Hello. I’m using TurnkeyLinux with the dehydrated wrapper - everything works great to generate multiple LetsEncrypt certificates. I recently integrated Cloudflare, which works great with Universal SSL.
I’d like to continue using the LetsEncrypt certificate rather than Cloudflare’s Universal SSL and their cert, however I receive the following errors after disabling Universal SSL:
I know that there are sites proxied through Cloudflare that are using their own LetsEncrypt certs, so there is something I am missing. Perhaps it has something to do with the origin pull configuration? I’ve tried this config on both Full and Full (Strict) configs.
Do you have a recommended cipher config? My site receives an A+ at ssllabs.
If I disable the Cloudflare proxy, my site displays just fine with no issues. I can even re-enable Universal SSL and the handshake completes.
I understand - I am not trying to upload custom certificates. I am trying to pass proxied traffic through to my LetsEncrypt that’s hosted on my own server.
Cloudflare has this option available: “Full (Strict) Encrypts end-to-end, but requires a trusted CA or Cloudflare Origin CA certificate on the server”
You can see he’s being proxied through Cloudflare, however he’s using his own cert. I suppose I could message him to see how Cloudflare support got it working, I saw his post on the Cloudflare forums.
I was just curious to know if anyone from the community knows the recommended ciphers to be using.
The certificate on your origin, and the certificate on Cloudflare's proxy servers, are not necessarily related.
"Universal SSL" -- or a custom certificate -- are about the certificate on Cloudflare's proxy servers. If you turn off Universal SSL, and don't have another certificate available, Cloudflare's proxy service can't support HTTPS.
If you leave Universal SSL enabled, set "Full (strict)", and use the Let's Encrypt certificate on your origin, the Let's Encrypt certificate will be used to secure the connection between your origin and Cloudflare, and the Universal SSL certificate will be used to secure the connection between Cloudflare and visitors.
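To see the two legs separately, here is an added diagnostic (not code from the thread or from Cloudflare): it fetches the leaf certificate visitors get from the Cloudflare edge, then connects directly to your origin IP with the site name as SNI and verifies it against the default trust store, which fails under the same conditions Full (strict) rejects. The hostname and origin IP are arguments you supply; the sample certificate dict is constructed so the summary step runs offline.

```python
import ssl
import socket
import time

def fetch_leaf_cert(connect_host, sni, port=443):
    """Return the leaf cert (getpeercert() dict) presented by connect_host for server name sni."""
    # Default trust store: an untrusted chain, expiry or name mismatch raises
    # ssl.SSLCertVerificationError, the same conditions Full (strict) rejects.
    ctx = ssl.create_default_context()
    with socket.create_connection((connect_host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()

def name_covers(cert_name, hostname):
    """Exact match, or one leftmost wildcard label (*.example.com covers www.example.com)."""
    cert_name, hostname = cert_name.lower(), hostname.lower()
    if cert_name.startswith("*."):
        return hostname.count(".") == cert_name.count(".") and hostname.endswith(cert_name[1:])
    return cert_name == hostname

def summarize(cert, hostname, now=None):
    """Reduce a getpeercert() dict to per-leg facts: issuer, names, validity for hostname."""
    now = time.time() if now is None else now
    issuer = dict(pair for rdn in cert.get("issuer", ()) for pair in rdn)
    subject = dict(pair for rdn in cert.get("subject", ()) for pair in rdn)
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {"subject_cn": subject.get("commonName"), "issuer_org": issuer.get("organizationName"),
            "issuer_cn": issuer.get("commonName"), "sans": sans,
            "covers_hostname": any(name_covers(n, hostname) for n in sans),
            "days_left": int((expires - now) // 86400), "valid_now": now < expires}

def check_legs(hostname, origin_ip):
    """'edge': cert visitors get from Cloudflare; 'origin': cert Cloudflare gets from
    your server when it connects with the site name as SNI (the Full (strict) leg)."""
    report = {}
    for leg, connect_to in (("edge", hostname), ("origin", origin_ip)):
        try:
            report[leg] = summarize(fetch_leaf_cert(connect_to, hostname), hostname)
        except ssl.SSLCertVerificationError as exc:
            report[leg] = {"error": exc.verify_message}  # Full (strict) would fail here too
        except OSError as exc:
            report[leg] = {"error": str(exc)}
    return report

# Constructed sample in getpeercert() shape (not a real certificate), for offline use.
SAMPLE_ORIGIN_CERT = {"subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notAfter": "Mar 31 00:00:00 2024 GMT"}
```

Run `check_legs("www.example.com", "ORIGIN_IP")` with your own names: an `error` on the origin leg (untrusted issuer, expired, or hostname mismatch) is what Full (strict) would report, while a clean origin summary alongside a different edge issuer shows the two certificates doing their separate jobs.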
For me, that site isn't using Cloudflare. I get a Google Cloud IP address.
Understood. I am at a loss as far as why I get these browser messages after disabling Universal SSL - I clearly have a working cert. Thanks for your input.
Yes - I tried installing that in my apache config - but it did not work. I shouldn’t need one as my sites are already secured with LetsEncrypt. I will probably just use the Cloudflare SSL, as it seems to work fine.