Cloudflare + LetsEncrypt

Hello. I’m using TurnkeyLinux with the dehydrated wrapper - everything works great to generate multiple LetsEncrypt certificates. I recently integrated Cloudflare, which works great with Universal SSL.

The site in question is https://aninaphoto.com

I’d like to continue using the LetsEncrypt certificate rather than Cloudflare’s Universal SSL and their cert, however I receive the following errors after disabling Universal SSL:

SSL_ERROR_NO_CYPHER_OVERLAP (Firefox)
ERR_SSL_VERSION_OR_CIPHER_MISMATCH (Chrome)

I’ve enabled the following ciphers on my Apache server:

SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

I know that there are sites proxied through Cloudflare that are using their own LetsEncrypt certs, so there is something I am missing. Perhaps it has something to do with the origin pull configuration? I’ve tried this config on both Full and Full (Strict) configs.

Do you have a recommended cipher config? My site receives an A+ at ssllabs.

If I disable the Cloudflare proxy, my site displays just fine with no issues. I can even re-enable Universal SSL and the handshake completes.

Cloudflare only allows you to upload custom certificates on the Business and Enterprise plans.

Can you provide an example of one?


I understand - I am not trying to upload custom certificates. I am trying to pass proxied traffic through to my LetsEncrypt that’s hosted on my own server.

Cloudflare has this option available: “Full (Strict) Encrypts end-to-end, but requires a trusted CA or Cloudflare Origin CA certificate on the server”

Yes - an example of one is: https://www.lakesregion.org/

You can see he’s being proxied through Cloudflare, however he’s using his own cert. I suppose I could message him to see how Cloudflare support got it working, I saw his post on the Cloudflare forums.

I was just curious to know if anyone from the community knows the recommended ciphers to be using.

The certificate on your origin, and the certificate on Cloudflare's proxy servers, are not necessarily related.

"Universal SSL" -- or a custom certificate -- are about the certificate on Cloudflare's proxy servers. If you turn off Universal SSL, and don't have another certificate available, Cloudflare's proxy service can't support HTTPS.

If you leave Universal SSL enabled, set "Full (strict)", and use the Let's Encrypt certificate on your origin, the Let's Encrypt certificate will be used to secure the connection between your origin and Cloudflare, and the Universal SSL certificate will be used to secure the connection between Cloudflare and visitors.

For me, that site isn't using Cloudflare. I get a Google Cloud IP address.


Understood. I am at a loss as far as why I get these browser messages after disabling Universal SSL - I clearly have a working cert. Thanks for your input.

If you disable Universal SSL, then Cloudflare’s proxy servers do not have any cert at all, regardless of what’s on your origin.

Cloudflare has this option available: “Full (Strict) Encrypts end-to-end, but requires a trusted CA or Cloudflare Origin CA certificate on the server”

Are you aware of Cloudflare Origin CA?


Yes - I tried installing that in my Apache config - but it did not work. I shouldn’t need one as my sites are already secured with LetsEncrypt. I will probably just use the Cloudflare SSL, as it seems to work fine.

# Apache: Authenticated Origin Pulls - only accept TLS clients that present a certificate issued by Cloudflare's origin-pull CA
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /etc/ssl/certs/origin-pull-ca.pem
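To tie together the explanation above (Universal SSL stays on for the visitor-to-Cloudflare leg, the Let's Encrypt certificate secures the Cloudflare-to-origin leg under Full (strict)) and the origin-pull lines just posted, here is an added example of a complete Apache origin vhost; it is not configuration from the thread or from TurnkeyLinux. The certificate paths assume dehydrated's default output directory and the document root is a placeholder.

```apache
# Added example: Apache origin vhost for a site proxied by Cloudflare in
# "Full (strict)" mode. Universal SSL remains ON in the Cloudflare dashboard,
# so visitors see Cloudflare's edge certificate; the Let's Encrypt certificate
# below is only ever presented to Cloudflare. Paths are assumptions.
<VirtualHost *:443>
    ServerName  aninaphoto.com
    ServerAlias www.aninaphoto.com
    DocumentRoot /var/www/aninaphoto          # placeholder

    SSLEngine on
    # Let's Encrypt leaf + chain as written by dehydrated (assumed paths)
    SSLCertificateFile    /etc/dehydrated/certs/aninaphoto.com/fullchain.pem
    SSLCertificateKeyFile /etc/dehydrated/certs/aninaphoto.com/privkey.pem

    # TLS 1.2/1.3 only, server-preferred order, and the cipher list from the
    # original post (ECDHE/DHE with AEAD suites only).
    SSLProtocol         -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder on
    SSLCipherSuite      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

    # Authenticated Origin Pulls (must also be enabled in the Cloudflare
    # dashboard): require a client certificate issued by Cloudflare's
    # origin-pull CA, so the origin cannot be reached by bypassing the proxy.
    # Caveat: with this in place the site is NOT reachable when the Cloudflare
    # proxy is turned off, because browsers have no such client certificate.
    SSLVerifyClient      require
    SSLVerifyDepth       1
    SSLCACertificateFile /etc/ssl/certs/origin-pull-ca.pem
</VirtualHost>

# Plain-HTTP listener: send everything to HTTPS.
<VirtualHost *:80>
    ServerName  aninaphoto.com
    ServerAlias www.aninaphoto.com
    Redirect permanent / https://aninaphoto.com/
</VirtualHost>
```

Leaving Universal SSL disabled with the proxy on cannot work with this or any origin configuration, because the handshake that fails is the one between the browser and Cloudflare's edge, which then has no certificate to offer.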
