Cloudflare Universal SSL switch Letsencrypt to Digicert CA

Heads up, the Letsencrypt DST Root CA X3 expiration on September 30, 2021 may also impact Cloudflare orange cloud proxy enabled users as Cloudflare’s Universal SSL provides free SSL certificates through 2 CA SSL providers, Digicert or Letsencrypt.

There are a number of solutions for this:

  1. Contact Cloudflare tech support and request that they switch your Cloudflare Universal SSL edge certificates from Letsencrypt CA provided to Digicert CA provided SSL certificates.
  2. Upgrade to Cloudflare Advanced Certificate Management (ACM) product at $10/month and you can create your own custom Cloudflare edge SSL certificate and choose Digicert as your CA provider.
  3. Or you can switch your Cloudflare Universal SSL edge certificates from Letsencrypt to Digicert CA provided via the Cloudflare API, using the curl command below, run while logged into an SSH session on your server or on your local computer (Linux).

There are 4 commands below, where the last curl command is a single command split over 5 lines. You need to populate 3 session variables:

  • cfzoneid variable: replace the value with your Cloudflare domain’s zone id (found in the bottom right side column of the Cloudflare dashboard overview page)
  • cfemail variable: replace the value with your Cloudflare account’s registered email address
  • cfglobalkey variable: replace the value with your Cloudflare account’s Global API Key found at https://dash.cloudflare.com/profile/api-tokens

cfzoneid='your_domain_zone_id'
cfemail='your_cloudflare_account_email'
cfglobalkey='your_cloudflare_account_global_api_key'

curl -4sX PATCH "https://api.cloudflare.com/client/v4/zones/$cfzoneid/ssl/universal/settings" \
     -H "X-Auth-Email: $cfemail" \
     -H "X-Auth-Key: $cfglobalkey" \
     -H "Content-Type: application/json" \
     --data '{"certificate_authority":"digicert"}'

Hope that helps :grinning:

4 Likes
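
To confirm the switch took effect, the following added example (not part of the original post) reads the setting back with a GET on the same endpoint and also prints the issuer of the certificate the edge actually serves. It assumes the response carries `success` and `result.certificate_authority` fields; the function names and the sample responses are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: confirm which CA Universal SSL is set to after the PATCH.
# Assumes the same cfzoneid / cfemail / cfglobalkey variables as the post.

# Fetch the current Universal SSL settings (GET on the endpoint the post PATCHes).
get_universal_ssl_settings() {
  curl -4s "https://api.cloudflare.com/client/v4/zones/$cfzoneid/ssl/universal/settings" \
       -H "X-Auth-Email: $cfemail" \
       -H "X-Auth-Key: $cfglobalkey" \
       -H "Content-Type: application/json"
}

# Print the certificate_authority value from an API response read on stdin.
# Plain text extraction so it works without jq; prints nothing if the field is absent.
ca_from_response() {
  tr -d ' \t\r\n' | sed -n 's/.*"certificate_authority":"\([^"]*\)".*/\1/p'
}

# Return 0 only if the response on stdin reports success AND the expected CA ($1).
response_has_ca() {
  _body="$(cat)"
  printf '%s' "$_body" | tr -d ' \t\r\n' | grep -q '"success":true' &&
    [ "$(printf '%s' "$_body" | ca_from_response)" = "$1" ]
}

# Print the issuer of the certificate the edge serves for hostname $1.
# The API setting and the served certificate are separate facts; check both.
edge_issuer() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer
}

# Constructed sample responses (not captured from a real account).
SAMPLE_OK='{"success":true,"errors":[],"messages":[],"result":{"enabled":true,"certificate_authority":"digicert"}}'
SAMPLE_LE='{ "success": true, "result": { "enabled": true, "certificate_authority": "lets_encrypt" } }'
SAMPLE_ERR='{"success":false,"errors":[{"code":0,"message":"constructed error"}],"result":null}'

# Usage against the live API (your_hostname is a placeholder):
#   get_universal_ssl_settings | response_has_ca digicert && echo "CA is digicert"
#   edge_issuer your_hostname
```

A failed API call (for example a wrong key) returns `"success":false`, which `response_has_ca` treats as not switched rather than silently passing.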