Cloudflare vs Let's Encrypt


#1

Hi,
My host provided me with free Let's Encrypt SSL. But I use Cloudflare. It seems that these two do not work together. The host provider said this to me. I want to be sure that this is true.
Thanks.
My domain is: www.cadamooz.ir


#2

In one respect, it is true. If you use Cloudflare’s CDN/proxy services, then the certificate presented to the end-user when visiting your website will be the one issued by Cloudflare, not Let’s Encrypt.

However, Cloudflare doesn’t prevent you from issuing Let’s Encrypt certificates nor protecting your origin server with a Let’s Encrypt certificate.

It is largely an apples vs oranges comparison.

Cloudflare is a CDN/reverse proxy that features automatic SSL.

Let’s Encrypt is a certificate authority.


#3

The hosting provider might also have meant that some methods of obtaining a Let’s Encrypt certificate don’t work if your server is already behind CloudFlare. This is true, but other methods do work. It’s not impossible in principle. However, a particular hosting provider might have implemented its hosting in a way where that provider would not currently be able to obtain new Let’s Encrypt certificates for customers who have put their services behind CloudFlare’s reverse proxy.

Everything that @_az said is right: if you use CloudFlare, visitors to your site won’t see your Let’s Encrypt certificate, even if you do have one. You could use Let’s Encrypt to protect (only) the connection between CloudFlare and your web server, which is potentially valuable, but people visiting your site won’t know that you’re doing this. CloudFlare also provides an alternative called the CloudFlare origin CA, where CloudFlare users can obtain a free certificate from CloudFlare itself to protect the connection between CloudFlare and the origin server. This is a very reasonable alternative to Let’s Encrypt if you intend to use CloudFlare over the long term. Since only CloudFlare would be connecting directly to your site, that part of the connection would not need to be authenticated by a publicly-trusted certificate authority like Let’s Encrypt.
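The two TLS legs described above (visitor to Cloudflare edge, Cloudflare to origin) can be inspected from the command line. This is an added example, not code from the thread: `probe()` connects with SNI set to the site name, once via DNS (what visitors see) and once straight to an assumed origin IP, and `describe()` reports which certificate visitors actually get and whether the origin's certificate is publicly trusted, which decides whether un-proxying ("pausing") Cloudflare would leave visitors with a certificate error.

```python
import hashlib
import socket
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class CertSummary:
    fingerprint: str            # SHA-256 of the DER-encoded leaf certificate
    issuer_org: Optional[str]   # issuer O= of the validated cert, None if untrusted
    publicly_trusted: bool      # chain validated against the local trust store


def _leaf(host, connect_to, port, verify, timeout=5):
    """TLS-connect to connect_to (defaults to host) with SNI=host; return (DER, info)."""
    ctx = ssl.create_default_context()
    if not verify:  # only used to read a cert that browsers would reject anyway
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((connect_to or host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), (tls.getpeercert() if verify else {})


def probe(host, connect_to=None, port=443):
    """Summarise the leaf cert a client sees. connect_to=<origin IP> bypasses DNS
    (and therefore the Cloudflare proxy) to see what the origin itself presents."""
    try:
        der, info = _leaf(host, connect_to, port, verify=True)
        rdns = dict(pair for rdn in info["issuer"] for pair in rdn)
        return CertSummary(hashlib.sha256(der).hexdigest(), rdns.get("organizationName"), True)
    except ssl.SSLCertVerificationError:
        der, _ = _leaf(host, connect_to, port, verify=False)
        return CertSummary(hashlib.sha256(der).hexdigest(), None, False)


def describe(edge, origin):
    """Interpret the two legs: visitor -> public endpoint, and direct -> origin."""
    return {
        # Different leaf certs on the two legs means a proxy sits in front of the origin.
        "proxied": edge.fingerprint != origin.fingerprint,
        "visitors_see_issuer": edge.issuer_org if edge.publicly_trusted else None,
        "visitors_get_cert_error": not edge.publicly_trusted,
        # An Origin CA or self-signed cert on the origin is fine while proxied, but
        # un-proxying the site would expose that untrusted cert directly to visitors.
        "safe_to_unproxy": origin.publicly_trusted,
    }


if __name__ == "__main__":
    import sys
    site, origin_ip = sys.argv[1], sys.argv[2]   # e.g. www.example.com 203.0.113.10 (placeholders)
    print(describe(probe(site), probe(site, connect_to=origin_ip)))
```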


#4

Thanks.
@schoen put it well:
“However, a particular hosting provider might have implemented its hosting in a way where that provider would not currently be able to obtain new Let’s Encrypt certificates for customers who have put their services behind CloudFlare’s reverse proxy”

I think this is the problem with my host provider. As you said, I think it is better for me to have a free Cloudflare certificate and forget Let's Encrypt.
Am I right?


#5

I am using Let's Encrypt SSL with Cloudflare. I am not facing any issues.
Just make sure
Inside Cloudflare --> Crypto --> SSL --> Full is enabled. If it's fine, everything will work fine.


#6

Thanks.
I checked there; the option is grayed out. I can't change it. It says:
Status: Ineligible for SSL


#7

The problem is with your domain name, www.cadamooz.ir. Please talk to Cloudflare.

Or pause the site, apply Let's Encrypt SSL and enable it.


#8

What do you mean? What is wrong with my domain?


#9

It's not working for Iranian domains.

Update:
Please check that the orange cloud is enabled for your domain. If it's enabled and SSL is ineligible, it's a domain issue for the country Iran.


#10

Aha.
Thanks.
So what should I do?

Should I change my DNS in cPanel and delete the Cloudflare DNS?


#11

I recommend “Talk to support once” for this issue. But the hack is:

Note:
Site will load directly from the server, not via Cloudflare.


#12

Your hosting provider said it right. Cloudflare won't support Iranian domains.


#13

Recently I asked someone to speed up my site, and they changed some WordPress options and files and added a few plugins. They also created a Cloudflare account.

I don't know what would happen if I remove the Cloudflare DNS from cPanel.


#14

There are many CDN providers in the world. Don't always rely on one.
Ex:
Akamai
Amazon CloudFront
Sucuri

Before purchasing, kindly ask them if they support Iranian domains.
So go for it. Good luck.


#15

Assuming that this site needs a CDN at all.


#17

How should I know whether my site needs one or not?


#18

Cloudflare is basically a web host on top of your web host. Therefore, it includes some security and load balancing features.

You should want it if:

  • You think that many (like A LOT) people are visiting your site at the same time
  • You want your HTML files to be cached and sent to the “customer” faster (5ms response time instead of 50ms, for example)
  • You fear that someone wants to harm you and DDoS your website (take your website down)
  • …some more use cases to add if you like


#19

This is probably true for most people, but unfortunately the rest of this thread shows a policy problem with CloudFlare obtaining certificates for Iranian domains. Let’s Encrypt does allow certificates for Iranian domains (other than governmental domains), but by itself that can’t solve the problem described by other people in this thread, because CloudFlare’s current configuration uses a different certificate authority to obtain the certificates that it presents to the public, regardless of which certificate authority is used by your back-end (“origin”) server.

A CDN like CloudFlare is likely to make your site faster for most users worldwide and also defend against many denial of service attacks where people try to make a site unavailable by overwhelming it with too much traffic. However, some CDNs based in the U.S. seem to limit the services that they provide for Iranian users, so I guess you’ll have to research this when choosing it.

I’ve previously communicated to CloudFlare that Let’s Encrypt would be happy to issue free certificates for CloudFlare to present to the public for all of the company’s Iranian users, but so far CloudFlare hasn’t taken advantage of this option (and maybe faces engineering challenges in doing so). I’ll be happy to remind them about this, but I wouldn’t expect any results quickly.


#20

It may be worth contacting Cloudflare? The last post in the thread linked above was optimistic.

They use multiple CAs, at least one of which isn’t American, but I don’t know what their policies are.


#21

@mnordhoff, thanks for checking the thread—that sounds like potentially good news!