CloudFlare with Full SSL (Strict) Setup Not Trusting Let's Encrypt


I’m using CloudFlare with the “Full SSL (strict)” option. I have a primary domain with a separate COMODO SSL certificate installed.
Then I installed Let’s Encrypt and issued a certificate for my subdomain. But that doesn’t work. Cloudflare gives me an error: “Invalid SSL certificate”.

I think I have used this command: certbot -i apache -a webroot -w /var/www/html/ -d

My config looks like this:

<IfModule mod_ssl.c>
<VirtualHost *:443>

	DocumentRoot /var/www/html/

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	#Redirect permanent /

	SSLCertificateFile /etc/letsencrypt/live/
	SSLCertificateKeyFile /etc/letsencrypt/live/
	# certbot's options-ssl-apache.conf turns SSLEngine on and sets protocol/cipher defaults
	Include /etc/letsencrypt/options-ssl-apache.conf
	SSLCertificateChainFile /etc/letsencrypt/live/
</VirtualHost>
</IfModule>

Any ideas?

Contact CloudFlare to see why they think that the subdomain certificate is invalid? Otherwise, if you are comfortable with OpenSSL, you should be able to review your configuration from the server itself using localhost.

Some more reading:

Especially the requirements below:

Full SSL (Strict): secure connection between the visitor and Cloudflare, and secure and authenticated connection between Cloudflare and your web server. You will need to have your server configured to answer HTTPS connections, with a valid SSL certificate. This certificate must be signed by a certificate authority, have an expiration date in the future, and respond for the request domain name (hostname).


I have also setup a full strict SSL mode with a let’s encrypt certificate on the origin server with no issues.

I suspect the issue is with the certificate installed on the origin server

I can’t confirm this but the command to test the certificate from your origin server is below

My domain that I have set up for end-to-end encryption is

openssl s_client -connect localhost:443 -servername yourdomainname


Thank you for your tips. I have tried this command and it returned same results like yours.

I have one free domain; I will try to park it on my server and then issue an SSL certificate for it. It will be easier to test without Cloudflare.

You can choose how Cloudflare deals with each subdomain.

A quick test is to turn off full protection and test the original server using

This will identify any issues. You can then turn the full encryption back on once you have fixed the issue

Below is a screenshot of the alpha subdomain (fully proxied by Cloudflare) and the beta subdomain (not proxied); the certificate for both is the same. You can do openssl and test on both :smiley:


Oh, thank you! I did not know that it is possible to turn off Cloudflare protection for a subdomain.

Looks like the issue is with my configuration files, because it catches my primary domain SSL certificate.

I’m also including my primary domain SSL certificate config, maybe there is something wrong.


<IfModule mod_ssl.c>
	<VirtualHost my_ip:443>

		DocumentRoot /var/www/html/

		ErrorLog ${APACHE_LOG_DIR}/error.log
		CustomLog ${APACHE_LOG_DIR}/access.log combined

		SSLEngine on
		SSLCertificateFile /etc/apache2/ssl/2017/2cec62807dee0ace.crt
		SSLCertificateKeyFile /etc/apache2/ssl/2017/apache.key
		SSLCertificateChainFile /etc/apache2/ssl/2017/gd_bundle-g2-g1.crt

		# export SSL_* environment variables to CGI/PHP scripts
		<FilesMatch "\.(cgi|shtml|phtml|php)$">
				SSLOptions +StdEnvVars
		</FilesMatch>
		<Directory /usr/lib/cgi-bin>
				SSLOptions +StdEnvVars
		</Directory>

		BrowserMatch "MSIE [2-6]" \
				nokeepalive ssl-unclean-shutdown \
				downgrade-1.0 force-response-1.0
		# MSIE 7 and newer should be able to use keepalive
		BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

	</VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Or should I move this code from default-ssl.conf to my primarydomain.conf?

Don’t quote me on this, but from memory:

default-ssl.conf will be automatically re-created on restarts.
If Apache doesn’t match a specific VirtualHost it will use the default.

           SSLCertificateFile /etc/apache2/ssl/2017/2cec62807dee0ace.crt
           SSLCertificateKeyFile /etc/apache2/ssl/2017/apache.key
           SSLCertificateChainFile /etc/apache2/ssl/2017/gd_bundle-g2-g1.crt

These are, I believe, what are called snake oil certificates (self-signed and auto-generated).

Turn cloudflare proxying back on but step it down to Full SSL (self signed certs ok)
Create a VHOST file for the HTTP version of your site only (create the file in sites-available and use a2ensite).
Run certbot apache (this should pickup the host name)
Create the certificate
Check (and be very careful that the certificate for the domain is a let’s encrypt one)
Turn on Strict Mode in CloudFlare

I suggest using this approach to give you maximum time to achieve what you want without impacting security (hence the recommendation about turning Full SSL on but not the strict mode)

@schoen - will a HTTPS virtual-host be automatically created?


(recalling that you do need that -a webroot if you’re already behind CloudFlare; -a apache or --apache don’t work behind a CDN)

You don’t need to have an existing HTTPS VirtualHost to use Certbot (either with --apache or with -i apache), and it will create one for you if you don’t have one. It creates it based on your matching HTTP VirtualHost.


Would -a webroot and -i apache work? This should allow for verification and installation of the certificate?

Yes, Apache behind a CDN is a pretty good use case for that combination.

The reason that -a apache is nice is that you don’t have to specify any more configuration and even if you don’t have a webroot at all (like if your web server redirects everything to a web application and doesn’t serve any static files from the filesystem!), that’s still OK. But since -a apache doesn’t work behind CDNs, the -a webroot -i apache combination is a good one in that case.

webroot in turn has more prerequisites, but is also a bit easier to debug.

Thank you for all your help…

I needed to change this:

<VirtualHost *:443> into

And now it works without Cloudflare. But with Cloudflare it fails.

So, now I have to do this validation?
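The change above works because Apache picks a VirtualHost by address first and by ServerName second: a block bound to an explicit IP is more specific than `*:443`, so a request for the subdomain arriving on that IP never reaches the `*:443` block and is answered with the primary domain's certificate, which is exactly what Cloudflare then rejects in Full (strict) mode. The script below is an added illustration, not code from this thread; it models that selection order on a constructed config (placeholder IP and hostnames) and ignores `_default_`, port wildcards and ServerAlias wildcards.

```python
import re

# Constructed sample modelled on the two blocks quoted in the thread;
# the IP and hostnames are placeholders, not the poster's real values.
APACHE_CONF = """
<VirtualHost 203.0.113.10:443>
    ServerName primary.example.com
    SSLCertificateFile /etc/apache2/ssl/2017/primary.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName sub.example.com
    SSLCertificateFile /etc/letsencrypt/live/sub.example.com/fullchain.pem
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)


def parse_vhosts(conf):
    """Return (address, port, names, cert) tuples in definition order."""
    vhosts = []
    for addr_spec, body in VHOST_RE.findall(conf):
        addr, _, port = addr_spec.strip().rpartition(":")
        names = re.findall(r"^\s*ServerName\s+(\S+)", body, re.M)
        for alias_line in re.findall(r"^\s*ServerAlias\s+(.+)$", body, re.M):
            names += alias_line.split()
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M)
        vhosts.append((addr, port, names, cert.group(1) if cert else None))
    return vhosts


def select_vhost(vhosts, ip, port, sni_name):
    """Simplified Apache matching: most specific address:port, then name, else first defined."""
    # Step 1: blocks bound to the exact IP win; '*' blocks are only
    # considered when no explicit-IP block exists for that IP and port.
    candidates = [v for v in vhosts if v[0] == ip and v[1] == port]
    if not candidates:
        candidates = [v for v in vhosts if v[0] == "*" and v[1] == port]
    if not candidates:
        return None
    # Step 2: name-based choice among the candidates, falling back to
    # the first one defined (that fallback is what served the wrong cert).
    for v in candidates:
        if sni_name.lower() in (n.lower() for n in v[2]):
            return v
    return candidates[0]


def fix_binding(conf, ip):
    """The thread's fix: bind the subdomain block to the same explicit IP."""
    return conf.replace("<VirtualHost *:443>", "<VirtualHost %s:443>" % ip)
```

Run `select_vhost` against the sample before and after `fix_binding` to see which certificate file a request for the subdomain would get in each case.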

hi @BigBug

Umm not sure why you didn’t do what was suggested as this would have created a new virtualhost file rather than updating the default.

Not going to help further :smiley:

