I have a website hosted at my domain and I’m using Cloudflare as a proxy (orange cloud enabled). I’ve already installed an SSL certificate from Let’s Encrypt on my origin server. How can I configure Cloudflare so that it keeps proxying traffic but still uses my Let’s Encrypt SSL instead of Cloudflare’s default SSL? Which SSL/TLS mode should I choose and what settings are required to ensure end-to-end encryption?
My domain is: https://webtechnepal.com
Cloudflare's Universal SSL offering uses multiple CAs, including Let's Encrypt. If you want to configure certificate options, including guaranteeing an LE certificate, you can subscribe to their Advanced Certificate Manager product, which costs money. If you want to upload your own certificate, you have to subscribe to their Business service, which costs a lot of money.
Hi @maxh ,
Thanks, I got the point. I understand that Cloudflare’s Universal SSL uses multiple CAs and configuring certificate options.
There is no "transparent" mode that anyone can use to serve a downstream certificate AND terminate the TLS connection [i.e. proxy the connection].
Thus, CF won't be able to serve your cert [without having the private key].
As stated, it would cost money to ensure CF uses your specified cert while adding nothing of significant value/security to the connection.
Why do you want/need CF to serve your cert?
Or, to perhaps broaden the question, why do you care which cert CF serves, as long as it's a valid one?
Just to add to what the others have said with the practical setup side of things:
With Cloudflare proxying enabled (orange cloud), there are always two separate TLS connections: browser to Cloudflare, and Cloudflare to your origin server. Cloudflare terminates the first one using their own certificate (Universal SSL), and you have no control over that without paying for Advanced Certificate Manager or Business plan.
For the second connection (Cloudflare to your origin), your Let's Encrypt certificate IS being used. Set your SSL/TLS mode to Full (Strict) in the Cloudflare dashboard. This tells Cloudflare to verify your origin cert is valid and trusted, which your LE cert is. "Full" mode also encrypts but does not verify the certificate, so "Full (Strict)" is the better option.
The key point: your LE cert is still doing its job protecting the connection between Cloudflare and your server. Visitors see Cloudflare's certificate in their browser regardless of your origin setup, but the origin connection is encrypted with yours.
One alternative worth knowing: Cloudflare offers free Origin CA certificates specifically designed for the CF-to-origin connection. These are valid for up to 15 years but only trusted by Cloudflare (not browsers directly). If you ever have renewal issues with LE, these are a solid fallback for Cloudflare-proxied sites.