You can set up LE on the backend webserver and tweak the CF config, as I've done.
Here are the steps I took:
- Log in to CF and select the domain you want to work with.
- Select the “Crypto” top menu option.
- Under SSL, select Full.
- Set Always Use HTTPS to ON.
- In the HSTS section, enable HSTS:
  - Max-Age: 3 months
  - Include subdomains: Off (change as you wish - read up on it)
- Set Minimum TLS Version to TLS 1.2.
- Opportunistic Encryption: ON
- TLS 1.3: ON
- Automatic HTTPS Rewrites: ON
- Disable Universal SSL (again, read up on it). By doing this you are no longer using CF SSL certs and use only the certs served by your server.
I've carried out these steps on 4 CF-hosted sites and they work fine for me on an Apache setup. I will soon use the same steps on Nginx and see how that goes.
Note: I made sure my Apache webserver is able to provide TLS 1.2 and 1.3 support, although you can get away with just 1.2. But as best practice for getting an A+ on SSL Labs you need at least 2 supported SSL protocols in use, i.e. v1.2 and/or v1.3.
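A quick way to confirm the outcome of the steps above from the outside is to probe which TLS versions a host actually negotiates and to check the HSTS header it sends. The script below is an added example, not the poster's tooling or anything from Cloudflare; it uses only the Python standard library. The hostname is taken from the command line (assumption: you pass your own site), "3 months" is taken as 90 days (7776000 seconds, an assumption rather than a value copied from the CF dashboard), and the live probes need network access, so the pure header/policy checks are kept in separate functions that run offline.

```python
"""Post-configuration check for the Cloudflare + Let's Encrypt setup described above.

Added example, not the poster's own code. Two parts:
  * parse_hsts() / hsts_meets_policy() / tls_policy_ok(): offline checks on a
    Strict-Transport-Security value (RFC 6797 syntax) and on a probe result.
  * probe_tls_versions() / fetch_hsts(): live checks against a host; these need
    network access and are only invoked from main().
"""
import http.client
import socket
import ssl

# Assumption: "3 months" in the CF HSTS setting is treated here as 90 days.
THREE_MONTHS = 90 * 24 * 3600  # 7776000 seconds


def parse_hsts(header_value):
    """Parse an HSTS header value into its directives.

    Returns {'max_age': int, 'include_subdomains': bool, 'preload': bool}.
    Raises ValueError when max-age is missing or not numeric (RFC 6797 requires it).
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age may be sent as a quoted-string
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"bad max-age directive: {directive!r}")
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        # Unknown directives are ignored, as the RFC instructs.
    if result["max_age"] is None:
        raise ValueError("HSTS header without max-age is invalid")
    return result


def hsts_meets_policy(header_value, min_age=THREE_MONTHS, require_subdomains=False):
    """True if the header enforces at least min_age seconds (and subdomains, if required)."""
    try:
        parsed = parse_hsts(header_value)
    except ValueError:
        return False
    if parsed["max_age"] < min_age:
        return False
    if require_subdomains and not parsed["include_subdomains"]:
        return False
    return True


TLS_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_tls_versions(host, port=443, connect_to=None, timeout=5.0):
    """Attempt one handshake per TLS version, pinning min and max to that version.

    connect_to lets you hit the origin IP directly (with SNI = host) instead of
    the CF edge. Returns {name: bool}; False also covers versions the local
    OpenSSL refuses to offer at its security level, so a False for 1.0/1.1 is
    the expected 'good' result on a modern client.
    """
    results = {}
    for name, version in TLS_VERSIONS.items():
        ctx = ssl.create_default_context()   # verifies the server certificate
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((connect_to or host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() is not None
        except (ssl.SSLError, OSError, ValueError):
            results[name] = False
    return results


def tls_policy_ok(results, require_tls13=True):
    """Minimum TLS 1.2 policy: 1.0 and 1.1 refused, 1.2 offered, 1.3 offered if required."""
    if results.get("TLSv1.0") or results.get("TLSv1.1"):
        return False
    if not results.get("TLSv1.2"):
        return False
    if require_tls13 and not results.get("TLSv1.3"):
        return False
    return True


def fetch_hsts(host, port=443, timeout=5.0):
    """HEAD / over HTTPS and return the Strict-Transport-Security value, or None."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("HEAD", "/", headers={"Host": host})
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumption: your site
    versions = probe_tls_versions(target)
    for name, offered in versions.items():
        print(f"{name}: {'offered' if offered else 'refused'}")
    print("TLS policy OK:", tls_policy_ok(versions))
    hsts = fetch_hsts(target)
    print("HSTS header:", hsts)
    print("HSTS policy OK:", hsts is not None and hsts_meets_policy(hsts))
```

Run it as `python3 check_tls.py yourdomain.example`. Note that with the CF proxy enabled you are probing Cloudflare's edge, not your Apache box; pass the origin IP as `connect_to` to check the origin's own TLS configuration and certificate.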