Recommendations for Cloudflare's SSL Settings when using a Let's Encrypt Certificate

My domain is: ejectum.net

I ran this command:

It produced this output:

My web server is (include version): Caddy v2.6.2

The operating system my web server runs on is (include version): Ubuntu 22.04.1 LTS

My hosting provider, if applicable, is: Oracle Cloud Infrastructure (OCI)

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.32.1


Hello :grinning:,

After a lot of reading, trial and error, I have managed to have my site served with Caddy, a Let's Encrypt certificate and at the same time be proxied by Cloudflare :smiley:

I would like to ask what the optimal Cloudflare SSL settings for a Let's Encrypt certificate are.

  • Should I disable Cloudflare's Universal SSL?

From what I understand, if you make your website work with Cloudflare's SSL Strict setting, everything is being handled by your server (what Cloudflare calls the Origin Server).

Currently, all my HSTS, no-sniff etc settings are being handled by my webserver correctly.

  • Do I still need to have them enabled on Cloudflare's Edge Certificates?

Since the Let's Encrypt certificate handles all my traffic,

  • do I still have to enable Cloudflare's Authenticated Origin Pulls?

I am including screenshots of the relevant settings and a couple of SSL links FYI.

SSL Report: ejectum.net, HSTS Preload Eligibility.

Since only 1 image is allowed to be attached, the rest of my screenshots for the related Cloudflare settings can be found here:

Cloudflare Edge Certificate Settings, Cloudflare Origin Server Settings

3 Likes

Was my description that bad or is it that no one uses Cloudflare with Let's Encrypt certificates? :slightly_frowning_face:

Maybe my other volunteers have been scared away by the combination of "Caddy" and "Oracle Cloud", I know I was.

I don't have any experience with Cloudflare (except for some experimentation with their DNS service and Certbot), but I can try to answer some of your questions, some with a question as an answer :wink:

Why? What's the alternative? AFAIK if you disable Cloudflare Universal SSL, you won't be using Cloudflare any longer? Or, if I read Disable Universal SSL certificates · Cloudflare SSL/TLS docs correctly, use a custom cert or buy an advanced cert. What's wrong with Cloudflare Universal SSL?

That's something different than "Universal SSL". Universal SSL manages the type of certificates used by Cloudflare; "SSL Strict" is a so-called (by Cloudflare) "encryption mode" which handles the traffic between Cloudflare and the origin server. See Encryption modes · Cloudflare SSL/TLS docs for more information. Also, "Strict" might not be available for you, as it's restricted to "Enterprise zones". For most Cloudflare users, "Full (strict)" is the maximum mode available. And even with the previously mentioned "Strict", Cloudflare doesn't use the origin server's cert for incoming connections on their edge server, only for the connection between Cloudflare and the origin.

Beats me.

As Cloudflare explains on https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/:

Authenticated origin pulls help ensure requests to your origin server come from the Cloudflare network, which provides an additional layer of security on top of Full or Full (strict) encryption modes.

(Emphasis mine.)

5 Likes
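Enabling Authenticated Origin Pulls in the Cloudflare dashboard only makes Cloudflare present a client certificate; the origin has to verify it, or the setting adds nothing. As an added example (not posted by anyone in this thread), here is a Caddy v2 site block that does that verification while still letting Caddy obtain the Let's Encrypt certificate itself; the CA file path and the upstream address are placeholders.

```caddyfile
# Added example, not from the thread: origin-side enforcement of
# Cloudflare Authenticated Origin Pulls in a Caddyfile.
# Placeholders (assumptions): the CA bundle path and the upstream address.
ejectum.net {
    # Caddy still manages the Let's Encrypt certificate automatically;
    # this tls block only adds client-certificate verification.
    tls {
        client_auth {
            # Reject any TLS connection that does not present a certificate
            # chaining to Cloudflare's origin-pull CA (downloaded from
            # Cloudflare's Authenticated Origin Pulls documentation).
            mode                 require_and_verify
            trusted_ca_cert_file /etc/caddy/cloudflare-origin-pull-ca.pem
        }
    }

    # Security headers stay at the origin, as the poster already does.
    header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    header X-Content-Type-Options "nosniff"

    # Placeholder upstream: replace with the real backend or a file_server.
    reverse_proxy 127.0.0.1:8080
}
```

With this in place, a direct HTTPS request to the origin IP that skips Cloudflare fails the handshake, which is the check worth running after enabling the feature.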

I'm not sure I totally understand the purpose of the questions but basically if your setup currently works then there is nothing you need to change.

Disabling Universal SSL is useful if you need to use DNS validation for your own certs, as Cloudflare's own certs use DNS validation and their hidden settings can conflict (specifically the _acme-challenge TXT record). If you just use HTTP validation it's fine.

Full (strict) prevents traffic reaching your server on port 80, so if you are using HTTP validation for your own certs you will struggle to get http validation to work. Full is adequate and allows http through to your server, but if you need to enforce https then you'd do it on your server as redirects or via HSTS.

3 Likes

No it doesn't. "Full (strict)" behaves the same as "Full" except for more strict origin certificate verification. You need "Strict (SSL-Only Origin Pull)" for what you're saying. (As I already explained in my post above.)

5 Likes

Thank you both for sharing your thoughts :slight_smile:

I'm just an artist trying to set all this up, I'm pretty sure I'm missing some basic terminology, sorry about that.

The reason I'm using Cloudflare in the first place is because I have my domain registered with them and their DNS services are really easy for me to use.

Part of my confusion is that there are so many different opinions online. This article suggests disabling Universal SSL after having everything up and running:

Along with that, you’d have to Disable Universal SSL. Since you’re not using the Cloudflare Universal SSL anymore and instead utilizing the SSLs stored on your server, click on “I Understand” and then confirm.

I thought of asking here since this is the Let's Encrypt official forum :slight_smile:

2 Likes

I fail to see any argument for doing that on that article, let alone a good argument. There's nothing wrong with using Cloudflare Universal SSL in combination with the "Full (strict)" encryption mode. The part mentioning "(…) and instead utilizing the SSLs stored on your server." seems to suggest Cloudflare is bypassed entirely so you wouldn't be using Cloudflare entirely any longer? Seems rather strange to mention in an article claiming to "correctly" use Let's Encrypt with Cloudflare. By disabling Universal SSL you would just be using Let's Encrypt without Cloudflare. Unless you manually upload your Let's Encrypt certificate to Cloudflare I guess, but the article does not mention that at all and is very cumbersome as you would have to manually do that at every Let's Encrypt renewal (on your origin server).

No, I'd just keep using Cloudflare Universal SSL. When using Cloudflare as a free user, Cloudflare will be the TLS endpoint for internet users anyway, nothing is going to change that as a free user, not even by disabling Universal SSL unless you stop using Cloudflare entirely.

5 Likes

Thank you so much for clearing this up Osiris :smiley:

4 Likes

Your description was fine. But, your questions had little to do with Let's Encrypt specifically and more about general design issues regarding Cloudflare CDN and your Origin Server.

The Cloudflare community would have been more responsive (link here).

We don't generally get involved with overall design. That said, on a slow day I might have commented and I am glad Osiris did.

As "just an artist" I applaud you getting so much to work and asking good questions. You have a fairly complex combination that often puzzles novices.

6 Likes

I agree on the "just an artist" view by @MikeMcQ
You must be wearing your sunglasses at night, because this deer in the headlights can see just fine and did not get run over by the complexity of it all. Kudos!

Cheers from Miami :beers:

4 Likes

@MikeMcQ @rg305 @Osiris thank you for the kind words :grinning: :raised_hands:

To clear this up a bit more, I wasn't looking for an overall oversight of my running system, I just got so confused by Cloudflare's "we-ssl-your-site-anyway" and I felt I should ask here what is the best way to go because certificates are your thing :slight_smile:

Looks like I got the Certbot and Caddy configs fine, I'm able to validate via DNS and Osiris' reply set me on the right path. Now I can go back and make some content other than the splash page :joy:

Once more, many thanks to all of you :smiley:

4 Likes

That article was quite misleading and inaccurate. Disregard everything you read in it.

If Caddy is performing HTTP-01 validation, the following page rule that I have used with Let's Encrypt and Cloudflare may interest you, as it keeps the challenges on port 80.

There are better ways to manage those settings than via a Page Rule, but I haven't posted my updated configuration here or in the Cloudflare Community yet.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.