Regarding SSL at both origin server and Cloudflare

I have set up my domain with Cloudflare. I have set up SSL at my origin server with 'Let's Encrypt' and at Cloudflare as well. Cloudflare uses 'Let's Encrypt' as well. I have a couple of questions.

  1. Is adding SSL at both sides any good? Any advantage? Will this reduce speed? Should I disable SSL at origin?

  2. As you can see, with this setup, 'Let's Encrypt' gets 2 requests for SSL for the same website. One from my server and one from Cloudflare. Will this be any problem? Will 'Let's Encrypt' disable my certificate?


Hi @cubefun,

(1) It might be slightly slower, but not much. If Cloudflare and your server are using a modern version of HTTP, there's a possibility that it could actually be faster to have HTTPS in some cases.

The security advantage of HTTPS between Cloudflare and your server is that nobody with access to Internet infrastructure (like Internet routers) could use that access to spy on the content of your users' traffic, or to inject malware into connections.

Those concerns are often much higher for connections between end users and Cloudflare (because the end users may be on shared wifi with strangers, who could easily monitor or tamper with their connections if HTTPS were not used), but they do exist in the backbone of the Internet too, especially with governments tapping fiber optic cables, and governments and organized crime hacking routers in order to spy on people. Even though highly visible attacks are much more likely near the end user than they are in data centers, there are still some security advantages to using encryption everywhere.

(2) No, certificates don't contradict each other; each one just states that a certain encryption key is valid for a certain site, but not that other encryption keys might not also be valid at the same time. Let's Encrypt is happy to issue more than one separate certificate concurrently for the same site, and there are several valid use cases for that, including your situation.

There are rate limits for the Let's Encrypt service which do limit the total number of certificates that can be issued during a short time period for the same site.

But these limits aren't there because the certificates would somehow invalidate each other, but just to prevent people from intentionally or unintentionally abusing the Let's Encrypt service by using it at an unreasonably high frequency. The limits should also be high enough that your use case should never come close to running into them.

You could also consider using the Cloudflare origin CA, which is a Cloudflare-specific CA that issues Cloudflare-trusted certificates for backend servers. An advantage of this is that you can use the same certificate for a very long time and you don't need any Let's Encrypt client on your own server. A disadvantage is that it's slightly more inconvenient to switch away from Cloudflare once that setup is in place, in case you might ever want to do so.


Thanks @schoen

Another way I am considering is to remove SSL from my origin server. I mean using HTTP. I know it is less secure, but that is okay.

In this case, I don't need to have certbot on my system and I can have SSL from Cloudflare forever. No need to change anything on my server.

Will that work?




There are some people here and elsewhere who are kind of unhappy that Cloudflare allows that (feeling that it fools some end users about the overall level of cryptographic security in a connection!), but there's no way to stop Cloudflare from allowing it, and they do allow it.

Depending on what kind of site you have and what kind of users you have and what kind of information is on your site, some of your users might be confused or disappointed in the future if they learned that you chose to set it up that way. But that might not be true for every site.


@schoen May I know what the disadvantage is? If I want to move over, I can simply point to another SSL certificate in my nginx configuration, right?



Yes, that's right.

If you were using a Let's Encrypt certificate, you could immediately switch without changing your configuration at all.

It's not a huge disadvantage!
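The switch discussed above, as an added illustration that is not part of the original posts: an nginx server block terminating TLS at the origin with a Let's Encrypt certificate, with the Cloudflare Origin CA alternative shown as commented-out lines. The domain and file paths are placeholders.

```nginx
# Origin server: terminate TLS here so the Cloudflare -> origin hop is encrypted,
# not just the browser -> Cloudflare hop.
server {
    listen 443 ssl http2;
    server_name example.com;   # placeholder domain

    # Let's Encrypt certificate as installed by certbot (placeholder paths).
    # Works with or without Cloudflare in front, so moving CDNs needs no change here.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Cloudflare Origin CA alternative: swap only these two lines and reload nginx.
    # These certificates are trusted by Cloudflare, not by browsers, so they must be
    # replaced if the site is ever served without Cloudflare in front.
    # ssl_certificate     /etc/ssl/cloudflare/origin.pem;
    # ssl_certificate_key /etc/ssl/cloudflare/origin.key;

    ssl_protocols TLSv1.2 TLSv1.3;

    root /var/www/example.com;
}

# Plain-HTTP listener only redirects; the origin never serves content over HTTP.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```

For the Cloudflare -> origin hop to actually use this listener, Cloudflare's SSL mode must be set to connect to the origin over HTTPS (its "Full" or "Full (strict)" setting); in "Flexible" mode the port 80 redirect above would produce a redirect loop.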


You mean to say, if I use 'Cloudflare origin CA', I cannot do this? That is, I cannot simply switch to another SSL? Is it complicated?

Can you point to any document or tutorial on this?



No, you can switch easily.

I just mean that if you use the Cloudflare origin CA, you have to switch CAs if you change CDNs. If you use Let's Encrypt, you don't have to switch CAs if you change CDNs. That's all.


@schoen Thanks.

One question.

Only yesterday I switched to Cloudflare. Is that the best CDN? What do you suggest?
