Thanks for the diagnosis, @_az!
@vishalzambre, when addressing this it’s also important to consider that your Let’s Encrypt certificate obtained with `certbot certonly --manual` protects the connection between CloudFlare and your origin server, but only CloudFlare can confirm whether or how that connection is encrypted, since it’s not visible to the Internet as a whole. That connection ought to be encrypted for security, since all of the user data is also transmitted over it, but it depends on your CloudFlare settings and on whether the certificate is installed properly on the origin server.
Also remember that `certonly` doesn’t install the certificate in the web server (you have to configure the web server yourself to use the certificate), while `--manual` generally doesn’t allow you to renew the certificate with `certbot renew` (because it requires manual intervention to perform the renewal process). So you would also have to figure out how you plan to renew the Let’s Encrypt certificate before it expires every 90 days.
If you plan to always use CloudFlare with this service, you could consider using the CloudFlare Origin CA instead:
As they say, it’s free and more secure in this configuration, and I believe you can get a certificate that lasts for 10 years. However, it only works for sites that are behind the CloudFlare CDN; if you switch CDNs or disable CloudFlare, then you’d have to switch back to a publicly-trusted CA like Let’s Encrypt for your certificates.
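As an added example (not part of the post above, and not certbot's or CloudFlare's own tooling), here is a small POSIX shell script covering the two operational points the reply raises: a cron-friendly expiry check for a certificate issued with `certbot certonly --manual`, which `certbot renew` will not refresh by itself, and a direct-to-origin TLS check that verifies the certificate actually installed on the origin server, bypassing CloudFlare. It assumes `openssl` is on the PATH; the hostname `origin.example.invalid` and the certificate it generates are constructed sample data so the check runs offline, and the `origin_cert_check` function is network-dependent and is not run by default.

```shell
#!/bin/sh
# Added example (not from the original post or from certbot): expiry check for
# a manually issued certificate plus a direct-to-origin verification.
# Assumes: openssl on PATH. Sample certificate and hostname are constructed.

RENEW_WINDOW_DAYS=30   # Let's Encrypt certs last 90 days; renew with a margin

# Returns 0 (true) when the certificate file $1 expires within $2 days.
# `openssl x509 -checkend N` exits 0 while the cert is still valid N seconds
# from now, so the result is inverted here.
needs_renewal() {
  cert="$1"
  days="$2"
  if openssl x509 -in "$cert" -noout -checkend "$(( days * 86400 ))" >/dev/null 2>&1; then
    return 1
  else
    return 0
  fi
}

# Prints the notAfter date of certificate file $1, for the alert message.
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Connects straight to the origin (not through CloudFlare) and verifies the
# certificate it presents against the system trust store and the hostname.
# $1: origin IP or hostname, $2: site name (used for SNI and verification).
# Network-dependent; call it explicitly from a host that can reach the origin.
origin_cert_check() {
  openssl s_client -connect "$1:443" -servername "$2" -verify_hostname "$2" \
    -verify_return_error </dev/null >/dev/null 2>&1
}

# Constructed sample: a throwaway self-signed certificate valid for 90 days,
# standing in for the Let's Encrypt certificate so the check runs offline.
make_sample_cert() {
  dir="$(mktemp -d)"
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
    -subj "/CN=origin.example.invalid" \
    -keyout "$dir/privkey.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  echo "$dir/cert.pem"
}

# Stand-alone run: pass a real certificate path as $1 (for example the cert.pem
# under /etc/letsencrypt/live/<domain>/, a placeholder) or use the sample.
main() {
  cert="${1:-$(make_sample_cert)}"
  if needs_renewal "$cert" "$RENEW_WINDOW_DAYS"; then
    echo "RENEW: $cert expires $(cert_not_after "$cert")"
    return 2
  fi
  echo "OK: $cert valid beyond $RENEW_WINDOW_DAYS days (expires $(cert_not_after "$cert"))"
}

main "$@"
```

Run it as `sh check_cert.sh /path/to/cert.pem` from cron; the non-zero exit on the renewal branch makes it easy to hook into whatever alerting you already have, and `origin_cert_check ORIGIN_IP your.domain` from a trusted host is the direct way to confirm the origin is presenting a valid, correctly installed certificate rather than relying on the CloudFlare dashboard alone.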