Prerequisites and exclusions for auto renewal of secure certificates

I've scoured Cloudflare's docs and forum for setting up secure certificates for autorenewal where Cloudflare takes care of it all, but have not been successful in getting it set up correctly. It's not clear to me what the prerequisites and exclusions are for doing this. Our current SSL/TLS mode is "Full", but we could switch it to "Full (Strict)". We currently use Universal SSL, and we use CF for DNS. Additionally, there is a secure certificate from Sectigo installed on this server.

1. Is a Cloudflare origin CA certificate required (https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/)? If not, does the web server itself require any TLS configuration? There is no proxy server between the web server and CF.
2. Do we need the Sectigo certificate on the web server, if we have CF handling cert renewal?
3. Can we use CF to autorenew certificates for a simple apex and wildcard domain (example.com and *.example.com)?
4. Can we use CF to autorenew certificates under the Free plan?

Please help me untangle my 🧠. TIA!
SuperHelpflare•4mo ago
Support AI
I'd be happy to help you untangle your SSL/TLS setup with Cloudflare.

1. Cloudflare Origin CA Certificate: No, a Cloudflare Origin CA certificate is not required for autorenewal. However, if you want to use the "Full (Strict)" SSL/TLS mode, you'll need to ensure that your origin server (web server) has a valid TLS certificate. This can be either a certificate from a public CA (like Sectigo) or a self-signed certificate. Cloudflare will validate the certificate, but it's not necessary to use the Cloudflare Origin CA. If you choose to use the Cloudflare Origin CA, it will provide an additional layer of security, but it's not a prerequisite for autorenewal.
2. Sectigo Certificate on the Web Server: If you want Cloudflare to handle certificate renewal, you can remove the Sectigo certificate from your web server. Cloudflare will provision a new certificate for your domain and handle the renewal process. However, if you want to keep the Sectigo certificate on your web server, you can do so, but it's not necessary.
3. Autorenewal for Apex and Wildcard Domain: Yes, Cloudflare can autorenew certificates for both apex (example.com) and wildcard domains (*.example.com). In fact, Cloudflare's Universal SSL certificates cover both the apex domain and one level of subdomains (e.g., blog.example.com). If you need to cover additional subdomains, you can use Cloudflare's Wildcard SSL certificates.
4. Autorenewal on the Free Plan: Yes, Cloudflare's autorenewal feature is available on the Free plan. You can use Cloudflare's Universal SSL certificates, which are included with all plans, including the Free plan.

To summarize:
* You can switch to "Full (Strict)" SSL/TLS mode, but ensure your web server has a valid TLS certificate.
* You can remove the Sectigo certificate from your web server if you want Cloudflare to handle certificate renewal.
* Cloudflare can autorenew certificates for both apex and wildcard domains.
* Autorenewal is available on the Free plan.
I hope this helps clarify things for you!
This is an AI generated response, it may not be 100% accurate. Please validate the output. You can ask followups by replying to this message or mentioning me.
stevepiercyOP•4mo ago
There is no cert installed on a new server that we're migrating this site to, and we have "Full" (not strict) mode currently set. Aha! That's what's not clear in the docs. Thank you! I'll try a self-signed one to see if that does the trick for now. I set up the secure cert, and the browser shows that the cert loads, but the connection resets. I can see web server log entries on port 443 for requests that I make to the site. Should the CF cert we use for *.example.com work with a self-signed certificate with Full mode? I don't have access to view the firewall configuration to see if that's the problem, unfortunately. I'll pass along the CF Tunnel option to the network team. Thanks for the tip. Does the origin server require a certificate to work with Cloudflare Universal TLS?
SuperHelpflare•4mo ago
Support AI
According to Cloudflare's documentation (https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full/), when using Cloudflare's Universal TLS (which is included with the Free plan), the origin server does not require a certificate to work with Cloudflare. In "Full" mode, Cloudflare allows HTTPS connections between your visitor and Cloudflare, but it does not validate the origin server's certificate. This means that the origin server can use a self-signed certificate, a certificate from a private CA, or even no certificate at all. However, if you want to use "Full (Strict)" mode, the origin server will require a valid TLS certificate that is trusted by Cloudflare. This can be a certificate from a publicly trusted certificate authority or a Cloudflare Origin CA certificate. So, to answer your question, the origin server does not require a certificate to work with Cloudflare Universal TLS in "Full" mode, but it does require a valid TLS certificate to work with Cloudflare in "Full (Strict)" mode.
This is an AI generated response, it may not be 100% accurate. Please validate the output. You can ask followups by replying to this message or mentioning me.
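Following the self-signed route discussed above, here is an added example (not from this thread or from Cloudflare) that generates a self-signed origin certificate whose SANs cover example.com and *.example.com, then emulates how "Full" versus "Full (Strict)" treat it: Full does not validate the origin chain, while Strict only accepts a chain Cloudflare trusts. It assumes OpenSSL 1.1.1 or later (for -addext) and writes into a temporary directory; all names and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the thread. Builds a self-signed origin cert for
# the apex and wildcard names from the question and checks it the way
# "Full (strict)" would (chain validation) versus "Full" (no validation).
set -e
WORK="${TMPDIR:-/tmp}/origin-demo.$$"   # constructed scratch directory
mkdir -p "$WORK"

# Generate a self-signed certificate + key covering example.com and *.example.com.
make_origin_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:*.example.com" \
    -keyout "$WORK/origin.key" -out "$WORK/origin.pem" 2>/dev/null
}

# Print the SAN list so both the apex and the wildcard can be confirmed.
origin_sans() {
  openssl x509 -in "$WORK/origin.pem" -noout -text | grep 'DNS:' | tr -d ' '
}

# "Full (strict)" emulation: validate against the system trust store only.
# A self-signed cert is not in that store, so this answers "no".
strict_accepts() {
  if openssl verify "$WORK/origin.pem" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Same certificate once it is explicitly trusted (the role a publicly trusted
# or Cloudflare Origin CA chain plays for Strict mode): now it validates.
strict_accepts_when_trusted() {
  if openssl verify -CAfile "$WORK/origin.pem" "$WORK/origin.pem" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

# "Full" mode never runs the validation step at all, so the handshake succeeds
# with this certificate regardless of the two results above.
make_origin_cert
echo "SANs: $(origin_sans)"
echo "Accepted under Strict (untrusted issuer): $(strict_accepts)"
echo "Accepted under Strict (issuer trusted):   $(strict_accepts_when_trusted)"
```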
stevepiercyOP•4mo ago
Yup. That I understood. I'm missing a critical piece somewhere to get a secure connection on both legs. Aha! I had to disable OCSP stapling. I now can view the site. @Leo thanks for rubber ducking with me. I appreciate it. Can I have two or more Cloudflare Origin CA with the same domain name, and deploy a new one on a testing server?
SuperHelpflare•4mo ago
Support AI
According to Cloudflare's documentation (https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/#hostname-and-wildcard-coverage), you can have multiple Cloudflare Origin CA certificates for the same domain name, but each certificate must have a unique set of hostnames (SANs) or a unique private key. However, it's not recommended to have multiple Cloudflare Origin CA certificates with the same domain name and the same set of hostnames (SANs). This can cause issues with certificate validation and may lead to errors. If you want to deploy a new Cloudflare Origin CA certificate on a testing server, you can create a new certificate with a unique set of hostnames (SANs) or a unique private key. For example, you can create a new certificate for a subdomain like test.example.com or staging.example.com. Additionally, you can also use the same Cloudflare Origin CA certificate on multiple servers, as long as the certificate is properly installed and configured on each server. It's worth noting that Cloudflare Origin CA certificates are tied to a specific zone, so if you want to use a Cloudflare Origin CA certificate on a testing server, the testing server must be part of the same zone as the production server. In summary, while it's technically possible to have multiple Cloudflare Origin CA certificates for the same domain name, it's not recommended to have multiple certificates with the same set of hostnames (SANs). Instead, create a new certificate with a unique set of hostnames (SANs) or a unique private key for your testing server.
This is an AI generated response, it may not be 100% accurate. Please validate the output. You can ask followups by replying to this message or mentioning me.