All of the websites I manage use cPanel, which also offers free SSL certificates. However, some of these domains use Cloudflare for their DNS, and they also get their SSL certificates from Cloudflare itself.
For these websites, cPanel's AutoSSL feature normally fails at renewal time. I see several questions online that ask how to make sure AutoSSL works when Cloudflare is in the picture (and the solutions require either editing the .htaccess file for the website, or temporarily disabling Cloudflare's SSL so the AutoSSL feature can complete successfully).
My question is a different one: if I get an SSL certificate from Cloudflare already, do I even need cPanel's AutoSSL feature? Is there any scenario where I would benefit from making sure that cPanel's AutoSSL correctly renews all certificates anyway?
When you use Cloudflare there are two connections to your website, because Cloudflare acts as a proxy in the middle:
User ------> Cloudflare ------> Origin (cPanel)
Cloudflare will enable SSL between the user and Cloudflare but may leave the connection to the origin unencrypted:
User ======> Cloudflare ------> Origin
If you have SSL on the origin as well, both connections will be encrypted:
User ======> Cloudflare ======> Origin
You have several options for encrypting traffic to the origin:
- Use AutoSSL to get a LetsEncrypt certificate. These certificates expire every few months but get auto-renewed and re-installed.
- Get an origin certificate from CloudFlare that it trusts (but which users may not trust.) These certificates expire every 10 years and need to be manually installed.
- Use a self-signed certificate, which doesn't allow you to enable strict SSL mode at Cloudflare and could be vulnerable to a forgery attack.
AutoSSL is LetsEncrypt for cPanel. LetsEncrypt uses an automatic challenge response to verify that you are the owner of the domain:
- cPanel contacts LetsEncrypt and requests a certificate for a domain
- LetsEncrypt gives cPanel unique data to publish at a specific URL (under /.well-known/acme-challenge/)
- cPanel publishes the data
- LetsEncrypt validates that the data has been published, sees that you have control over the domain, and gives cPanel the certificate.
When you have Cloudflare, all the requests first hit Cloudflare before hitting your website. Cloudflare should pass through the ACME challenge requests, and you should be able to get a LetsEncrypt certificate even when Cloudflare is in the middle.
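The two things the answer turns on can both be checked from the command line. The script below is an added example, not code from the question, the answer, cPanel or Cloudflare: it connects straight to the origin (bypassing the proxy) to see whether the origin certificate is publicly trusted and how many days it has left, which is what decides whether Cloudflare's strict mode and AutoSSL renewal matter for you; and it sends the same plain-HTTP request an ACME server would send for the HTTP-01 challenge and classifies the reply (token served, redirected, blocked by a WAF rule, or not found). The host name, origin IP, token and expected token body are placeholders you replace with your own; the certificate date strings use the exact format Python's `ssl` module reports.

```python
"""Added example (not from the question, the answer, cPanel or Cloudflare).
(1) Is the certificate on the origin behind Cloudflare publicly trusted and
    how long until it expires?  Cloudflare Origin CA and self-signed
    certificates fail public validation, which is what the answer's
    option list is about.
(2) Would an HTTP-01 challenge request for /.well-known/acme-challenge/<token>
    get through the proxy to the origin?
Host names, IPs, tokens and token bodies below are placeholders."""
import http.client
import socket
import ssl
from datetime import datetime, timezone

ACME_PREFIX = "/.well-known/acme-challenge/"


def _cert_time(value):
    """Parse a notBefore/notAfter string as ssl.SSLSocket.getpeercert()
    reports it, e.g. 'Jun  1 12:00:00 2025 GMT' (always UTC)."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def days_until_expiry(not_after, now=None):
    """Whole days left on a certificate; negative means already expired.
    `now` may be a timezone-aware datetime, a string in the same format as
    `not_after`, or None for the current time."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _cert_time(now)
    return (_cert_time(not_after) - now).days


def classify_challenge_response(status, headers, body, expected_body):
    """Interpret an origin's answer to a simulated HTTP-01 challenge request.
    `headers` is a dict of lowercase header name -> value."""
    if status == 200 and body.strip() == expected_body:
        return "ok: token served, challenge requests reach the origin"
    if status in (301, 302, 307, 308):
        # The ACME server follows redirects, so a redirect only breaks the
        # challenge when the target does not serve the token (for example an
        # .htaccess rule that rewrites /.well-known/ somewhere else).
        return f"redirect to {headers.get('location', '?')}: verify the target serves the token"
    if status == 403:
        return "blocked (403): a WAF/firewall rule is stopping the challenge request"
    if status == 404:
        return "not found (404): token not published, or request reached a different vhost"
    return f"unexpected status {status}"


def probe_origin_certificate(hostname, origin_ip, port=443, timeout=5):
    """Connect directly to the origin IP with SNI set to the site name and
    report whether its certificate validates against the public trust store."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
        return {
            "trusted": True,
            "days_left": days_until_expiry(cert["notAfter"]),
            "issuer": dict(pair[0] for pair in cert["issuer"]),
        }
    except ssl.SSLCertVerificationError as err:
        # Typical for a Cloudflare Origin CA or self-signed certificate.
        return {"trusted": False, "days_left": None, "error": str(err)}


def probe_challenge_path(hostname, token, expected_body, timeout=5):
    """Send the request the ACME server would send: plain HTTP, through
    whatever answers for the host name (Cloudflare, if proxied)."""
    conn = http.client.HTTPConnection(hostname, 80, timeout=timeout)
    try:
        conn.request("GET", ACME_PREFIX + token, headers={"Host": hostname})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        headers = {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()
    return classify_challenge_response(resp.status, headers, body, expected_body)


if __name__ == "__main__":
    # Placeholder values: your domain, the real origin IP (not the Cloudflare
    # edge), and a token file you have placed under the challenge path.
    print(probe_origin_certificate("example.com", "203.0.113.10"))
    print(probe_challenge_path("example.com", "placeholder-token",
                               "placeholder-token.placeholder-thumbprint"))
```

If the first probe reports `trusted: False`, the origin is using a Cloudflare Origin CA or self-signed certificate, so AutoSSL's LetsEncrypt certificate is what would let you turn on strict mode; if it reports a small `days_left`, that is the renewal AutoSSL is supposed to be doing. A `blocked` or `not found` result from the second probe is the failure the answer describes, and is what to look at before touching .htaccess or pausing Cloudflare's SSL.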