SSL problems using Cloudflare

Hi,
I have some problems with the SSL certs for my websites and SSH using Cloudflare. I've tried many things, and it never worked as I wanted.
Here is my final trial; I give up and need some help.

What I want:

  • Use Cloudflare Full or better Full (strict) mode for SSL
  • Use my own private key with SSH

What I did and checked:

  • SSH: Deleted all Let's Encrypt folders in /etc/letsencrypt/live
  • CP: added my Cloudflare origin certificate and key in website1 /configuration/Add SSL (pasted cert and key)
  • CP: issued a Let's Encrypt certificate for website1, not for website2
  • SSH: in /etc/letsencrypt/live/website1/ I found the cert, privkey and fullchain pem files (I think the fullchain is for steps 2+3); no /etc/letsencrypt/live/website2/ as I didn't issue any SSL for this website
  • SSH: in /etc/SSL/certs I found my Cloudflare cert as a @a1b2c3d4 kind of file, a ssl-cert-snakeoil.pem file, and the two rsa and ecc certs from Cloudflare I put there since I read somewhere that maybe it was necessary and my first trials without them were unsuccessful
  • SSH: in /etc/SSL/keys I found the ssl-cert-snakeoil.key, which is my private key from Cloudflare

Results:

  • In Cloudflare Flexible mode, website2 (with no Let’s Encrypt SSL) works, but website1, which has the Let’s Encrypt cert, doesn’t (error 521)
  • In Cloudflare Full or Full (strict) modes, neither website works (error 521)
  • And it seems that I have problems using SSH with my own key (added in CP Secured SSH, I had to delete it); I can use SSH with a password and the IP address (not the domain name).

Can someone give me a little manual, or at least the steps for achieving this?
Thanks a lot.

You are doing it wrong.

To attain what you need/require, all you have to do is just disable the cloud proxy for your domain (all the entries) and then issue a Let's Encrypt SSL certificate for your domain from CyberPanel. After confirming the SSL is correctly issued,
you can now enable the Cloudflare proxy for the domain and then enable the strict mode SSL option of Cloudflare, where it will issue their own SSL internally (this only works if your domain already has a valid SSL certificate issued, from Let's Encrypt here).
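One way to confirm the origin certificate is good before switching the proxy back on and enabling Full (strict), as an added example that is not from this thread or from CyberPanel/Cloudflare: it connects to the origin IP directly with the SNI Cloudflare would send, then reports the issuer, expiry, hostname match and the highest Cloudflare SSL mode the origin can support. The hostname, IP and port on the usage line are placeholders.

```shell
#!/bin/sh
# Probe the origin directly (bypassing the Cloudflare proxy) with the SNI
# that Cloudflare would send, and report which Cloudflare SSL mode the
# origin can support. Hostname and IP below are assumed placeholders.
# Usage: ./check_origin_tls.sh website1.example 203.0.113.10 [443]

# Classify the "Verify return code" line printed by `openssl s_client`.
#   0             -> publicly trusted chain (e.g. Let's Encrypt): Full (strict) OK
#   18/19/20/21   -> self-signed or untrusted issuer (Cloudflare Origin CA,
#                    CyberPanel's ssl-cert-snakeoil): Full OK; strict only
#                    works if the issuer is Cloudflare's own Origin CA
#   10            -> expired: Full (strict) returns 526, renew first
#   anything else -> chain/handshake problem: expect 525/526 behind the proxy
classify_verify() {
  case "$1" in
    *"Verify return code: 0 "*)  echo "full-strict" ;;
    *"Verify return code: 10 "*) echo "expired" ;;
    *"Verify return code: 18 "*|*"Verify return code: 19 "*|\
    *"Verify return code: 20 "*|*"Verify return code: 21 "*) echo "full" ;;
    *) echo "broken" ;;
  esac
}

# Does the certificate's SAN/CN cover the hostname? Full (strict) needs this too.
hostname_matches() {
  printf '%s\n' "$2" | openssl x509 -noout -checkhost "$1" 2>/dev/null \
    | grep -q "does match"
}

probe_origin() {
  host=$1; ip=$2; port=${3:-443}
  # A refused connection here is what Cloudflare reports as error 521.
  out=$(openssl s_client -connect "$ip:$port" -servername "$host" </dev/null 2>/dev/null) \
    || { echo "no TLS listener on $ip:$port (proxy would show 521/525)"; return 1; }
  echo "issuer: $(printf '%s\n' "$out" | openssl x509 -noout -issuer 2>/dev/null)"
  echo "expiry: $(printf '%s\n' "$out" | openssl x509 -noout -enddate 2>/dev/null)"
  verdict=$(classify_verify "$(printf '%s\n' "$out" | grep 'Verify return code')")
  if hostname_matches "$host" "$out"; then
    echo "hostname: matches"
  else
    echo "hostname: does NOT match (Full (strict) would fail with 526)"
    [ "$verdict" = "full-strict" ] && verdict="full"
  fi
  echo "highest safe Cloudflare SSL mode: $verdict"
}

if [ "$#" -ge 2 ]; then probe_origin "$@"; fi
```

Run it against the origin IP, not the Cloudflare-proxied address, or you will be inspecting Cloudflare's edge certificate instead of your server's.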

Thank you for your reply. I tried again from zero, all DNS in Cloudflare are "DNS only" (grey), removed all certs (CP and Cloudflare) in /etc/ folders and reissued SSL. But it still doesn't work (for example an "ERR_CERT_AUTHORITY_INVALID" error, or SSL not found in some online SSL checkers).
I don't want to show you all the steps. But then I realized that I forgot to tell one (important) thing: I changed the port to 8443 (to bypass the Cloudflare firewall). And I read that port 8090 is hard coded. Maybe that's the reason?
Maybe I can start again from zero with the 2 following links (of course keeping your advice concerning the Cloudflare proxy)?

or (the rewrite rules are a little bit different)

Again, many thanks from a former CPanel and managed VPS user.

Just wanted to be sure, do you need to achieve Cloudflare SSL mode Full, or is it that you need to attain the Full (strict) mode? For strict mode you will then need to have the Cloudflare origin certificate installed on the server, which doesn't really make anything better in security. Just for the sake of doing it, you can do it though.

I am using the Full mode on all my domains without any issues.

Hi! Do we need to run any SSH commands to install Cloudflare certificates on the server? Or are you referring to simply adding SSL via CyberPanel?

you mean… using full mode
8090 worked
mail ssl worked?

When the SSL certificate on CyberPanel expires, do you need to turn off Proxy for all your domains again?

Is there no way to replace this routine?

Why am I here?
I installed Imunify360 and when it got active it crashed all sites, giving a Cloudflare SSL Handshake error (525):


If it is necessary to keep disabling the proxy on 30 domains every 3 months, that’s pretty irrational, right?

If you are using cloudflare, why not use cloudflare ssl instead? Saves you all the hassle

@tmoore Yes I’m using Cloudflare SSL, the problem is that if you don’t have a secure connection between Cloudflare and your server, Passwords and all sorts of information can be intercepted.

That’s why only Cloudflare’s FULL SSL option is completely secure, otherwise you’re vulnerable.

FULL requires a certificate in CF + on your SERVER

Yes, that's what I meant.
Using the origin cert from Cloudflare, you don't care about the Let's Encrypt one.
So why are you asking about disabling the proxy and such?
Did CyberPanel replace your CF Cloudflare?

If so, disable the acme cron to prevent it.