Hi,
I have some problems with the SSL certs for my websites and SSH using Cloudflare. I’ve tried many things, and never worked as I wanted.
Here my final trial, I give up, and need some help.
What I want:
Use Cloudflare Full or better Full (strict) mode for SSL
Use my own private key with SSH
What I did and checked:
SSH : Deleted all Let’sEncrypt folders in /etc/letsencrypt/live
CP : added my Cloudflare origin certificate and key in website1 /configuration/Add SSL (pasted cert and key)
CP : issued a Let’s Encrypt for website 1, not for website 2
SSH : in /etc/letsencrypt/live/website1/ I found the cert, privkey and full chain pem files (I think the fullchain is for steps 2+3), no /etc/letsencrypt/live/website2/ as I didn’t issued any SSL for this website
SSH : in /etc/SSL/certs I found my CloudFlare cert as a @a1b2c3d4 kind of file, a ssl-cert-snakeoil.pem file, and the two rsa and ecc certs form CloudFlare I put there since I read somewhere that maybe it was necessary and my first trials without them were unsuccessful
SSH : in /etc/SSL/keys I found the ssl-cert-snakeoil.key, which is my private key from Cloudflare
Results:
In Cloudflare Flexible mode, website2 (with no Let’s Encrypt SSL) works, but website1, which has the Let’s Encrypt cert, doesn’t (error 521)
In Cloudflare Full or Full (strict) modes, neither website works (error 521)
And it seems that I have problems using SSH with my own key (added in CP Secured SSH, I had to delete it), I can use SSH with password and IP address (not the domain name).
Can someone give me a little manual, or at least the steps for achieving this ?
Thanks a lot.
To attain what you need/require, all you have to do is just disable cloud proxy for your domain (all the entries) and then issue letsencrypt ssl for your domain from cyberpanel. After confirming the ssl is correctly issued,
You can now enable cloudflare proxy for the domain and then enable the strict mode ssl option of the cloudflare where it will issue their own ssl internally (this only works if your domain has valid ssl issued already (from letsencrypt here).
Thank you for your reply. I tried again form zero, all DNS in Cloudflare are “DNS only” (grey), removed all certs (CP and Clouflare) in /etc/ folders and reissued SSL. But still doesn’t work (for example “ERR_CERT_AUTHORITY_INVALID” error or SSL not found in some online SSL checkers).
I don’t want to show you all the steps. But the I realized that I forget to tell one (important) thing : I changed the port to 8443 (bypass cloudflare firewall). And read that port 8090 is hard coded. Maybe that’s the reason ?
Maybe I can start again from zero with the 2 following links, of course keeping your advice concerning Cloudflare proxy) ?
or (the rewrite rulkes are a little bit different)
Again, many thanks from a former CPanel and managed VPS user.
Just wanted to be sure, you need to achieve Cloudflare SSL mode to Full or is it you need to attain the Full (strict) mode? For strict mode you will then need to add the cloudflare origin certificate installed on server which doesn’t really makes anything better in security. Just for the sake of doing it, you can do it though.
I am using the Full mode on all my domains without any issues.
@tmoore Yes I’m using Cloudflare SSL, the problem is that if you don’t have a secure connection between Cloudflare and your server, Passwords and all sorts of information can be intercepted.
That’s why only Cloudflare’s FULL SSL option is completely secure, otherwise you’re vulnerable.
FULL requires a certificate in CF + on your SERVER
Yes, that’s what i meant.
Using the origin cert from cloudflare you dont care about the lets encrypt one.
So why are you asking about disabling proxy and such?
Did cyberpanel replaced your CF cloudflare?