Cloudflare and third party SSL, not possible?

[badstraw360]

I want to enable ssl on my xenforo domain, but...

I see that I need to get a business account if I want to use cloudflare with a third party SSL certificate, so is there a way that I can have both working at the same time?

My host provides cloudflare integration via cpanel and I don't really need a business account right now.

What alternatives do I have?

Thanks for the input guys.

 

[Pierce]

Cloudflare does ssl as part of every plan.

You don't even need to buy a cert.

 

[badstraw360]

This is what I see on my control panel... Do you know how to enable the certificate?

 

[Anthony Parsons]

You need to be asking cloudflare this question, not here. Cloudflare does free ssl and you can use cloudflare with your own ssl installed at your host if you want.

 

[Pierce]

https://support.cloudflare.com/hc/e...able-Free-SSL-under-CloudFlare-cPanel-plugin-

This looks like your host needs to request it.

 

[badstraw360]

Thanks guys..

I talked to cloudflare and it seems that they provide free shared certificates and I don't know why my host told me that cloudflare doesn't work with third party certificates..

I think I'm going to talk to them again to see what's going on..

 

[Pierce]

Well you got a confirmation from 2 guys that they should be free

You can also register an account direct with cloudflare for free and check it out that way too! But in order to use their services you need to transfer your DNS to them too.

 

[Anthony Parsons]

I don't know why my host told me that cloudflare doesn't work with third party certificates..

Because your host probably want to sell you their certificates and get a commission from you. Or they just suck and don't understand the very business that they work within. Cloudflare is the largest DNS / CDN / NGINX reverse proxy out there, everyone else aspires to be them. Why a host wouldn't know of their workings... usually says amateur or ripoff.

 

[badstraw360]

Ok, i have the SSL option enabled now..



I enabled a let's encrypt certificate for my domain, but If I try to go to https://mywebsite.com , I get a blank page.. I even changed the board URL, but it doesn't make any difference.

I would really appreciate any help to see if Im doing it wrong..

 

[Pierce]

try flexiable and see if that works

 

[badstraw360]

Nope, still nothing..

I added this code to config.php

$_SERVER['HTTPS'] = 'on';

But all I see is text, and I get the same http version of the site.

Also I tried to modify the htaccess with this code:

RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

It redirects to https , but I still get a blank page.

Now that I reverted the changes, I have to delete the cache on my browser to access the http version of the site because it keeps redirecting to an https version which doesn't work.

Im afraid that the users would think that the site went offline until they delete the cookies and cache on their browser.. How can I prevent that from happening in the meantime?

 

[Pierce]

So you see... The text but no formatting?

Check board URL (needs https)

 

[badstraw360]

Yeah I see text but no formatting, but it doesn't make any difference when I change the board URL to https which is odd.

I checked the SSL certificate to see if its working using sslshopper.com, and the certificate seems to be working because I get all the check marks in green. I don't know what else I need to do at this point.

I appreciate your help.

 

[Pierce]

Using chrome or Firefox, turn on the developer mode and see the different tabs to see what's happening

 

[Robru]

 

[Brent W]

Can I ask why not just use CloudFlare's free certificate? It seems much more simple to use theirs. Their default issue length is 15 years and gives you an A+ rating when setup properly with Nginx and CloudFlare. Not sure about the setup process for Apache as compared to Nginx though.

This site is using CloudFlare's certificates: https://www.ssllabs.com/ssltest/analyze.html?d=www.religiousforums.com&latest

This shows you how to at least do the CloudFlare part, I can't help with the Apache side of it.

 

[badstraw360]

Using chrome or Firefox, turn on the developer mode and see the different tabs to see what's happening

I reverted the changes (http again), and to access the http version I had to delete the cache on my browser because no matter what it keeps redirecting to an https version that doesn't work. I don't know if I'm being paranoid but today I see a decrease in traffic.
Do you think that it was just my browser, or the certificate enabled some type of STS? (strict transport security age) please check this link.

This is a great explanation about hsts and lets encrypt

Im afraid that the users would think that the site went offline until they delete the cookies and cache on their browser like I did.. How can I prevent that from happening in the meantime? Or am I ok?

View attachment 144915

Great.. would you be able to help me? I'm a little lost.

Can I ask why not just use CloudFlare's free certificate? It seems much more simple to use theirs. Their default issue length is 15 years and gives you an A+ rating when setup properly with Nginx and CloudFlare. Not sure about the setup process for Apache as compared to Nginx though.

This site is using CloudFlare's certificates: https://www.ssllabs.com/ssltest/analyze.html?d=www.religiousforums.com&latest

This shows you how to at least do the CloudFlare part, I can't help with the Apache side of it.

View attachment 144935

I tried to use the "flexible" SSL option, which means that I don't need to get my own certificate but it doesn't work, or at least I'm doing something wrong.

I checked the same lets encrypt certificate on my domain and I get an A.



I would appreciate your help guys... I really need some help.

 

[Anthony Parsons]

gives you an A+ rating when setup properly with Nginx and CloudFlare. Not sure about the setup process for Apache as compared to Nginx though.

When using Cloudflare, it doesn't matter what you use at your server, as the DNS is cloudflare, thus everyone should get an A+ because the IP is cloudflare, hence using it.

You don't need Nginx with cloudflare, as cloudflare IS Nginx and does exactly the same thing as using it at your server. You're just adding additional problems into your server. Use Nginx without cloudflare, absolutely... with it, not necessary.

SSL

Create your signing request (your server), add it at cloudflare, copy your certificate (from cloudflare), paste it (your server), then if you also need the CA bundle, you use (paste into your server): https://support.cloudflare.com/hc/e...thorities-CAs-used-with-CloudFlare-Origin-CA-

 

[Brent W]

When using Cloudflare, it doesn't matter what you use at your server, as the DNS is cloudflare, thus everyone should get an A+ because the IP is cloudflare, hence using it.

It does matter. You can use CloudFlare DNS and still use different certificates.

You don't need Nginx with cloudflare, as cloudflare IS Nginx and does exactly the same thing as using it at your server. You're just adding additional problems into your server. Use Nginx without cloudflare, absolutely... with it, not necessary.

Yes it does matter. Nginx still serves all my files and connects with PHP. It is a web server in the same way Apache is.

 

[Brent W]

I reverted the changes (http again), and to access the http version I had to delete the cache on my browser because no matter what it keeps redirecting to an https version that doesn't work. I don't know if I'm being paranoid but today I see a decrease in traffic.
Do you think that it was just my browser, or the certificate enabled some type of STS? (strict transport security age) please check this link.

This is a great explanation about hsts and lets encrypt

Im afraid that the users would think that the site went offline until they delete the cookies and cache on their browser like I did.. How can I prevent that from happening in the meantime? Or am I ok?


Great.. would you be able to help me? I'm a little lost.



I tried to use the "flexible" SSL option, which means that I don't need to get my own certificate but it doesn't work, or at least I'm doing something wrong.

I checked the same lets encrypt certificate on my domain and I get an A.

View attachment 144942

I would appreciate your help guys... I really need some help.

Unfortunately I have zero experience with Lets Encrypt and only a few Apache SSL configurations under my belt.