Tags: ssl, nginx, https, cloudflare, lets-encrypt

let's encrypt vs cloudflare or both?


I've been really confused between cloudflare's ssl and using let's encrypt to have my website become full https.

Many sources say to use either or use both. However, there is not a very decisive way to figure out whether to use both or just use one over the other.

In most cases, people love Cloudflare because it is a free CDN. And it comes with a simple way of setting up SSL.

However it looks like Let's Encrypt is the next big thing and it would be silly not to learn more about it.

Some people say that Cloudflare is enough: http://community.rtcamp.com/t/letsencrypt-with-cloudflare/5659

Some have gone to extreme lengths to set up both: https://medium.com/@benjamincaldwell/better-ssl-tls-certificates-from-lets-encrypt-with-nginx-and-cloudflare-9f01f89940cd#.tlhx6g5in

https://community.letsencrypt.org/t/how-to-get-a-lets-encrypt-certificate-while-using-cloudflare/6338?u=pfg

http://pushincome.com/cloudflare-lets-encrypt-free-ssl-setup-ubuntu-apache/

https://flurdy.com/docs/letsencrypt/nginx.html

I was wondering what the best way is to set up Let's Encrypt properly while still using Cloudflare as a CDN for my content.

Thanks.


Solution

  • When you use Cloudflare then there are two parts to encrypt:

    1. From the user's browser to Cloudflare
    2. From Cloudflare to your server

    This means that you need two certificates for full encryption.

    Cloudflare automatically provides you with the first one. This is the one that a user sees if they check the URL padlock.

    There are various ways to deal with the Cloudflare > Server encryption. All of these are free.

    1. Select Cloudflare's "Flexible" SSL/TLS encryption mode. This does NOT encrypt the request from Cloudflare to your server, but the browser will show the green padlock and say the site is secure. Kind of obnoxious, if you ask me.

    2. Use Let's Encrypt to install a cert on your server: https://certbot.eff.org/lets-encrypt/ubuntufocal-apache. You can now set Cloudflare's SSL/TLS encryption mode to "Full (strict)". I decided NOT to go with this solution because the basic solution doesn't work with load balancers.

    3. Install Cloudflare's Origin Certificate on your server. You can set its expiry to 15 years, which is nice (at least until 2035, when you have forgotten about this and your site breaks). Here are the Ubuntu directions: https://stackoverflow.com/a/65541021/984003

    4. You can also create and install your own origin certificate, which is apparently quite easy, but I haven't tried.

    Aug 2023 update: I went with option 3 and it's still working years later. I just noticed that the URL padlock says that the cert is Let's Encrypt and that it's only valid for three months. I guess this is what Cloudflare uses for the browser > Cloudflare part and that they handle updating it. I've never had to. I think it used to say that it was a Cloudflare cert.
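A way to check the Cloudflare > server leg the answer describes, added here as an example and not part of the original question or answer: it handshakes with the origin IP directly (bypassing the CDN), sends the site name via SNI, and reports whether the origin has no TLS at all (the "Flexible" situation), presents a cert that does not chain to the CA you expect, or presents a valid cert, including how many days it has left so a long-lived origin cert does not expire unnoticed. The host name, origin IP, CA file path and the sample certificate dict are assumptions or constructed values.

```python
"""Probe the Cloudflare -> origin leg directly, bypassing the CDN edge."""
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, trimmed
# to the keys used here; it imitates a Cloudflare Origin CA certificate.
SAMPLE_CERT = {
    "issuer": ((("organizationName", "CloudFlare, Inc."),),
               (("commonName", "CloudFlare Origin SSL Certificate Authority"),)),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jan  1 00:00:00 2035 GMT",
}
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time

def name_matches(pattern, host):
    """Match one SAN entry against host; a wildcard covers exactly one leftmost label."""
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern.lower() == host.lower()

def summarize_cert(cert, host, now=None):
    """Reduce a getpeercert() dict to what an operator checks: signer, coverage, expiry."""
    now = now or datetime.now(timezone.utc)
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])  # notAfter is UTC
    return {
        "issuer": issuer.get("commonName", issuer.get("organizationName", "?")),
        "covers_host": any(name_matches(n, host) for n in names),
        "days_left": int((expiry - now.timestamp()) // 86400),
    }

def probe_origin(host, origin_ip, cafile=None, port=443, timeout=5):
    """Handshake with the origin itself, sending the site name via SNI.
    cafile: leave None for a public CA (Let's Encrypt, option 2) or pass the
    Cloudflare Origin CA root for an Origin Certificate (option 3), which the
    system trust store does not know and would otherwise reject."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"status": "tls", **summarize_cert(tls.getpeercert(), host)}
    except ssl.SSLCertVerificationError as e:  # subclass of OSError: catch first
        return {"status": "untrusted", "detail": e.verify_message}
    except OSError as e:
        # Nothing speaks TLS on the origin: only "Flexible" mode could front it.
        return {"status": "no_tls", "detail": str(e)}

if __name__ == "__main__":
    import sys  # usage: probe.py example.com 203.0.113.10 [origin_ca_root.pem]
    print(probe_origin(sys.argv[1], sys.argv[2], sys.argv[3] if len(sys.argv) > 3 else None))
```

If the origin is firewalled to Cloudflare's IP ranges, run the probe from the server itself against 127.0.0.1 rather than from outside.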