2.15.1.1.4. Installing SSL from Cloudflare
Obtaining an SSL certificate from Let's Encrypt is very difficult or impossible when the domain uses Cloudflare. We strongly recommend not installing one and using the certificate provided by Cloudflare instead.
To correctly configure an SSL certificate using Cloudflare, you need:
Configuring a certificate
To set up a certificate on the Cloudflare side and then create a certificate for hosting, you need to:
- Sign in to your Cloudflare account.
- Go to the «SSL/TLS» section.
- In the «Overview» tab, select the encryption mode for the certificate («Full (strict)» is recommended, and the steps below describe how to set it up):
  - «Flexible» — data is encrypted only between the client and Cloudflare. In this case a certificate does not need to be installed on the hosting, but you must disable every HTTPS redirect configured on the hosting and in the site itself. (Not recommended.)
  - «Full» — data is encrypted both between the client and Cloudflare, and between Cloudflare and the hosting. On the hosting side, you can install a self-signed certificate. This method may be less secure than the next one because the certificate on the hosting side is not validated. (Not recommended.)
  - «Full (strict)» — data is encrypted both between the client and Cloudflare, and between Cloudflare and the hosting. Unlike the previous mode, you issue a certificate for the hosting on the Cloudflare side and install it on the hosting; its validity is then checked, which makes this mode more secure than the others. (Recommended method.)
- After choosing the encryption mode, go to the «Origin server» section and click «Create Certificate».
- Specify the data for creating a certificate:
  - Select «Let Cloudflare generate a private key and a CSR» (Cloudflare creates the CSR request for you).
  - Specify the required domains and subdomains to be included in the certificate.
  - Select a certificate expiration date.
  - Click «Next».
- Do not close the window that opens until you have completed all the steps. Next to «Key format», choose «PEM (Default)», then copy the certificate and the key shown into separate files (any file extension will do).
- Install the certificate on the hosting using the generated files.
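
Before installing, the two saved files can be checked against what was entered in the «Create Certificate» form: that the key belongs to the certificate, that every required domain is covered, and that the expiration date is not close. The script below is an added example, not part of the original instructions; it assumes the `openssl` command-line tool is available, and `origin.pem`, `origin.key` and `example.com` are placeholder names.

```shell
#!/bin/sh
# Added example: pre-install checks for the certificate and key files
# copied from the Cloudflare window. All file and host names are placeholders.

# 0 if the private key belongs to the certificate, 1 if not, 2 if a file is unreadable.
cert_matches_key() {
    _cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    _key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$_cert_pub" = "$_key_pub" ]
}

# 0 if the certificate covers the host name (wildcard entries are honoured).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# 0 if the certificate is still valid $2 days from now (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null 2>&1
}

# Run every check. Usage: check_origin_cert CERT KEY HOST [HOST...]
check_origin_cert() {
    _cert=$1; _key=$2; shift 2; _rc=0
    cert_matches_key "$_cert" "$_key" ||
        { echo "FAIL: key does not match certificate"; _rc=1; }
    cert_valid_for_days "$_cert" 30 ||
        { echo "FAIL: certificate expires within 30 days"; _rc=1; }
    for _host in "$@"; do
        cert_covers_host "$_cert" "$_host" ||
            { echo "FAIL: $_host is not in the certificate"; _rc=1; }
    done
    [ "$_rc" -eq 0 ] && echo "OK: $_cert and $_key are ready to install"
    return "$_rc"
}

# Example call with placeholder names:
#   check_origin_cert origin.pem origin.key example.com www.example.com
```

The key file should stay readable only by its owner on the hosting (for example `chmod 600 origin.key`), since anyone holding it can present the certificate.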