Can't Verify CloudFlare Certificate

After an entire day spent tackling Roots (each day I hit roadblocks, but with the help of the community I’ve gotten a little further each day) and a lot of guidance from “fullyint”, I was able to successfully deploy to DigitalOcean. Logged into DO and I see all the files there and the nginx server blocks all look right and everything, which is great.

But when I go to the website, which is https only, in both Safari and Chrome it says it can’t verify the identity of the website, that the certificate expires in 2025 and “This root certificate is not trusted.” If I trust it manually the site works.

I, like most devs I assume, use CloudFlare for DNS, which automatically provides SSL and has worked smoothly and automatically for all sites I’ve used before, but this is the first site using CloudFlare SSL with a Roots deployment. I use the default “Flexible SSL” option, which doesn’t require a certificate on the server, but I’m wondering if the Roots setup requires SSL on the server and whether I then need to change the CloudFlare SSL setting to Full SSL or Full Strict SSL.

I’ll investigate but thought I’d check to see if anyone has any experience with CloudFlare and Roots and the recommended SSL setup assuming the normal flexible option doesn’t work out the box. Thanks!

Update - changing from Flexible to Full in CloudFlare causes the site to load in Safari without a problem. Curious how that would work, since it requires a certificate on the server and I haven’t added one, unless that automatically happens during Trellis deployment? In Chrome it now loads, but https is in red and says:

Your connection to dadduo.com is encrypted using a modern cipher suite. Further, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the behavior of the page.

The connection uses TLS 1.2.

The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_ECDSA as the key exchange mechanism.

Weird. I tried the page on another computer and had the same issue. But all of a sudden I just clicked refresh again and now it’s loading without a problem, no red errors on the lock icon.

Guess the takeaway is that it sounds like Full SSL (not the default Flexible SSL) is required when using it with CloudFlare. And after you make the change, it may just take time for it to fully take effect.

Just for reference, did you set ssl: true in your Trellis config? It looks like the basic CloudFlare SSL does that all for you which means your server doesn’t need anything to do with SSL on it (so you’d leave ssl: false in Trellis).


Yes, I set ssl: true.

Looks like I can leave that to true and set CloudFlare to Full SSL and all is good. Though good to know that flexible will work if ssl is set to false in trellis. Thanks!


I had infinite redirect loop issues with Cloudflare’s SSL clashing with the Let’s Encrypt SSL. Ended up disabling the one on Cloudflare and it instantly fixed.
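
The loop above is the classic Flexible SSL failure: with Flexible, Cloudflare fetches from the origin over plain HTTP, so an origin nginx that redirects every HTTP request to HTTPS sends the edge straight back to the same URL, and the edge requests it over HTTP again. The script below is an added example, not code from this thread, Trellis or Cloudflare: it models the edge as a small client and the origin as a WSGI-style callable so the loop, the Full-mode fix and the X-Forwarded-Proto fix can be reproduced offline, and it builds the SSLContext a tester would use to probe an origin IP directly the way Full and Full (strict) treat the origin certificate. The hostname example.com, the handler names and probe_origin (which needs network and is not part of the offline run) are assumptions for illustration.

```python
"""Simulate how Cloudflare's Flexible / Full / Full (strict) modes hit an origin.

Added example for this thread (not Trellis or Cloudflare code). The origin is a
WSGI-style callable, the edge is a tiny client; hostnames are assumptions.
"""
import socket
import ssl
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

HOST = "example.com"  # assumed hostname for the simulation
REDIRECTS = (301, 302, 307, 308)
Response = Tuple[int, Dict[str, str]]
OriginApp = Callable[[dict], Response]


def naive_origin(environ: dict) -> Response:
    """Origin nginx that 301s every plain-HTTP request to HTTPS.

    It only looks at the scheme of the connection it actually received, which
    is what an HTTPS-enforcing server block does by default.
    """
    if environ["wsgi.url_scheme"] != "https":
        return 301, {"Location": "https://%s%s" % (environ["HTTP_HOST"], environ["PATH_INFO"])}
    return 200, {"Content-Type": "text/html"}


def proxy_aware_origin(environ: dict) -> Response:
    """Origin that trusts X-Forwarded-Proto from the edge before redirecting.

    Only safe when the origin accepts traffic solely from the proxy; otherwise
    anyone can spoof the header and skip the redirect.
    """
    visitor_scheme = environ.get("HTTP_X_FORWARDED_PROTO", environ["wsgi.url_scheme"])
    if visitor_scheme != "https":
        return 301, {"Location": "https://%s%s" % (environ["HTTP_HOST"], environ["PATH_INFO"])}
    return 200, {"Content-Type": "text/html"}


def edge_context(mode: str) -> Optional[ssl.SSLContext]:
    """SSLContext an edge (or a tester probing the origin) would use per mode.

    flexible -> no TLS to the origin at all (None)
    full     -> TLS, but the certificate is not verified (self-signed is fine)
    strict   -> TLS with chain and hostname verified against trusted CAs
    """
    if mode == "flexible":
        return None
    ctx = ssl.create_default_context()  # strict: CERT_REQUIRED + check_hostname
    if mode == "full":
        ctx.check_hostname = False        # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    elif mode != "strict":
        raise ValueError("unknown mode: %s" % mode)
    return ctx


def edge_fetch(mode: str, origin: OriginApp, path: str = "/",
               max_hops: int = 5) -> Tuple[str, int]:
    """Fetch path through the edge for a visitor who used HTTPS.

    Returns ("ok", status) or ("redirect_loop", hops) when the origin keeps
    bouncing the edge back and the hop budget is exhausted.
    """
    edge_context(mode)  # validates the mode name
    origin_scheme = "http" if mode == "flexible" else "https"
    for _ in range(max_hops):
        environ = {
            "wsgi.url_scheme": origin_scheme,   # what the origin sees
            "HTTP_HOST": HOST,
            "PATH_INFO": path,
            "HTTP_X_FORWARDED_PROTO": "https",  # what the visitor used
        }
        status, headers = origin(environ)
        if status not in REDIRECTS:
            return "ok", status
        # The edge follows the Location but still talks origin_scheme to the origin.
        path = urlsplit(headers["Location"]).path or "/"
    return "redirect_loop", max_hops


def probe_origin(origin_ip: str, mode: str, host: str = HOST, port: int = 443) -> str:
    """Connect straight to the origin IP (bypassing Cloudflare) with SNI=host.

    Network-only helper, not exercised offline. "ok" under strict means Full
    (strict) is safe to enable; a verify failure means only Full will work.
    """
    ctx = edge_context(mode)
    if ctx is None:
        return "flexible: edge uses plain HTTP, no certificate involved"
    try:
        with socket.create_connection((origin_ip, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok: %s" % tls.version()
    except ssl.SSLCertVerificationError as exc:
        return "verify failed: %s" % exc.verify_message
    except (OSError, ssl.SSLError) as exc:
        return "handshake failed: %s" % exc


if __name__ == "__main__":
    for mode in ("flexible", "full", "strict"):
        print(mode, "naive:", edge_fetch(mode, naive_origin),
              "proxy-aware:", edge_fetch(mode, proxy_aware_origin))
```

Run it and the flexible/naive combination is the only one that loops, which matches the experience above: switching Cloudflare to Full (so the origin sees HTTPS) or making the origin honour X-Forwarded-Proto both end the loop. probe_origin in strict mode against the origin IP is the quick way to learn whether the certificate on the server would pass Full (strict) before flipping the setting.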

Out of curiosity did you have an ssl certificate on your server after switching to cloudflare full ssl? Or did it just work with no ssl config at all on your server?

You need an SSL certificate (valid or not doesn’t matter) on your server when switching to Cloudflare Full (but not Strict) SSL.

If you switched to “Full (strict)”, you need a valid SSL certificate; get one from Let’s Encrypt or Cloudflare Origin CA (there is a role for that).

full vs full strict:

Which one to use? Use strict whenever possible.