Menu
I've been really confused between cloudflare's ssl and using let's encrypt to have my website become full https.
Many sources say to use either or use both. However there is not a very decisive way to figure out whether to use both or just use one over the other.
In most cases, people love cloudflare because it is a free CDN. And it comes with a simple way of setting up SSL
However it looks like Let's Encrypt is the next big thing and it would be silly not to learn more about it.
Some people say that Cloudflare is enough.. http://community.rtcamp.com/t/letsencrypt-with-cloudflare/5659
Some have gone to extreme lengths to set up both https://medium.com/@benjamincaldwell/better-ssl-tls-certificates-from-lets-encrypt-with-nginx-and-cloudflare-9f01f89940cd#.tlhx6g5in
https://community.letsencrypt.org/t/how-to-get-a-lets-encrypt-certificate-while-using-cloudflare/6338?u=pfg
http://pushincome.com/cloudflare-lets-encrypt-free-ssl-setup-ubuntu-apache/
https://flurdy.com/docs/letsencrypt/nginx.html
I was wondering what was the best way to setup let's encrypt properly to use with cloudflare still as a CDN for my content.
Thanks.
837
You do not need to use LetsEncrypt if using Cloudflare, you can just use their Origin certificates.
As of today, the main objective downside of using a Let's Encrypt certificate is compatibility. This is an issue that any new CA faces when approaching the market. In order for a certificate to be trusted, it must be signed by a certificate that belongs to a trusted CA.
On October 19, 2015, the intermediate certificates became cross-signed by IdenTrust, causing all certificates issued by Let's Encrypt to be trusted by all major browsers.
Having a certificate that expires after 90 days will reduce the chances of someone exploiting any vulnerabilities that may occur. The second reason Let's Encrypt expires after such a short time is to minimize the impact of mis-issued certificates.
When you use Cloudflare then there are two parts to encrypt:
This means that you need two certificates for full encryption.
Cloudflare automatically provides you with the first one. This is the one that a user sees if they check the URL padlock.
There are various ways to deal with the Cloudflare > Server encryption. All of these are free.
Select Cloudflare's "flexible" SSL/TLS encryption mode. This does NOT encrypt the request from Cloudflare to your server, but the browser will show the green padlock and say the site is secure. Kind of obnoxious, if you aks me.
Use Lets Encrypt to install a cert on your server https://certbot.eff.org/lets-encrypt/ubuntufocal-apache. You can now set Cloudflare's SSL/TLS encryption mode to "Full(strict)". I decided NOT to go with this solution because the basic solution doesn't work with load balancers.
Install Cloudflare's Origin Certificate on your server. You can set its expiry to 15 years, which is nice (at least until 2035 when your have forgotten about this and your site breaks). Here are the Ubunto directions: Set up Ubuntu Apache2 SSL using .pem and .key from Cloudflare
You can also create and install your own origin certificate, which is apparently quite easy, but I haven't tried.
69
A chain is only as strong as its weakest link.
If you secure one channel but not the other you reduce the attack surface but the setup is still vulnerable. Your website traffic is still flowing in plain text, be it between a browser and Cloudflare servers or Cloudflare servers and your origin server.
It's just a matter of time, effort and luck before someone intentionally or accidentally steals, hijacks, impersonates, sniffs, eavedrops or man-in-the-middles.
Besides, you have all the tools to do a fully secure setup and they're all free.
This is a good overview of HTTP vs HTTPS and it lists some of the attacks HTTP is vulnerable to.
29
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
