 

let's encrypt vs cloudflare or both? [closed]

I've been really confused between Cloudflare's SSL and using Let's Encrypt to have my website become full HTTPS.

Many sources say to use either or use both. However there is not a very decisive way to figure out whether to use both or just use one over the other.

In most cases, people love Cloudflare because it is a free CDN, and it comes with a simple way of setting up SSL.

However it looks like Let's Encrypt is the next big thing and it would be silly not to learn more about it.

Some people say that Cloudflare is enough: http://community.rtcamp.com/t/letsencrypt-with-cloudflare/5659

Some have gone to extreme lengths to set up both: https://medium.com/@benjamincaldwell/better-ssl-tls-certificates-from-lets-encrypt-with-nginx-and-cloudflare-9f01f89940cd#.tlhx6g5in

https://community.letsencrypt.org/t/how-to-get-a-lets-encrypt-certificate-while-using-cloudflare/6338?u=pfg

http://pushincome.com/cloudflare-lets-encrypt-free-ssl-setup-ubuntu-apache/

https://flurdy.com/docs/letsencrypt/nginx.html

I was wondering what the best way is to set up Let's Encrypt properly while still using Cloudflare as a CDN for my content.

Thanks.

asked Mar 23 '17 by user805981



2 Answers

When you use Cloudflare then there are two parts to encrypt:

  1. From the user's browser to Cloudflare
  2. From Cloudflare to your server

This means that you need two certificates for full encryption.

Cloudflare automatically provides you with the first one. This is the one that a user sees if they check the URL padlock.

There are various ways to deal with the Cloudflare > Server encryption. All of these are free.

  1. Select Cloudflare's "Flexible" SSL/TLS encryption mode. This does NOT encrypt the request from Cloudflare to your server, but the browser will show the green padlock and say the site is secure. Kind of obnoxious, if you ask me.

  2. Use Let's Encrypt to install a cert on your server: https://certbot.eff.org/lets-encrypt/ubuntufocal-apache. You can now set Cloudflare's SSL/TLS encryption mode to "Full (strict)". I decided NOT to go with this solution because the basic solution doesn't work with load balancers.

  3. Install Cloudflare's Origin Certificate on your server. You can set its expiry to 15 years, which is nice (at least until 2035, when you have forgotten about this and your site breaks). Here are the Ubuntu directions: Set up Ubuntu Apache2 SSL using .pem and .key from Cloudflare

  4. You can also create and install your own origin certificate, which is apparently quite easy, but I haven't tried.

answered Oct 16 '22 by user984003


A chain is only as strong as its weakest link.

If you secure one channel but not the other you reduce the attack surface but the setup is still vulnerable. Your website traffic is still flowing in plain text, be it between a browser and Cloudflare servers or Cloudflare servers and your origin server.

It's just a matter of time, effort and luck before someone intentionally or accidentally steals, hijacks, impersonates, sniffs, eavesdrops or man-in-the-middles.

Besides, you have all the tools to do a fully secure setup and they're all free.

  • Cloudflare-issued or Let's Encrypt certificate to secure communication to your website/API.
  • Cloudflare-issued or Let's Encrypt certificate to secure communication to your origin server.

This is a good overview of HTTP vs HTTPS and it lists some of the attacks HTTP is vulnerable to.

answered Oct 16 '22 by Max Ivanov