AutoSSL & Cloudflare - What's the Deal?
- I'm using Cloudflare for my domains = my DNS is hosted on Cloudflare + records are proxied through Cloudflare (records resolve to Cloudflare IPs)
- I'm using Cloudflare with Strict mode = both Cloudflare (Edge) server and Origin (My) server talk to visitors through SSL.
- Cloudflare provides the edge server SSL and I can choose to use Cloudflare or AutoSSL as my origin server SSL provider.
- Since Cloudflare proxies my DNS records (they resolve to different IPs than my server's IP), AutoSSL complains during the issuing of the SSLs.
- To fix the issue, this article advises to just stop using AutoSSL and use Cloudflare Origin SSLs, which are self-signed but aren't a problem since they aren't served directly to visitors.
- Either ditch AutoSSL in favor of Cloudflare Origin SSLs, or keep AutoSSL and turn off Cloudflare redirection settings before each AutoSSL renewal and/or don't proxy DNS records.
- The Common Name (CN) field in an SSL, although cosmetic, lists some other domain from your cPanel account. For example, when you check site.com's SSL in the browser it lists example.net as the CN. It looks like if you turn on AutoSSL to generate SSLs for a bunch of domains at once, it will mix and match sub/domains from all over the place. Those default subdomains of your main domain (a dreadful cPanel legacy problem), on top of which cPanel parks your addon domains, create even higher confusion, where 2 SSLs are needed to logically protect one website, since the website is both AddonDomain.com and SubDomain.MainDomain.com. One of those SSLs is attached to AddonDomain.com and the other one to MainDomain.com.
Hey hey! That all sounds right to me - you'd have to either change the SSL plan, or disable the redirection, as AutoSSL doesn't support any type of redirection in order for it to verify the cert properly. The common name field issue is known as well, but with the way the certificates are issued there isn't really a good way around it.
So we're talking about HTTPS redirection defined anywhere: Edge or Origin (Apache Includes, WHM, cPanel, .htaccess, website scripts)? Any redirection would interfere with AutoSSL's issuing and renewing? Don't forget that AutoSSL's DV process depends on DNS resolving to the server's IP address, so proxying of any kind is also a no-no.
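A preflight check for the two failure modes this thread names (the domain not resolving to the origin's IP, and a redirect answering on the HTTP validation path), added here as an example and not cPanel's or Cloudflare's own code. The challenge path is an assumption standing in for whatever path the CA probes, and the resolver and fetcher are injectable so the logic can be run offline against constructed inputs.

```python
import socket
import sys
import urllib.error
import urllib.request

# Assumption: a probe path under /.well-known/, standing in for the CA's real
# HTTP validation path. The token itself is a constructed placeholder.
CHALLENGE_PATH = "/.well-known/acme-challenge/preflight-probe"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface a 3xx as an HTTPError instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def default_resolver(host):
    """All IPv4 addresses public DNS currently returns for host."""
    return sorted(set(socket.gethostbyname_ex(host)[2]))


def default_fetcher(url):
    """GET url without following redirects; return (status, Location header)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here
        return err.code, err.headers.get("Location")


def dv_preflight(domain, origin_ip, resolver=default_resolver, fetcher=default_fetcher):
    """Return a list of reasons an HTTP-based DV probe would not reach the origin.

    An empty list means DNS points straight at origin_ip and the challenge
    path answers without redirecting; a proxied record or an HTTP->HTTPS
    rule shows up as one finding each.
    """
    problems = []
    addrs = resolver(domain)
    if origin_ip not in addrs:
        problems.append(f"dns: {domain} resolves to {addrs}, not origin {origin_ip} (proxied?)")
    status, location = fetcher(f"http://{domain}{CHALLENGE_PATH}")
    if 300 <= status < 400:
        problems.append(f"redirect: challenge path answered {status} -> {location}")
    return problems


if __name__ == "__main__":
    # Usage: python dv_preflight.py example.com 203.0.113.10
    for line in dv_preflight(sys.argv[1], sys.argv[2]) or ["ok: DV should reach the origin"]:
        print(line)
```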
If Cloudflare, then disable AutoSSL. Save.
I'm giving up on AutoSSL for now in favor of Cloudflare Origin certificates. These are the reasons:
- Incompatible with HTTP to HTTPS redirect
- Incompatible with Cloudflare proxy
- CN and wildcard domain stew