SSL FAQ

What is Universal SSL?
Universal SSL is the name for our free SSL service. It gives every customer a free entry point into securing their content in transit against eavesdropping and tampering.

Is there a difference between Universal SSL and SSL on a paid plan?

Yes, there are subtle differences that typically should not be noticeable to your clients. The biggest difference is that Universal SSL relies on SNI (Server Name Indication), a comparatively newer TLS extension than what is used for our paid SSL. Older operating systems and browsers that do not support SNI can run into problems; this is explained further down in this FAQ.

Does SSL work for hosting partners?

As of December 9, 2016 all new domains added to Cloudflare via partners have Free SSL enabled. In order to enable Free SSL for existing customers whose domains were added prior to December 9, 2016, it is necessary to delete and re-add the domain so that it is provisioned automatically.

SSL is available for partners through both CNAME and full DNS integrations. Note that for the issuing process to succeed, the "www" subdomain must be proxied through Cloudflare (orange-clouded); this is what triggers the certificate to be issued.

What do Flexible and Full SSL mean?

  • Flexible SSL:
    • SSL is terminated at the Cloudflare edge servers. Everything between your visitor and Cloudflare is encrypted, but the connection between Cloudflare and your origin server is plain HTTP. You do not need a certificate installed on your server, but you also do not get end-to-end encryption.
  • SSL Full:
    • SSL is terminated at the Cloudflare edge server, then the request is encrypted again and sent on to your origin over HTTPS. You need an SSL certificate installed on your server for this option. A self-signed certificate is accepted, because in this mode Cloudflare does not validate the origin certificate: you get encryption to the origin, but no proof that the edge is talking to the right server.
  • SSL Full (strict):
    • Same as SSL Full, but the origin certificate must be valid (not expired) and signed by a trusted CA (Certificate Authority), such as GlobalSign. This is the only mode in which Cloudflare authenticates your origin.
  • Custom SSL (Business/Enterprise ONLY)
    • Customers on these plans can upload their own SSL private key and certificate, so a visitor who inspects the certificate sees your certificate details rather than the Cloudflare-issued one.

I have a certificate installed on my server, why am I seeing a Cloudflare certificate?

When you use Cloudflare, we must decrypt the data at our edge in order to cache it and filter out bad traffic. Depending on the SSL setting from above, we then re-encrypt it or send it on as plain text (Full vs. Flexible). Rather than giving every domain a dedicated IP address with its own certificate, we add your domain name and a wildcard (*.domain.com) as Subject Alternative Names (SANs) on a certificate that Cloudflare issues and serves at the edge, which is why the certificate a visitor sees is not the one installed on your server.

I am seeing an error message when I visit my site over https, what's going on?
In order for our SSL vendor to issue the certificate for your domain name, the domain must go through a vetting process first. Depending on your plan this may take anywhere from 15 minutes (paid) to 24 hours (free). You can check the status of your certificate in the Cloudflare settings for the domain; it will show as Authorizing, Pending, or Verified.

It's been 24 hours since I signed up for Cloudflare and my certificate hasn't verified?

Your domain name may be flagged for additional review before our vendors will issue a certificate. Please create a ticket letting us know and we will reach out to our SSL vendor for further analysis.

I want Cloudflare to show my certificate when a client visits, how can I do that?
This is a premium feature available to our Business and Enterprise customers. You can follow this guide here.

 

Why are my images/css/js files missing when I load my page over HTTPS?
This is typically seen with SSL terminated at the edge (AKA Flexible SSL). Your origin receives a plain HTTP request from Cloudflare, so your CMS or templates build absolute http:// URLs for the page's assets, and the page the visitor loads over https then requests http assets. Most modern browsers block these requests for security purposes: an attacker on the unencrypted leg could replace a script or stylesheet. You can fix this by loading your assets relative to the protocol (HTTP/HTTPS), so the browser reuses whatever scheme the page itself was loaded with. The file path would look like this:
//domain.com/path/to.file
Great read on this here.
Depending on your CMS, there may be modules/plugins to do this for you automatically. Cloudflare also provides a means of doing so via Automatic HTTPS Rewrites.
If you are not sure this is the issue you are having, open Dev Tools in your browser and view the Console tab. The error will look something like this:

Mixed Content: The page at 'https://domain.com/' was loaded over HTTPS, but requested an insecure resource 'http://domain.com/path/to.file'. This request has been blocked; the content must be served over HTTPS.

  1. You can fix this by using protocol-relative URLs (or plain https:// URLs) for your assets,
  2. or install a certificate on your server and use the Full SSL option, so that your origin sees an HTTPS request and generates https links itself.
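Both fixes are usually applied by the CMS or by a rewrite layer such as Automatic HTTPS Rewrites. As an added example, not from this FAQ or from Cloudflare, here is a small Python scanner and rewriter built only on the standard library: it finds the subresource references a browser would report as Mixed Content, rewrites the ones on a host you control to the protocol-relative form, and leaves third-party hosts alone (a protocol-relative URL only helps if that host serves HTTPS too). The sample HTML, the host domain.com and the third-party host cdn.thirdparty.example are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that fetch a subresource. A plain <a href="http://..."> is
# navigation, not mixed content, so anchors are deliberately not listed.
SUBRESOURCE_ATTRS = {
    "img": {"src"}, "script": {"src"}, "link": {"href"}, "iframe": {"src"},
    "source": {"src"}, "video": {"src", "poster"}, "audio": {"src"}, "embed": {"src"},
}

# Constructed sample page: two own-host assets over http://, one third-party
# script over http://, one navigation link and one asset that is already fine.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://domain.com/css/site.css">
<script src="http://cdn.thirdparty.example/lib.js"></script>
</head><body>
<img src="http://domain.com/img/logo.png" alt="logo">
<a href="http://domain.com/about">About</a>
<img src="https://domain.com/img/secure.png" alt="ok">
</body></html>"""


class MixedContentScanner(HTMLParser):
    """Records every subresource reference whose URL scheme is plain http."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (raw start tag text, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag, ())
        for name, value in attrs:
            # urlsplit lowercases the scheme, so HTTP:// is caught as well
            if name in wanted and value and urlsplit(value).scheme == "http":
                self.findings.append((self.get_starttag_text(), tag, name, value))


def find_mixed_content(page_html):
    """Return [(tag, attribute, url)] for everything a browser would block."""
    scanner = MixedContentScanner()
    scanner.feed(page_html)
    scanner.close()
    return [(tag, attr, url) for _, tag, attr, url in scanner.findings]


def rewrite_mixed_content(page_html, own_hosts):
    """Rewrite http:// asset URLs on hosts you control to protocol-relative form
    (//host/path), as the FAQ recommends. Third-party hosts are left untouched
    and returned separately, because the markup cannot tell you whether that
    host also serves HTTPS."""
    scanner = MixedContentScanner()
    scanner.feed(page_html)
    scanner.close()
    rewritten = page_html
    unresolved = []
    for raw_tag, tag, attr, url in scanner.findings:
        host = (urlsplit(url).hostname or "").lower()
        if host in own_hosts:
            new_url = "//" + url[len("http://"):]
            # Replace the attribute value inside this one start tag only.
            rewritten = rewritten.replace(raw_tag, raw_tag.replace(url, new_url, 1), 1)
        else:
            unresolved.append((tag, attr, url))
    return rewritten, unresolved


if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE_PAGE):
        print("mixed content:", finding)
    fixed, left = rewrite_mixed_content(SAMPLE_PAGE, {"domain.com"})
    print(fixed)
    print("still needs attention:", left)
```

Running the scanner a second time over the rewritten page shows only the third-party script remaining, which is exactly the item that still needs a human decision (does that CDN serve HTTPS, or should the asset be self-hosted).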

 

SSL on my free plan isn't working on an old OS/Browser
Universal SSL relies on SNI (Server Name Indication), a TLS extension that older operating systems and browsers do not send. Without it the edge cannot tell which certificate to present for your hostname, so you may get SSL untrusted errors on older versions of Windows, or even with older cURL builds (*nix).

If you do not want visitors on older browsers or operating systems to have issues accessing your site via https://, you should consider upgrading to a paid Cloudflare plan for broader operating system and browser support.

 

How do I force my site to only use HTTPS/SSL?
You can use Page Rules to force all content to HTTPS using the "Always use HTTPS" feature, which redirects every http:// request to https://. Tutorial on Page Rules.

 

I'm seeing 52x errors
1. 525
A 525 error means the SSL handshake between Cloudflare and the origin server that hosts the domain failed. It occurs when the domain is set to Full SSL (or Full strict) in the Cloudflare settings, so Cloudflare attempts an SSL connection to your origin for requests beginning in https://, and the origin does not complete the handshake, for example because nothing is listening on port 443, no certificate is installed, or the origin does not support SNI or any cipher suite Cloudflare offers.
More Info here.
2. 526
The HTTP Error Response Code 526 occurs when Cloudflare is unable to validate the SSL certificate on the origin web server and the Cloudflare SSL configuration for the website is set to "Full SSL (Strict)", for example because the certificate is self-signed, expired, or not issued by a trusted CA.
More info here.
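To reproduce what the edge does before a 525 or 526 appears, and to see the difference between the Full and Full (strict) modes described earlier in this FAQ, here is an added Python probe (not part of this FAQ or of Cloudflare's tooling). It connects to an origin IP, sends the hostname as SNI, and runs the handshake twice: once ignoring the certificate, as Full does, and once verifying it against the trust store, as Full (strict) does. The origin address, hostname and optional `ca_file` are values you fill in; the 127.0.0.1:9 target in the usage line is constructed and simply refuses the connection, which exercises the 525-like path.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProbeResult:
    mode: str                  # "full" or "strict"
    ok: bool
    protocol: Optional[str]    # e.g. "TLSv1.3" once the handshake completed
    cipher: Optional[str]
    failure: Optional[str]     # "verify" (526-like), "handshake" / "connect" (525-like), or None
    detail: str


def origin_context(mode: str, ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context mirroring the two Full modes.
    full   : encrypt, but accept any certificate (self-signed included), like Full SSL
    strict : require a valid chain for the hostname, like Full (strict)"""
    ctx = ssl.create_default_context(cafile=ca_file)
    if mode == "full":
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif mode != "strict":
        raise ValueError("mode must be 'full' or 'strict'")
    return ctx


def classify_failure(exc: BaseException) -> str:
    """Map the exception a failed probe raised onto the 52x error it resembles.
    SSLCertVerificationError is a subclass of SSLError, so it is tested first."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "verify"        # certificate rejected: what Full (strict) surfaces as 526
    if isinstance(exc, ssl.SSLError):
        return "handshake"     # TLS handshake broke: what surfaces as 525
    if isinstance(exc, OSError):
        return "connect"       # refused, unreachable or timed out: also a 525 from the edge
    return "other"


def probe_origin(origin_ip: str, hostname: str, mode: str, port: int = 443,
                 timeout: float = 5.0, ca_file: Optional[str] = None) -> ProbeResult:
    """Connect to origin_ip:port, present `hostname` as SNI, complete a handshake."""
    ctx = origin_context(mode, ca_file)
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return ProbeResult(mode, True, tls.version(), tls.cipher()[0], None,
                                   "handshake completed")
    except Exception as exc:  # classify anything the probe raised instead of crashing
        return ProbeResult(mode, False, None, None, classify_failure(exc),
                           f"{type(exc).__name__}: {exc}")


def diagnose(origin_ip: str, hostname: str, **kw) -> str:
    """Run both modes and say which Cloudflare setting the origin can support."""
    full = probe_origin(origin_ip, hostname, "full", **kw)
    if not full.ok:
        return f"525-like: origin does not complete a TLS handshake ({full.detail})"
    strict = probe_origin(origin_ip, hostname, "strict", **kw)
    if not strict.ok:
        return (f"Full works ({full.protocol}, {full.cipher}) but Full (strict) would give "
                f"526: {strict.detail}")
    return f"Full (strict) is safe to enable ({strict.protocol}, {strict.cipher})"


if __name__ == "__main__":
    # Constructed target: nothing listens on 127.0.0.1:9, so this prints the 525-like path.
    print(diagnose("127.0.0.1", "domain.com", port=9, timeout=2.0))
```

Run it against the origin's real IP rather than the proxied hostname, otherwise you are probing the Cloudflare edge instead of your own server. A "verify" failure with a self-signed certificate is expected under Full and is exactly what Full (strict) rejects.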

 

What cipher suites does Cloudflare use?

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519:P-256:P-384:P-224:P-521;
ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';
ssl_prefer_server_ciphers on;

Additional info here.
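The fragment above is nginx syntax, so it can also be read as a checklist for your own origin. Here is an added Python checker, not from this FAQ or from Cloudflare, that parses `ssl_protocols`, `ssl_ecdh_curve` and `ssl_ciphers` (including the `[a|b]` equal-preference groups), flags the deprecated protocol versions, the 64-bit block cipher and the static-RSA suites that give no forward secrecy, and emits a tightened fragment. The page's own fragment is embedded as the sample input. The entries it flags are kept at the edge for compatibility with old clients; on an origin that only Cloudflare connects to there is no such client, so they can go.

```python
import re

# The nginx fragment from the FAQ above, embedded verbatim as the sample input.
PAGE_CONFIG = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519:P-256:P-384:P-224:P-521;
ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';
ssl_prefer_server_ciphers on;
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1 deprecated by RFC 8996
WEAK_CURVES = {"P-224"}  # about 112-bit security, below the 128 bits the AES-128 suites target

DIRECTIVE_RE = re.compile(r"^\s*(ssl_\w+)\s+(.*?)\s*;\s*$", re.M)


def parse_ssl_directives(config):
    """Map each ssl_* directive to its value with surrounding quotes removed."""
    return {m.group(1): m.group(2).strip("'\"") for m in DIRECTIVE_RE.finditer(config)}


def parse_cipher_string(cipher_string):
    """Split an OpenSSL-style cipher list into ordered groups. '[a|b|c]' is an
    equal-preference group; every other ':'-separated item becomes a group of one."""
    groups = []
    for item in cipher_string.split(":"):
        item = item.strip()
        if item.startswith("[") and item.endswith("]"):
            groups.append(item[1:-1].split("|"))
        elif item:
            groups.append([item])
    return groups


def cipher_issues(name):
    """Problems with a single suite name or keyword expression such as RSA+3DES."""
    issues = []
    upper = name.upper()
    if "3DES" in upper or "DES-CBC3" in upper:
        issues.append("64-bit block cipher (3DES, Sweet32)")
    if "DHE" not in upper:  # neither DHE nor ECDHE: static RSA key exchange
        issues.append("static RSA key exchange, no forward secrecy")
    return issues


def audit(config):
    """Return human-readable findings; an empty list means nothing was flagged."""
    d = parse_ssl_directives(config)
    findings = []
    for proto in d.get("ssl_protocols", "").split():
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"ssl_protocols: {proto} is deprecated")
    for curve in d.get("ssl_ecdh_curve", "").split(":"):
        if curve in WEAK_CURVES:
            findings.append(f"ssl_ecdh_curve: {curve} is below 128-bit security")
    for group in parse_cipher_string(d.get("ssl_ciphers", "")):
        for name in group:
            for issue in cipher_issues(name):
                findings.append(f"ssl_ciphers: {name}: {issue}")
    if d.get("ssl_prefer_server_ciphers", "off") != "on":
        findings.append("ssl_prefer_server_ciphers: off, the client picks from your whole list")
    return findings


def harden(config):
    """Re-emit the fragment with every flagged protocol, curve and suite removed."""
    d = parse_ssl_directives(config)
    protocols = [p for p in d["ssl_protocols"].split() if p not in DEPRECATED_PROTOCOLS]
    curves = [c for c in d["ssl_ecdh_curve"].split(":") if c not in WEAK_CURVES]
    groups = []
    for group in parse_cipher_string(d["ssl_ciphers"]):
        kept = [n for n in group if not cipher_issues(n)]
        if len(kept) > 1:
            groups.append("[" + "|".join(kept) + "]")
        elif kept:
            groups.append(kept[0])
    return (f"ssl_protocols {' '.join(protocols)};\n"
            f"ssl_ecdh_curve {':'.join(curves)};\n"
            f"ssl_ciphers '{':'.join(groups)}';\n"
            "ssl_prefer_server_ciphers on;\n")


if __name__ == "__main__":
    for finding in audit(PAGE_CONFIG):
        print(finding)
    print(harden(PAGE_CONFIG))
```

The checker is a keyword matcher, not a cryptographic oracle: it only knows the rules spelled out in its two sets and `cipher_issues`, so extend those before trusting it on a list that uses suite names outside this fragment.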

 

How do I install the certificate on my server?
The certificate that Cloudflare issues does not require you to install anything on your server; it is installed only on Cloudflare's edge. If you also want the connection between Cloudflare and your origin encrypted, you can create a self-signed certificate and use Full SSL (NON STRICT), bearing in mind that Cloudflare will not validate that certificate, or install a CA-signed certificate and use Full (strict). For more on the Full options, look through the SSL modes section of this FAQ.
