SSL FAQ

What is Universal SSL?
Universal SSL is the name for Cloudflare's free SSL service. Every zone, including those on the Free plan, gets a certificate at the Cloudflare edge, so content in transit between visitors and Cloudflare is encrypted and protected from eavesdropping and tampering.

Is there a difference between Universal SSL and SSL on a paid plan?

Yes, there are some subtle differences. The biggest one is that Universal SSL relies on SNI (Server Name Indication), a TLS extension in which the client names the host it wants during the handshake, so that many hostnames can share one IP address and one certificate. Older operating systems and browsers do not send SNI and therefore cannot use Universal SSL, whereas paid SSL does not depend on it. See the FAQ entry below on old operating systems and browsers for details.

Does SSL work for hosting partners?

As of December 9, 2016, all new domains added to Cloudflare through partners have Free SSL enabled. For domains added before December 9, 2016, delete and re-add the domain so that it is provisioned automatically.

SSL is available to partners through both CNAME and full DNS integrations. For issuance to succeed, the "www" subdomain must be proxied through Cloudflare (orange-clouded); that is what triggers the certificate to be issued.

Are Cloudflare SSL certificates exportable?

No. The one exception is Origin CA certificates, which are meant to be exported and installed on your origin server. Be aware that Origin CA certificates are issued by Cloudflare's own private CA, so they are trusted by Cloudflare's edge only; browsers and other clients outside the Cloudflare network will reject them.

Are Cloudflare SSL certificates shared?

Universal SSL certificates are multi-domain (SAN) certificates, shared with other customers' domains that are not in your account. If you want a certificate that lists only your own domain, we recommend the Cloudflare Dedicated SSL service.

What do the SSL options mean?

Your domain's SSL option determines whether, and how, Cloudflare encrypts the connection from its edge to your origin server. Visitor-to-Cloudflare traffic is encrypted in every mode; the modes differ in what happens on the Cloudflare-to-origin leg.

  • Flexible SSL:
    • TLS is terminated at the Cloudflare edge. Everything between the visitor and Cloudflare is encrypted, but traffic between Cloudflare and your origin is sent in plain text. You do not need a certificate on your origin, but you also do not get end-to-end encryption: anyone on the path between Cloudflare and your origin can read or alter the traffic.
  • SSL Full:
    • TLS is terminated at the Cloudflare edge, then Cloudflare opens a second TLS connection to your origin. Your origin needs a certificate, but Cloudflare does not validate it: a self-signed or expired certificate is accepted. This encrypts the origin leg but does not authenticate the origin.
  • SSL Full (Strict):
    • Same as SSL Full, but Cloudflare validates the origin certificate: it must be unexpired, cover the hostname, and be signed by a trusted Certificate Authority (such as GlobalSign or DigiCert) or be a Cloudflare Origin CA certificate. This is the only mode that authenticates your origin.
  • Custom SSL (Business/Enterprise ONLY)
    • You upload your own private key and certificate to be served at the edge, so a visitor who inspects the certificate sees yours rather than a Cloudflare-issued one.

I have a certificate installed on my server, why am I seeing a Cloudflare certificate?

When you use Cloudflare, we must decrypt traffic at our edge in order to cache it and filter out bad requests, so the certificate a visitor sees is always the one at the edge, never the one on your origin. Depending on the SSL option above, we then re-encrypt to your origin (Full) or forward the traffic as plain text (Flexible). Giving every certificate its own dedicated IP address does not scale, so instead we add your domain name and a wildcard (*.domain.com) as SAN (Subject Alternative Name) entries on a shared certificate.

I am seeing an error message when I visit my site over https, what's going on?
Before our SSL vendor can issue a certificate for your domain name, it has to go through a vetting process. Depending on your plan, this can take anywhere from 15 minutes (paid) to 24 hours (free); until the certificate is issued, https:// requests to the domain fail with a certificate error. You can check the status of your certificate in the Cloudflare settings for the domain, where it will show as Authorizing, Pending, or Verified.

It's been 24 hours since I signed up for Cloudflare and my certificate still hasn't been verified. What now?

Your domain name may have been flagged for additional review before our vendor will issue a certificate. Please open a support ticket and we will contact our SSL vendor for further analysis.

I want Cloudflare to show my certificate when a client visits, how can I do that?
This is a premium feature (Custom SSL, described above) available to Business and Enterprise customers. For details, see this guide.

Why are my images/css/js files missing when I load my page over https?
This is typically a side effect of SSL termination at the edge (i.e., Flexible SSL): your origin sees a plain-HTTP request, so it writes absolute http:// URLs into the page, and the page, itself loaded over https, then requests http resources. Most modern browsers block such requests for security reasons, because a script or stylesheet fetched over plain HTTP could be tampered with in transit and would undermine the HTTPS page. You can fix this by loading your assets relative to the protocol (HTTP/HTTPS). The file path would look like this:
//domain.com/path/to.file
You can read more about this here.
Depending on your CMS, there may be modules/plugins that do this for you automatically. Cloudflare provides a means of doing so via Automatic HTTPS Rewrites.
If you're not sure this is the issue you're having, open Dev Tools in your browser and look at the Console tab. The error looks something like this:

Mixed Content: The page at 'https://domain.com/' was loaded over HTTPS, but requested an insecure resource 'http://domain.com/path/to.file'. This request has been blocked; the content must be served over HTTPS.

  1. You can fix this by using protocol-relative (or, better, explicit https://) URLs for your assets,
  2. or by installing a certificate on your server and switching to Cloudflare Full SSL, so that your origin sees HTTPS requests and generates https:// URLs itself.
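The following is an added example, not Cloudflare's code, that performs the same check the browser console message above reports: it scans an HTML page for subresources (stylesheets, scripts, images, frames, media) referenced over http:// and rewrites them, either to protocol-relative //host/path form as the FAQ suggests or straight to https://. The sample page, its domain.com URLs and the tag/attribute table are constructed for the example; `<a href>` links are deliberately not treated as mixed content because navigations are not blocked.

```python
"""Find and fix mixed content in an HTML page that is served over HTTPS.

Added example (not Cloudflare's code). Mirrors the browser rule quoted in the
FAQ: a subresource requested over http:// from an https:// page is blocked.
"""
from html.parser import HTMLParser

# Tags and attributes whose http:// URLs browsers block as mixed content.
# <a href> is a navigation, not a subresource, so it is intentionally absent.
# (Assumed table for this example; <link> is kept simple and not filtered by rel.)
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src", "srcset"),
    "track": ("src",),
    "object": ("data",),
    "embed": ("src",),
}


class MixedContentFinder(HTMLParser):
    """Collect (tag, attribute, url) for every http:// subresource reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None or name not in SUBRESOURCE_ATTRS.get(tag, ()):
                continue
            if name == "srcset":
                # srcset is "url descriptor, url descriptor"; check each URL.
                candidates = [c.split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value]
            for url in candidates:
                if url.lower().startswith("http://"):
                    self.findings.append((tag, name, url))


def find_mixed_content(html):
    """Return the list of (tag, attribute, url) that a browser would block."""
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def rewrite_mixed_content(html, scheme="https:"):
    """Rewrite each offending URL in place.

    scheme="https:" upgrades to HTTPS (preferred today); scheme="" produces the
    protocol-relative //host/path form the FAQ describes.
    """
    fixed = html
    for _tag, _attr, url in find_mixed_content(html):
        fixed = fixed.replace(url, scheme + url[len("http:"):])
    return fixed


# Constructed sample page: three blockable http:// subresources, one https
# script that is fine, and one http:// link that is not mixed content.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://domain.com/css/site.css">
<script src="https://cdn.example/lib.js"></script>
</head><body>
<img src="http://domain.com/img/logo.png" alt="logo">
<img srcset="http://domain.com/img/a-1x.png 1x, https://domain.com/img/a-2x.png 2x">
<a href="http://domain.com/about">About</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE):
        print("Mixed Content: <%s %s> requested an insecure resource %s" % (tag, attr, url))
    print(rewrite_mixed_content(SAMPLE_PAGE))
```

The rewrite only touches URLs the finder flagged, so it is safe to run over a whole page; pass the real page body (for example the response from your origin) in place of SAMPLE_PAGE. Note that upgrading to https:// only helps if the asset host actually serves HTTPS, which is exactly what Full SSL on your origin, or Automatic HTTPS Rewrites at the edge, provides.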

SSL on my free plan isn't working in an old OS/browser
Universal SSL uses SNI, a TLS extension that older operating systems and browsers do not support. A client that does not send SNI cannot tell the edge which hostname it wants, so it is handed a certificate for a different name and reports an untrusted or mismatched certificate. This affects older versions of Windows (Internet Explorer on Windows XP, for example) and older builds of cURL and other *nix tools.

If you do not want visitors on older browsers or operating systems to have problems reaching your site over https://, consider upgrading to a paid Cloudflare plan for broader operating system and browser support.

How do I force my site to only use HTTPS/SSL?
You can use Page Rules to force all content to HTTPS with the "Always Use HTTPS" setting, which answers every http:// request with a redirect to the https:// equivalent. See this tutorial on Page Rules.

I'm seeing 52x errors
1. 525
A 525 error means the TLS handshake between Cloudflare and the origin server hosting the domain failed. It only occurs when the domain is set to Full or Full (strict), because only then does Cloudflare try to open a TLS connection to the origin for requests beginning with https://. Typical causes are an origin that is not listening for TLS on port 443, no protocol or cipher suite in common, or an origin that has no certificate configured for the hostname Cloudflare sends in SNI.
Read more about this error here.
2. 526
The HTTP error response code 526 occurs when Cloudflare completes the handshake but cannot validate the certificate on the origin web server, and the domain's SSL option is set to "Full SSL (Strict)": the certificate is expired, does not cover the hostname, or is not signed by a trusted CA (or by Cloudflare Origin CA).
Read more about this error here.
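To separate a 525 from a 526 without waiting on the edge, the following added example (not Cloudflare's code) reproduces the two origin-side checks from your own machine: it connects straight to the origin IP, sends the hostname as SNI the way the edge does, and tries the handshake first the way Full does (any certificate accepted) and then the way Full (strict) does (chain and hostname verified). The hostname, IP, helper names and the throwaway plain-HTTP origin used for the offline demonstration are assumptions of the example.

```python
"""Reproduce Cloudflare's origin TLS checks to tell a 525 from a 526.

Added example, not Cloudflare's code. Reading the two runs:
  Full fails and strict fails  -> the edge would return 525 (handshake)
  Full works but strict fails  -> the edge would return 526 (validation)
  both work                    -> the origin side is fine; look elsewhere
"""
import socket
import ssl
import threading


def classify(exc, strict):
    """Map a connection failure onto the Cloudflare error the edge would return."""
    if isinstance(exc, ssl.SSLCertVerificationError):    # subclass of SSLError, test first
        return "526-like: certificate not trusted for this hostname (only fails in Full strict)"
    if isinstance(exc, ssl.SSLError):
        return "525-like: TLS handshake failed (no TLS on the port, no common protocol/cipher, or no cert for the SNI name)"
    if isinstance(exc, (ConnectionRefusedError, socket.timeout, TimeoutError)):
        return "525-like: nothing answered on the port (origin not listening for TLS, or firewalled)"
    return "connection error: %r" % (exc,)


def origin_check(hostname, origin_ip, strict, port=443, timeout=5.0):
    """Handshake with origin_ip while presenting hostname in SNI.

    strict=False mirrors Full (certificate not validated);
    strict=True mirrors Full (strict) (chain and hostname validated).
    Returns (ok, detail)."""
    ctx = ssl.create_default_context()
    if not strict:
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                der = tls.getpeercert(binary_form=True)   # available even with CERT_NONE
                return True, "%s, origin presented a %d-byte certificate" % (tls.version(), len(der or b""))
    except OSError as exc:                  # ssl.SSLError and socket errors are all OSError
        return False, classify(exc, strict)


def plain_http_origin():
    """Constructed throwaway origin on 127.0.0.1 that answers plain HTTP with no
    TLS at all, a common cause of 525. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)                     # the ClientHello lands here
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                  # usage: script.py <hostname> <origin_ip>
        host, ip = sys.argv[1], sys.argv[2]
        for strict in (False, True):
            print("Full (strict)" if strict else "Full", origin_check(host, ip, strict))
    else:
        port = plain_http_origin()
        print("plain-HTTP origin on port %d ->" % port, origin_check("domain.com", "127.0.0.1", False, port=port))
```

Run it with your hostname and the origin's IP address (not the Cloudflare-proxied address, or you would be testing the edge against itself). If the strict run reports a 526-like failure, the fix is on the origin: a certificate that covers the hostname and chains to a public CA or Cloudflare Origin CA. If even the non-strict run fails, nothing about certificates matters yet; the origin is not completing a TLS handshake on that port.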

What cipher suites does Cloudflare use?

The edge configuration, expressed as nginx ssl_* directives:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519:P-256:P-384:P-224:P-521;
ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';
ssl_prefer_server_ciphers on;

Note that the bracketed group on the ssl_ciphers line is equal-preference cipher group syntax that stock OpenSSL and an unpatched nginx do not accept; if you reuse this list on your own origin, drop the brackets and separate those four suites with colons. The list is also deliberately broad for client compatibility: the RSA+ entries lack forward secrecy and 3DES is weak, so an origin that only ever talks to Cloudflare's edge can restrict itself to TLS 1.2 and later and the ECDHE suites.
Read more about this here.

How do I install the certificate on my server?
The certificate that Cloudflare issues for Universal SSL is installed only at the Cloudflare edge; there is nothing for you to install on your server. If you want the Cloudflare-to-origin leg encrypted as well, you can create a self-signed certificate on your origin and use Full SSL (non-strict). Be aware that this encrypts the origin leg but does not authenticate it, since Cloudflare accepts any certificate in that mode; for authenticated end-to-end encryption, install a Cloudflare Origin CA certificate (or one from a public CA) on the origin and use Full (strict). For more information on Full SSL, read through this FAQ.
