Welcome to Centmin Mod Community
Register Now

SSL Letsencrypt Cloudflare SSL what is recommended configuration ZeroSSL Letsencrypt Cloudflare

Discussion in 'Domains, DNS, Email & SSL Certificates' started by adamus007p, Dec 16, 2022.

  1. adamus007p

    adamus007p Member

    366
    18
    18
    Feb 8, 2019
    Ratings:
    +35
    Local Time:
    12:40 AM
    Hello @eva2000 I read at your blog:

    Centmin Mod Managing Letsencrypt DST Root CA X3 Certificate Expiration On CentOS 7 - Centmin Mod Blog

    I use Clodflare and API, what is the best method for now to allow access for older devices?



    Switching To ZeroSSL SSL Certificates from Letsencrypt?
    or/and

    Update #6 – Cloudflare Universal SSL Certificate Switch To Digicert


    What is recommended conviguration right now (end of 2022, 2023) for SSL for users who use Cloudflare?
     
  2. pdinh97qng

    pdinh97qng Member

    121
    15
    18
    Jan 24, 2016
    Ratings:
    +39
    Local Time:
    3:40 PM
    If you are using CloudFlare Free, then older devices wont be able to access your site. Let's encrypt, Zero SSL, or even a paid one won't have any affect on that as the only SSL certificate your customer see is the SSL issued by CloudFlare which only supports browsers and API clients that use the Server Name Indication (SNI). You have to upgrade to higher plan.
     
  3. adamus007p

    adamus007p Member

    366
    18
    18
    Feb 8, 2019
    Ratings:
    +35
    Local Time:
    12:40 AM
    Upgrade to Pro plan will help? Any extra steps?
     
  4. eva2000

    eva2000 Administrator Staff Member

    51,993
    11,976
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,473
    Local Time:
    8:40 AM
    Nginx 1.25.x
    MariaDB 10.x
    Yup need at least Cloudflare Pro plan in the past but now Cloudflare also use Letsencrypt SSL certs in their mix https://developers.cloudflare.com/ssl/reference/certificate-authorities/ so you need Cloudflare Advance Certificate Management which is a $10/month add on https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/ and create your own Advance Certificate using Google Trust CA provider specifically if you want real old device legacy support. FYI, Google Trust CA has a cross-signed CA cert for GTS Root R1 Cross which was created and deployed on devices from 20yrs ago. Cloudflare is deprecating Digicert SSL certificates

    If you want to test your old devices against Cloudflare with Google Trust CA SSL certificates you can try my WordPress blog site which is using such configuration at Centmin Mod Blog -. Edit actually you can't test old devices as I removed weak SSL ciphers from Cloudflare Advanced Certificate Management for my domain - Ssllabs test SSL Server Test: blog.centminmod.com (Powered by Qualys SSL Labs)
     
    Last edited: Dec 16, 2022
  5. adamus007p

    adamus007p Member

    366
    18
    18
    Feb 8, 2019
    Ratings:
    +35
    Local Time:
    12:40 AM
    Interesting is that domain signed by Cloudflare, Inc. sni.cloudflaressl.com I am able to open it on old tablet, but domain without proxy (grey not oragne) signed by Letencrypt - domain is not working on old tablet.

    I need to double check it.


    Do you have idea why on my other domain where I have a lot of subdomains there is not signed by signed by Cloudflare, Inc. sni.cloudflaressl.com and still i see that it is signed by Let's Encrypt ?
    This domain is proxied (orange).
     
  6. eva2000

    eva2000 Administrator Staff Member

    51,993
    11,976
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,473
    Local Time:
    8:40 AM
    Nginx 1.25.x
    MariaDB 10.x
    SSL certificate used is only part of what makes up whether a device can browse a website. The other part is the web server's SSL configuration - SSL cipher choices on Cloudflare edge servers or Centmin Mod Nginx side that legacy devices first interact with. You can use SSLLabs tests to also inspect the server's SSL cipher supported configurations for various devices

    Without proxy means whether or not old device works is determined by origin server - Centmin Mod Nginx's SSL cipher configuration and SSL certificate chain. In which case the blog post at Centmin Mod Managing Letsencrypt DST Root CA X3 Certificate Expiration On CentOS 7 - Centmin Mod Blog is most relevant for Cloudflare unproxied sites. So easiest solution for Cloudflare unproxied sites is to switch to ZeroSSL SSL certificates if you don't use Cloudflare in front How To Switch From Letsencrypt to ZeroSSL Free SSL Certificates On Centmin Mod - Centmin Mod Blog. This article also shows how you can use SSLLabs tests to inspect your domain's SSL certificate chain paths.

    However you may need to accept that some very old legacy devices just don't work. What devices are your users using?
     
    Last edited: Dec 17, 2022
  7. adamus007p

    adamus007p Member

    366
    18
    18
    Feb 8, 2019
    Ratings:
    +35
    Local Time:
    12:40 AM
    When I use floudflare should I also change to ZeroSSL or it doesent matter at all?

    I discovered by it, just I borrow old tablet (2014) and check my webiste, there was an error. connection
    I could not open the website. Then I read your blog.

    I use Cloudflare in front (orange/proxy on).

    It is interesting that other my test blog it is reachable from this tablet - the same server and the same Cloudflare in front.
     
  8. adamus007p

    adamus007p Member

    366
    18
    18
    Feb 8, 2019
    Ratings:
    +35
    Local Time:
    12:40 AM
    I need to correct it.

    Both domain are proxied (orange) but domainA is signed by Cloudflare - I can open it on old tablet
    DomainB (proxied/orage) I can no open on tablet - but it is signed as Letsencrypt.
     
  9. eva2000

    eva2000 Administrator Staff Member

    51,993
    11,976
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,473
    Local Time:
    8:40 AM
    Nginx 1.25.x
    MariaDB 10.x
    That as I said is due to Letsencrypt SSL chain no longer supporting it due to expiry and renewal as outlined at Centmin Mod Managing Letsencrypt DST Root CA X3 Certificate Expiration On CentOS 7 - Centmin Mod Blog and as per https://community.centminmod.com/th...ossl-letsencrypt-cloudflare.23541/#post-95438 for alternatives
     
  10. adamus007p

    adamus007p Member

    366
    18
    18
    Feb 8, 2019
    Ratings:
    +35
    Local Time:
    12:40 AM
    OK I understand but if is it normal that one domain is signed by Cloudflare and other by Letsencrypt?

    Both domains are proxied (orange).

    I am wondering why there is a difference?

    Because signing is randon or why?


    Am right that now when anybody want to use Cloudflare in front (orange) there is no workaround to have a free account and have SSL support for old devices?
     
    Last edited: Dec 17, 2022
  11. eva2000

    eva2000 Administrator Staff Member

    51,993
    11,976
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,473
    Local Time:
    8:40 AM
    Nginx 1.25.x
    MariaDB 10.x
    Cloudflare Free accounts have no work arounds for supporting older devices out of the box. You need to pay for Advanced Certificate Management addon US$10/month to select Google Trust Servcies CA SSL certificates and then maybe alter Cloudflare default SSL cipher preferences to further allow weaker SSL Ciphers supported by old devices. I haven't done that myself only done the opposite, alter Cloudflare default SSL cipher preferences for more modern SSL ciphers and remove weak legacy device supported SSL ciphers (which I have done for centminmod.com domain).
    browsers and devices don't just read the SSL certificate but the entire SSL chain and it's chain in Letsencrypt that has changed after expiry of it's cross signed SSL certs outlined at Centmin Mod Managing Letsencrypt DST Root CA X3 Certificate Expiration On CentOS 7 - Centmin Mod Blog. The new renewed one in it's place is more modern but that means older devices don't have the new modern SSL cert in it's CA trust store. Devices like made 15yrs ago that don't have any updates to CA trust store won't have the new modern SSL cert that renewal replaced from one that expired at Centmin Mod Managing Letsencrypt DST Root CA X3 Certificate Expiration On CentOS 7 - Centmin Mod Blog. The solution for older devices from Centmin Mod Managing Letsencrypt DST Root CA X3 Certificate Expiration On CentOS 7 - Centmin Mod Blog is to switch to a SSL CA provider which still has a chain SSL certificate crossed signed by someone who has an old enough cert that is still trusted in older devices CA trust store. Digicert, ZeroSSL and Google Trust Services CA provided SSL certificates all have such old enough certs in the SSL chain that older devices still trust.

    Then on top of that there's server SSL cipher configuration as outlined at https://community.centminmod.com/th...ossl-letsencrypt-cloudflare.23541/#post-95449. So you can still have issues with old devices even with Digicert, ZeroSSL or Google Trust Services CA even if SSL cert is fine as your web server may have configured SSL ciphers too modern for older devices to support.

    This thread probably gone beyond regular Centmin Mod support that is provided as is. All the answers and solutions are laid out in this thread already ;) So really if you need more help, you probably need to pay to hire someone for this.