SSL Letsencrypt Cloudflare SSL what is recommended configuration ZeroSSL Letsencrypt Cloudflare

Discussion in 'Domains, DNS, Email & SSL Certificates' started by adamus007p, Dec 16, 2022.

  1. adamus007p (Member)
    Hello @eva2000, I read on your blog:

    Centmin Mod Managing Letsencrypt DST Root CA X3 Certificate Expiration On CentOS 7 - Centmin Mod Blog


    I use Cloudflare and the API; what is the best method for now to allow access for older devices?


    Switching To ZeroSSL SSL Certificates from Letsencrypt?
    or/and

    Update #6 – Cloudflare Universal SSL Certificate Switch To Digicert


    What is the recommended configuration right now (end of 2022, 2023) for SSL for users who use Cloudflare?
     
  2. pdinh97qng (Member)
    If you are using Cloudflare Free, then older devices won't be able to access your site. Let's Encrypt, ZeroSSL, or even a paid one won't have any effect on that, as the only SSL certificate your customers see is the one issued by Cloudflare, which only supports browsers and API clients that use Server Name Indication (SNI). You have to upgrade to a higher plan.
     
  3. adamus007p (Member)
    Will upgrading to the Pro plan help? Any extra steps?
     
  4. eva2000 (Administrator, Staff Member)
    Yup, you needed at least the Cloudflare Pro plan in the past, but now Cloudflare also uses Letsencrypt SSL certs in their mix https://developers.cloudflare.com/ssl/reference/certificate-authorities/ so you need Cloudflare Advanced Certificate Management, which is a $10/month add-on https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/ and create your own Advanced Certificate using the Google Trust CA provider specifically if you want real legacy old-device support. FYI, Google Trust CA has a cross-signed CA cert, GTS Root R1 Cross, which was created and deployed on devices from 20 years ago. Cloudflare is deprecating Digicert SSL certificates.

    If you want to test your old devices against Cloudflare with Google Trust CA SSL certificates, you can try my WordPress blog site, which is using such a configuration, at Centmin Mod Blog. Edit: actually you can't test old devices, as I removed weak SSL ciphers from Cloudflare Advanced Certificate Management for my domain - SSLLabs test: SSL Server Test: blog.centminmod.com (Powered by Qualys SSL Labs)
     
    Last edited: Dec 16, 2022
  5. adamus007p (Member)
    Interesting: the domain signed by Cloudflare, Inc. (sni.cloudflaressl.com) I am able to open on the old tablet, but the domain without proxy (grey, not orange) signed by Letsencrypt is not working on the old tablet.

    I need to double check it.


    Do you have an idea why my other domain, where I have a lot of subdomains, is not signed by Cloudflare, Inc. sni.cloudflaressl.com and I still see that it is signed by Let's Encrypt?
    This domain is proxied (orange).
     
  6. eva2000 (Administrator, Staff Member)
    The SSL certificate used is only part of what determines whether a device can browse a website. The other part is the web server's SSL configuration - the SSL cipher choices on the Cloudflare edge servers or on the Centmin Mod Nginx side that legacy devices first interact with. You can also use SSLLabs tests to inspect the server's supported SSL cipher configurations for various devices.

    Without proxy means whether or not an old device works is determined by the origin server - Centmin Mod Nginx's SSL cipher configuration and SSL certificate chain. In which case the blog post at Centmin Mod Managing Letsencrypt DST Root CA X3 Certificate Expiration On CentOS 7 - Centmin Mod Blog is most relevant for Cloudflare unproxied sites. So the easiest solution for Cloudflare unproxied sites is to switch to ZeroSSL SSL certificates if you don't use Cloudflare in front: How To Switch From Letsencrypt to ZeroSSL Free SSL Certificates On Centmin Mod - Centmin Mod Blog. This article also shows how you can use SSLLabs tests to inspect your domain's SSL certificate chain paths.

    However you may need to accept that some very old legacy devices just don't work. What devices are your users using?
     
    Last edited: Dec 17, 2022
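The post above separates two things an old device needs: a certificate chain that ends at a root already in its CA store, and a TLS configuration it can negotiate. The script below is an added example for this thread, not Centmin Mod's or Cloudflare's own tooling, covering the chain half. It dumps the chain an endpoint actually serves with `openssl s_client -showcerts` (the Cloudflare edge by default; the origin Nginx when you pass the origin IP as CONNECT), takes the issuer of the last certificate sent as the root the device must already trust, and looks that CN up in a one-per-line list of trusted roots. The sample `s_client` output, the DNs in it and the "circa-2014 device" root list are constructed for illustration; build the real list from a dump of your device's CA directory with `store_cns`.

```shell
#!/usr/bin/env bash
# Added example for this thread; not Centmin Mod's own tooling.
# Shows which root a client must already trust to validate the chain an
# endpoint serves. Run it against the Cloudflare edge (normal DNS) and,
# with CONNECT set to the origin IP, against the Centmin Mod Nginx origin:
# the two can serve completely different chains.

# fetch_chain HOST [CONNECT]: raw `openssl s_client -showcerts` output.
# CONNECT defaults to HOST; give the origin IP to bypass the Cloudflare proxy.
fetch_chain() {
  local host=$1 connect=${2:-$1}
  openssl s_client -servername "$host" -connect "$connect:443" -showcerts \
    </dev/null 2>/dev/null
}

# chain_anchor: read s_client output on stdin and print the issuer DN of the
# last certificate the server sent. That issuer is the trust anchor the
# device needs in its CA store (PEM blocks in the output are ignored).
chain_anchor() {
  awk '
    /^ *[0-9]+ s:/ { depth = $1 }
    /^ *i:/        { sub(/^ *i:/, ""); issuer[depth] = $0 }
    END            { print issuer[depth] }
  '
}

# dn_cn DN: reduce a DN to its CN; handles "CN = X" and "/CN=X" formats.
dn_cn() {
  printf '%s\n' "$1" | sed -E 's/.*CN ?= ?//'
}

# store_has CN: stdin is one trusted root CN per line; exit 0 if CN is listed.
store_has() {
  grep -qxF -- "$1"
}

# store_cns DIR: build that list from a directory of PEM roots, e.g. a copy
# of an Android device's /system/etc/security/cacerts.
store_cns() {
  local f
  for f in "$1"/*; do
    openssl x509 -in "$f" -noout -subject 2>/dev/null | sed -E 's/.*CN ?= ?//'
  done
}

# verdict LABEL S_CLIENT_OUTPUT STORE_LIST: exit 0 if the chain's anchor is in
# the store, 1 if the device would show a certificate error.
verdict() {
  local cn
  cn=$(dn_cn "$(printf '%s\n' "$2" | chain_anchor)")
  if printf '%s\n' "$3" | store_has "$cn"; then
    echo "$1: anchor '$cn' is in the device store -> chain validates"
  else
    echo "$1: anchor '$cn' is NOT in the device store -> certificate error"
    return 1
  fi
}

# --- Constructed samples: the line shapes are those of real s_client output,
# --- the DNs are illustrative and the PEM bodies are omitted.
SAMPLE_LE_CHAIN=$(cat <<'EOF'
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
EOF
)
SAMPLE_CROSS_CHAIN=$(cat <<'EOF'
Certificate chain
 0 s:CN = www.example.com
   i:C = AT, O = ZeroSSL, CN = ZeroSSL RSA Domain Secure Site CA
 1 s:C = AT, O = ZeroSSL, CN = ZeroSSL RSA Domain Secure Site CA
   i:C = US, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
 2 s:C = US, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = GB, O = Comodo CA Limited, CN = AAA Certificate Services
EOF
)
# Made-up snapshot of a circa-2014 device's root store; dump your own instead.
SAMPLE_OLD_DEVICE_ROOTS=$(cat <<'EOF'
AAA Certificate Services
Baltimore CyberTrust Root
DST Root CA X3
GlobalSign Root CA
EOF
)

if [ "${1:-}" = "--demo" ]; then
  verdict "Let's Encrypt chain" "$SAMPLE_LE_CHAIN" "$SAMPLE_OLD_DEVICE_ROOTS" || true
  verdict "Cross-signed chain" "$SAMPLE_CROSS_CHAIN" "$SAMPLE_OLD_DEVICE_ROOTS" || true
  # Live check (network required), e.g.:
  #   verdict "edge" "$(fetch_chain blog.example.com)" "$(store_cns ./cacerts)"
fi
```

Run it as `bash chaincheck.sh --demo` for the offline samples, or `fetch_chain yourdomain.com | chain_anchor` to see which root the Cloudflare edge currently hands out for your zone, then repeat with the origin IP to compare against what Nginx serves. A chain that ends at a root absent from the device's store fails regardless of which CA issued the leaf.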
  7. adamus007p (Member)
    When I use Cloudflare, should I also change to ZeroSSL or does it not matter at all?

    I just discovered it: I borrowed an old tablet (2014) and checked my website, and there was a connection error.
    I could not open the website. Then I read your blog.

    I use Cloudflare in front (orange/proxy on).

    It is interesting that my other test blog is reachable from this tablet - the same server and the same Cloudflare in front.
     
  8. adamus007p (Member)
    I need to correct it.

    Both domains are proxied (orange), but domainA is signed by Cloudflare - I can open it on the old tablet.
    DomainB (proxied/orange) I cannot open on the tablet - but it is signed by Letsencrypt.
     
  9. eva2000 (Administrator, Staff Member)
    That, as I said, is due to the Letsencrypt SSL chain no longer supporting it due to expiry and renewal, as outlined at Centmin Mod Managing Letsencrypt DST Root CA X3 Certificate Expiration On CentOS 7 - Centmin Mod Blog and as per https://community.centminmod.com/th...ossl-letsencrypt-cloudflare.23541/#post-95438 for alternatives.
     
  10. adamus007p (Member)
    OK, I understand, but is it normal that one domain is signed by Cloudflare and the other by Letsencrypt?

    Both domains are proxied (orange).

    I am wondering why there is a difference?

    Because signing is random, or why?


    Am I right that now, when anybody wants to use Cloudflare in front (orange), there is no workaround to have a free account and have SSL support for old devices?
     
    Last edited: Dec 17, 2022
  11. eva2000 (Administrator, Staff Member)
    Cloudflare Free accounts have no workarounds for supporting older devices out of the box. You need to pay for the Advanced Certificate Management add-on (US$10/month) to select Google Trust Services CA SSL certificates, and then maybe alter the Cloudflare default SSL cipher preferences to further allow weaker SSL ciphers supported by old devices. I haven't done that myself, only the opposite: altered the Cloudflare default SSL cipher preferences for more modern SSL ciphers and removed the weak, legacy-device-supported SSL ciphers (which I have done for the centminmod.com domain).
    Browsers and devices don't just read the SSL certificate but the entire SSL chain, and it's the chain in Letsencrypt that has changed after the expiry of its cross-signed SSL certs, outlined at Centmin Mod Managing Letsencrypt DST Root CA X3 Certificate Expiration On CentOS 7 - Centmin Mod Blog. The new renewed one in its place is more modern, but that means older devices don't have the new modern SSL cert in their CA trust store. Devices made, say, 15 years ago that haven't had any updates to their CA trust store won't have the new modern SSL cert that the renewal put in place of the one that expired, as described at Centmin Mod Managing Letsencrypt DST Root CA X3 Certificate Expiration On CentOS 7 - Centmin Mod Blog. The solution for older devices from that post is to switch to an SSL CA provider which still has a chain SSL certificate cross-signed by someone who has an old enough cert that is still trusted in older devices' CA trust stores. Digicert, ZeroSSL and Google Trust Services CA provided SSL certificates all have such old enough certs in the SSL chain that older devices still trust.

    Then on top of that there's the server SSL cipher configuration, as outlined at https://community.centminmod.com/th...ossl-letsencrypt-cloudflare.23541/#post-95449. So you can still have issues with old devices even with Digicert, ZeroSSL or Google Trust Services CA, even if the SSL cert is fine, as your web server may have configured SSL ciphers too modern for older devices to support.

    This thread has probably gone beyond the regular Centmin Mod support, which is provided as is. All the answers and solutions are laid out in this thread already ;) So really, if you need more help, you probably need to pay to hire someone for this.
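The second half of the problem described in posts 6 and 11 is the handshake itself: a device can trust the chain and still fail if the Cloudflare edge or the origin Nginx only accepts protocol versions and ciphers it does not know. The script below is an added example for this thread, not Centmin Mod's or Cloudflare's own tooling. It attempts one `openssl s_client` handshake per TLS version against a host (through Cloudflare, or directly against the origin IP) and parses the negotiated protocol and cipher from the `SSL-Session` block; `probe_cipher` checks a single suite. The two sample outputs are constructed to match the shape of real `s_client` output so the parser can be checked offline; the host names in the comments are placeholders.

```shell
#!/usr/bin/env bash
# Added example for this thread; not Centmin Mod's or Cloudflare's tooling.
# A trusted chain is not enough: the old device must also complete a TLS
# handshake with whatever the Cloudflare edge or the origin Nginx accepts.
# These helpers try one handshake per protocol version and report the result.

# negotiated: read `openssl s_client` output on stdin, print "PROTOCOL CIPHER"
# from its SSL-Session block. A failed handshake leaves "0000" or "(NONE)".
negotiated() {
  awk '
    /^ *Protocol *:/ { proto = $3 }
    /^ *Cipher *:/   { cipher = $3 }
    END              { print proto, cipher }
  '
}

# handshake_ok "PROTOCOL CIPHER": exit 0 only when a real cipher was agreed.
handshake_ok() {
  case "$1" in
    "" | *" " | *" 0000" | *" (NONE)") return 1 ;;
    *) return 0 ;;
  esac
}

# probe_protocols HOST CONNECT [extra s_client args...]
# CONNECT is HOST to test through Cloudflare, or the origin IP to test the
# Centmin Mod Nginx config directly. Modern OpenSSL builds refuse to *offer*
# TLS 1.0/1.1 at their default security level, so to emulate an old client
# add: -cipher 'DEFAULT:@SECLEVEL=0'
probe_protocols() {
  local host=$1 connect=$2 flag out result
  shift 2
  for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    out=$(openssl s_client -servername "$host" -connect "$connect:443" \
            "$flag" "$@" </dev/null 2>/dev/null) || true
    result=$(printf '%s\n' "$out" | negotiated)
    if handshake_ok "$result"; then
      printf '%-8s accepted: %s\n' "$flag" "$result"
    else
      printf '%-8s rejected\n' "$flag"
    fi
  done
}

# probe_cipher HOST CONNECT CIPHER: does the server accept one specific suite
# (e.g. ECDHE-RSA-AES128-SHA, a CBC/SHA1 suite 2014-era devices rely on)?
probe_cipher() {
  local out
  out=$(openssl s_client -servername "$1" -connect "$2:443" -tls1_2 \
          -cipher "$3:@SECLEVEL=0" </dev/null 2>/dev/null) || true
  handshake_ok "$(printf '%s\n' "$out" | negotiated)"
}

# Constructed samples of the relevant s_client lines, for offline checking.
SAMPLE_TLS12_OK=$(cat <<'EOF'
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
EOF
)
SAMPLE_TLS1_REJECTED=$(cat <<'EOF'
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
EOF
)

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_TLS12_OK" | negotiated
  handshake_ok "$(printf '%s\n' "$SAMPLE_TLS1_REJECTED" | negotiated)" \
    || echo "TLSv1 handshake failed"
  # Live (network required), e.g.:
  #   probe_protocols blog.example.com blog.example.com -cipher 'DEFAULT:@SECLEVEL=0'
  #   probe_cipher blog.example.com 203.0.113.10 ECDHE-RSA-AES128-SHA
fi
```

Run `probe_protocols` twice, once with CONNECT set to the hostname (Cloudflare edge) and once with the origin IP (Nginx), to see which side is rejecting the old client. A `-tls1` or `-tls1_1` row that is rejected even with `-cipher 'DEFAULT:@SECLEVEL=0'` means the server, not your test machine, refuses that version; that is what a 2014 tablet that cannot do TLS 1.2 will hit no matter which CA issued the certificate.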