In Cloudflare's cryptography settings I have set SSL to Full (Strict), and the Universal SSL Status is on Active Certificate, as you can see:
But the thing is, I am also using a certificate on my server from letsencrypt/certbot, which also works if I deactivate Cloudflare, so I wonder if there is now some kind of double encryption?
nginx(ssl) --> cloudflare(ssl) --> enduser
There is no double encryption in the form of two encryptions inside each other. Instead there is one encryption between browser and Cloudflare and another one between Cloudflare and nginx. Both Cloudflare and nginx have access to the plain (unencrypted) data. The browser will only see and validate the certificate from Cloudflare while Cloudflare will see and validate the certificate from LetsEncrypt (served from nginx).
I'm using Let's Encrypt Certbot to generate an SSL certificate, by the way. If you notice my URL already has https, I only generated it manually and that's not secured. I just want to know if my URL is acceptable to have an SSL certificate.
You can get an SSL certificate for any website. You just have to verify ownership of your domain and, once the certificate has been issued to you, upload it to your website host.
I am using the free version of Cloudflare. I created a wildcard SSL certificate for a one-level subdomain using 'Origin Certificates', uploaded it to an Azure web app and configured the wildcard subdomain on Cloudflare without having the traffic go through Cloudflare. It gives me the error below.
Error:
http://prntscr.com/ormgne
NET::ERR_CERT_AUTHORITY_INVALID
Subject: CloudFlare Origin Certificate
Issuer: CloudFlare, Inc.
Cloudflare Settings:
http://prntscr.com/ormgye
Azure webApp settings:
http://prntscr.com/ormhop
My application is multitenant and creates subdomains dynamically.
Screenshots provided above.
Expected Result: The SSL should be enabled on wildcard subdomain.
It should be like that, because the Origin Certificates you created from Cloudflare are only valid for encryption between Cloudflare and your origin server.
They are only used to protect the traffic between your server and Cloudflare.
However, Cloudflare is not a trusted CA issuer; if you access your website directly (without Cloudflare), your browser will not trust the certificate. You can consider the certificate a self-signed certificate.
To solve this:
You can purchase an SSL certificate from a trusted issuer, for example DigiCert, GoDaddy or Let's Encrypt (free).
Or, you can turn on the protection to make the traffic go through Cloudflare.
To begin, let's say I have this configuration:
mywebsite.com is on machine 0.0.0.1 (with SSL certificate)
cloud.mywebsite.com is on machine 0.0.0.2 (without SSL certificate)
Can I ask for a new SSL certificate for "cloud.mywebsite.com", or will this create issues because of the domain/subdomain?
Thanks for the response.
Instead of asking for a new SSL certificate, you only need to get a Wildcard SSL certificate that will secure your main domain as well as all its sub-domains. For example:
If you get a Wildcard SSL certificate for *.mywebsite.com then it will secure
https://cloud.mywebsite.com
https://mail.mywebsite.com
https://photos.mywebsite.com
https://anything.mywebsite.com
So, you will not have to manage multiple SSL certificates for your main domain and its sub-domains. A Wildcard SSL certificate reduces the hassle for server administrators of managing multiple SSL certificates. I suggest you read this article, which will give you a clear understanding of Wildcard SSL certificates.
So I want to set up a payment server with Hibiscus (https://www.willuhn.de/products/hibiscus-server/) and make the connection encrypted with a trusted certificate.
Hibiscus is basically a Java servlet which creates its own self-signed SSL certificate, which according to the author cannot be replaced with another SSL certificate because the private key is used to encrypt other things.
So my idea is: set up nginx with a proxy from port 443 to Hibiscus's port 8080, tell nginx to trust the certificate of Hibiscus and encrypt nginx's 443 with a Let's Encrypt cert.
nginx would need to unpack the secure content from Hibiscus and then repack it as its own content, right?
Does anyone know if this is possible and how?
All help is much appreciated.
It's not secure. A self-signed certificate is not trusted by any of the browsers, since the certificate is not signed by any trusted CA, which means users may suffer from a man-in-the-middle attack. Consider what will happen if I also make a payment server and publish my self-signed certificate: the user agent cannot distinguish which one is real at all.
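The proxy setup the question describes, as an added example that is not from the poster or from the Hibiscus project: nginx terminates TLS with the Let's Encrypt certificate and opens its own TLS connection to Hibiscus, verifying Hibiscus's self-signed certificate against a pinned copy so the browser never has to trust it. The hostname, file paths and the name in the Hibiscus certificate are assumptions.

```nginx
# Browser --TLS (Let's Encrypt)--> nginx:443 --TLS (Hibiscus self-signed)--> 127.0.0.1:8080
# nginx decrypts the client connection and re-encrypts it towards Hibiscus,
# so only the publicly trusted certificate is ever shown to the browser.
server {
    listen 443 ssl http2;
    server_name banking.example.com;             # assumption: your hostname

    # Publicly trusted certificate as written by certbot (default paths)
    ssl_certificate     /etc/letsencrypt/live/banking.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/banking.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Talk TLS to Hibiscus instead of plain HTTP; its own certificate stays in place
        proxy_pass https://127.0.0.1:8080;

        # Pin the Hibiscus self-signed certificate: export it once from the
        # running server as PEM and store it at this (assumed) path. With
        # verification on, nginx refuses to forward if the upstream presents
        # anything other than this exact certificate.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/hibiscus-selfsigned.pem;
        proxy_ssl_verify_depth        1;
        proxy_ssl_server_name         on;
        proxy_ssl_name                localhost;  # assumption: CN/SAN in the Hibiscus cert
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

Hibiscus should additionally listen only on 127.0.0.1 (or be firewalled) so that clients cannot reach port 8080 directly and bypass the proxy.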
I am trying to activate HTTPS for my domain name. Chrome recognizes the SSL certificate when I go to https://www.example.com, but I get an error saying that my SSL certificate is not trusted. What do I need to do to get my SSL certificate to be trusted?
Instead of using a self-signed certificate, get one from a certificate provider. I'd recommend looking at LetsEncrypt, because they have good automated support for renewing certificates automatically.