10 votes

I've been really confused between Cloudflare's SSL and using Let's Encrypt to make my website fully HTTPS.

Many sources say to use either one or to use both. However, there is no very decisive way to figure out whether to use both or just use one over the other.

In most cases, people love Cloudflare because it is a free CDN, and it comes with a simple way of setting up SSL.

However it looks like Let's Encrypt is the next big thing and it would be silly not to learn more about it.

Some people say that Cloudflare is enough: http://community.rtcamp.com/t/letsencrypt-with-cloudflare/5659

Some have gone to extreme lengths to set up both: https://medium.com/@benjamincaldwell/better-ssl-tls-certificates-from-lets-encrypt-with-nginx-and-cloudflare-9f01f89940cd#.tlhx6g5in

https://community.letsencrypt.org/t/how-to-get-a-lets-encrypt-certificate-while-using-cloudflare/6338?u=pfg

http://pushincome.com/cloudflare-lets-encrypt-free-ssl-setup-ubuntu-apache/

https://flurdy.com/docs/letsencrypt/nginx.html

I was wondering what the best way is to set up Let's Encrypt properly while still using Cloudflare as a CDN for my content.

Thanks.

5 – Did you ever get a solution for this? @user805981 – Garth

They are both free. 'Next big thing' isn't a serious criterion. Recommendation questions are off-topic here, as are questions about computer infrastructure. – user207421

5 Answers

4 votes

When you use Cloudflare then there are two parts to encrypt:

  1. From the user's browser to Cloudflare
  2. From Cloudflare to your server

This means that you need two certificates for full encryption.

Cloudflare automatically provides you with the first one. This is the one that a user sees if they check the URL padlock.

There are various ways to deal with the Cloudflare > Server encryption. All of these are free.

  1. Select Cloudflare's "Flexible" SSL/TLS encryption mode. This does NOT encrypt the request from Cloudflare to your server, but the browser will show the green padlock and say the site is secure. Kind of obnoxious, if you ask me.

  2. Use Let's Encrypt to install a cert on your server: https://certbot.eff.org/lets-encrypt/ubuntufocal-apache. You can now set Cloudflare's SSL/TLS encryption mode to "Full (strict)". I decided NOT to go with this solution because the basic solution doesn't work with load balancers.

  3. Install Cloudflare's Origin Certificate on your server. You can set its expiry to 15 years, which is nice (at least until 2035, when you have forgotten about this and your site breaks). Here are the Ubuntu directions: Set up Ubuntu Apache2 SSL using .pem and .key from Cloudflare

  4. You can also create and install your own origin certificate, which is apparently quite easy, but I haven't tried.

1 vote

A chain is only as strong as its weakest link.

If you secure one channel but not the other you reduce the attack surface but the setup is still vulnerable. Your website traffic is still flowing in plain text, be it between a browser and Cloudflare servers or Cloudflare servers and your origin server.

It's just a matter of time, effort and luck before someone intentionally or accidentally steals, hijacks, impersonates, sniffs, eavesdrops or man-in-the-middles.

Besides, you have all the tools to do a fully secure setup and they're all free.

  • Cloudflare-issued or LetsEncrypt certificate to secure communication to your website/API.
  • Cloudflare-issued or LetsEncrypt certificate to secure communication to your origin server.

This is a good overview of HTTP vs HTTPS and it lists some of the attacks HTTP is vulnerable to.

0 votes

Using HTTPS on both hops improves your vendor-agnostic score, making it possible to switch to CDN providers that do not have this feature without worry. It is a question of your own decision whether it makes sense to use only Cloudflare to put your infrastructure on HTTPS, for instance if it's a personal project or one without strict security compliance requirements. Regarding security, using HTTPS on both layers is compliant with international security standards; avoid using it on only one layer if you have security needs and the channel between the HTTPS server and the HTTP server is not protected.

0 votes

Cloudflare actually has a Let's Encrypt CA. I have another domain hosted on Cloudflare using Cloudflare's Let's Encrypt wildcard SSL. Plus it auto-renews. To secure your origin server, you can just use Cloudflare's Origin SSL or use a self-signed SSL since nobody can see it; it provides the same security, and it is valid for 15 years plus.

-1 votes

What you can do is go to SSL/TLS < Edge Certificates < Scroll all the way down until you reach the bottom < Click on Disable Universal SSL.

Voilà, you get to use Cloudflare's fast CDN and DNS management and you get to integrate Let's Encrypt with it, ALL FOR FREE.