Fix ERR_TOO_MANY_REDIRECTS Using Let’s Encrypt With Cloudflare

I’ve been moving my domains to Cloudflare, and after initially having problems getting Cloudflare to work with a non-SSL website, it was time to move a website that has SSL using Let’s Encrypt. Should be OK this time I thought… just let Cloudflare’s edge servers handle the SSL. Nope, it broke again!

Read on to find out why, and how to fix it!

Cloudflare SSL is great

I remain really impressed that Cloudflare give you SSL out of the box, so even if you don’t have a free SSL certificate from the likes of Let’s Encrypt, you can just set SSL up via your control panel. You can also use your own custom certificates if you have some.

I use Let’s Encrypt

Like many website owners, I use Let’s Encrypt for SSL. Let’s Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG). Knowing that SSL is enabled by default in Cloudflare, I migrated my domain over and expected that it would continue to “just work”. My understanding was that visitors would hit Cloudflare’s edge server SSL, and then Cloudflare would hit my website’s SSL.

ERR_TOO_MANY_REDIRECTS again

Immediately I started to get the ERR_TOO_MANY_REDIRECTS error, just as when I had tried to set up a non-SSL website on Cloudflare. I had used the default “Flexible” SSL option, which I presumed would be suitable for end-to-end SSL for a website using its own SSL certificate.

Use “Full” encryption mode

Long story short… after a bit of messing around I realised that it is necessary to use “Full” encryption mode or greater if you have your own SSL certificate such as one from Let’s Encrypt:

Full
Enable encryption end-to-end. Use this mode when your origin server supports SSL certification but does not use a valid, publicly trusted certificate.

To be honest I could have probably gone for Full (Strict) or Strict (SSL-Only Origin Pull) encryption modes, but without fully understanding the difference I was happy to have got my website working again!
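The loop comes from how each mode picks the scheme for the edge-to-origin request: Flexible always uses plain HTTP, so an origin that redirects HTTP to HTTPS bounces every request straight back, while Full matches the scheme the visitor used. The Python model below is an added example, not code from the original post or from Cloudflare; the origin that forces HTTPS, the example.test host, the function names and the 20-hop browser limit are assumptions.

```python
"""Toy model: Cloudflare SSL mode vs. an origin that forces HTTPS."""
from urllib.parse import urlsplit

MAX_REDIRECTS = 20  # assumed browser limit before ERR_TOO_MANY_REDIRECTS
HOST = "example.test"  # constructed host name


def origin(scheme, path):
    """Constructed origin: answers over HTTPS, 301s plain HTTP to HTTPS."""
    if scheme == "http":
        return 301, f"https://{HOST}{path}"
    return 200, None


def edge(mode, visitor_scheme, path):
    """Constructed edge: pick the scheme for the edge-to-origin request."""
    if mode == "flexible":
        origin_scheme = "http"          # edge-to-origin is always plain HTTP
    elif mode in ("full", "full_strict"):
        # full_strict also validates the origin certificate (not modelled here)
        origin_scheme = visitor_scheme  # edge matches the visitor's scheme
    else:
        raise ValueError(f"unknown mode: {mode}")
    return origin(origin_scheme, path)


def browse(mode, url):
    """Follow redirects like a browser; return (outcome, redirects followed)."""
    for hops in range(MAX_REDIRECTS + 1):
        parts = urlsplit(url)
        status, location = edge(mode, parts.scheme, parts.path or "/")
        if status == 200:
            return "OK", hops
        url = location                  # follow the 301 and try again
    return "ERR_TOO_MANY_REDIRECTS", MAX_REDIRECTS


if __name__ == "__main__":
    for mode in ("flexible", "full", "full_strict"):
        print(f"{mode:12} {browse(mode, f'https://{HOST}/')}")
```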

Conclusion

Cloudflare’s “Flexible” SSL option that is enabled by default when you set up a website will not work if you use Let’s Encrypt for your website’s SSL. You must use “Full” encryption mode or greater. Let me know if you use Full (Strict) or Strict (SSL-Only Origin Pull) encryption mode!
