Let’s Encrypt and Cloudflare both provide free SSL, but they work fundamentally differently. Let’s Encrypt gives you a certificate you own and control. Cloudflare manages SSL as part of their CDN proxy — your visitors connect to Cloudflare, not directly to your server.
Quick comparison
| | Let’s Encrypt | Cloudflare SSL |
|---|---|---|
| What you get | Certificate files to install anywhere | SSL managed by Cloudflare’s proxy |
| Certificate ownership | You own it | Cloudflare owns it |
| Private key location | Your server (or browser with GetHTTPS) | Cloudflare’s edge servers |
| Works without Cloudflare | ✅ | ❌ |
| Visitor connection terminates at | Your server | Cloudflare’s edge |
| Cloudflare can read traffic | No | ⚠️ Yes (by design) |
| Certificate validity | 90 days (you manage) | Auto-managed |
| Wildcard | ✅ (DNS-01) | ✅ |
| Non-web services (email, APIs) | ✅ | ❌ (HTTP/HTTPS proxy only) |
| Origin-to-edge encryption | N/A (visitors connect directly) | Only if you configure “Full (Strict)” |
| Setup complexity | Medium (ACME client needed) | Low (DNS change) |
| Vendor lock-in | None | Leaving = losing SSL |
How they differ
Let’s Encrypt: you own the certificate
```
Visitor ←──HTTPS──→ Your Server
                    (your certificate, your private key)
```
Your server terminates the TLS connection. You control the private key, the certificate, and the entire chain. The certificate works anywhere — Nginx, Apache, Node.js, email servers, load balancers, IoT devices.
Cloudflare: proxy model
```
Visitor ←──HTTPS──→ Cloudflare Edge ←──???──→ Your Server
                    (Cloudflare's cert)      (may be HTTP)
```
Cloudflare sits between visitors and your server. Visitors’ encrypted connections terminate at Cloudflare’s edge. Cloudflare then makes a separate connection to your origin server — which may or may not be encrypted, depending on your settings.
- “Full (Strict)” mode — Cloudflare connects to your origin over HTTPS and verifies that the origin presents a valid, trusted certificate for the hostname (recommended)
- “Full” mode — Cloudflare connects to your origin over HTTPS but does not verify the certificate, so an expired or self-signed certificate is accepted, including one presented by anyone sitting between Cloudflare and your origin
- “Flexible” mode — ⚠️ Cloudflare connects to your origin over plaintext HTTP, even though the visitor sees HTTPS
In “Flexible” mode, the connection between Cloudflare and your server is unencrypted — anyone on that network path can read the traffic.
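The origin server can tell most of these cases apart from the connection it accepts and the headers Cloudflare adds. The following is an added example, not code from this page or from Cloudflare. It assumes the origin can see whether its own accepted connection was TLS, the peer IP of that connection, and the request headers, including Cloudflare's `CF-Visitor` header, whose value is JSON such as `{"scheme":"https"}` describing the scheme the visitor used to reach the edge. The IP ranges are a snapshot of Cloudflare's published list and must be refreshed before use.

```python
"""Origin-side classification of the Cloudflare SSL modes.

Added example (not from the page's author or from Cloudflare). Assumes the
origin sees its own accepted connection (TLS or plaintext), the peer IP, and
the CF-Visitor header that Cloudflare adds on proxied requests.
"""
import ipaddress
import json
from typing import Dict, Optional, Tuple

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Assumption: current only as of writing; refresh from the published list before use.
CLOUDFLARE_IPV4 = [
    ipaddress.ip_network(n) for n in (
        "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
        "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
        "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
        "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    )
]


def is_cloudflare_ip(addr: str) -> bool:
    """True if the connecting peer is inside one of Cloudflare's edge ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_IPV4)


def visitor_scheme(headers: Dict[str, str]) -> Optional[str]:
    """Scheme the visitor used to reach the edge, parsed from CF-Visitor, or None."""
    raw = headers.get("cf-visitor")  # header names assumed lower-cased by the server
    if raw is None:
        return None
    try:
        scheme = json.loads(raw).get("scheme")
    except (ValueError, AttributeError):  # not JSON, or JSON that is not an object
        return None
    return scheme if scheme in ("http", "https") else None


def classify_request(remote_ip: str, origin_is_tls: bool, headers: Dict[str, str]) -> str:
    """Label the path a request took, as far as the origin can tell.

    direct-tls          not via Cloudflare; TLS terminated here (the Let's Encrypt model)
    direct-plain        not via Cloudflare; plaintext; any CF-Visitor header is untrusted
    proxied-encrypted   via Cloudflare over TLS: Full or Full (Strict). The origin cannot
                        distinguish those two; only the edge decides whether to verify.
    flexible-downgrade  via Cloudflare, visitor used HTTPS, but the edge-to-origin hop
                        arrived in plaintext: the zone is in Flexible mode.
    proxied-plain       via Cloudflare, visitor used plain HTTP, edge forwarded plain HTTP
    proxied-unknown     via Cloudflare, plaintext, no usable CF-Visitor header
    """
    if not is_cloudflare_ip(remote_ip):
        return "direct-tls" if origin_is_tls else "direct-plain"
    if origin_is_tls:
        return "proxied-encrypted"
    scheme = visitor_scheme(headers)
    if scheme == "https":
        return "flexible-downgrade"
    if scheme == "http":
        return "proxied-plain"
    return "proxied-unknown"


def origin_policy(remote_ip: str, origin_is_tls: bool, headers: Dict[str, str]) -> Tuple[int, str]:
    """Decide how the origin should respond: (HTTP status, reason)."""
    kind = classify_request(remote_ip, origin_is_tls, headers)
    if kind == "flexible-downgrade":
        # Fail closed. Redirecting to https:// does not help: Cloudflare would
        # reconnect over plain HTTP again and the visitor would loop on redirects.
        return 403, "edge-to-origin hop is plaintext; set the zone to Full (Strict)"
    if kind in ("proxied-plain", "proxied-unknown", "direct-plain"):
        return 301, "redirect to https://"
    return 200, kind


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("104.16.1.1", False, {"cf-visitor": '{"scheme":"https"}'}),  # Flexible mode
        ("104.16.1.1", True, {"cf-visitor": '{"scheme":"https"}'}),   # Full / Full (Strict)
        ("203.0.113.10", True, {}),                                    # direct, no proxy
    ]
    for ip, tls, hdrs in samples:
        print(ip, "tls" if tls else "plain", "->",
              classify_request(ip, tls, hdrs), origin_policy(ip, tls, hdrs))
```

The reason the check refuses rather than redirects is the classic Flexible-mode symptom: an origin that bounces HTTP to HTTPS behind a Flexible zone produces an endless redirect loop, because the edge always arrives over plain HTTP. Note also that "proxied-encrypted" covers both Full and Full (Strict); the origin never learns whether the edge validated its certificate, so that setting has to be checked in the Cloudflare dashboard, not from the server.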
When to use Let’s Encrypt
- You want end-to-end encryption that you control
- Non-web services — email servers (SMTP/IMAP), APIs not behind a CDN, database connections
- Privacy-sensitive — you don’t want a third party seeing your traffic in plaintext
- Multi-CDN or no CDN — certificate works regardless of CDN provider
- No vendor lock-in — switch hosting, CDN, or architecture without losing SSL
When to use Cloudflare
- You already use Cloudflare for CDN, DDoS protection, or DNS
- You want zero certificate management — Cloudflare handles everything
- You’re on shared hosting that can’t install certificates
- DDoS protection is the priority — Cloudflare’s proxy absorbs attacks
The best of both worlds
Many production setups use both:
- Cloudflare as CDN/proxy (visitors connect to Cloudflare)
- Let’s Encrypt on the origin server (Cloudflare connects to your server with a real certificate)
- Set Cloudflare to “Full (Strict)” mode
This gives you Cloudflare’s CDN benefits plus verified end-to-end encryption. Use GetHTTPS to get the origin certificate.
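An origin-side Nginx configuration for this combined setup, as an added example (not from the page, and not Cloudflare's documentation). It assumes the domain `example.com`, certbot's default certificate paths, and shows only two illustrative Cloudflare ranges; the full current list must be loaded from https://www.cloudflare.com/ips/ before deploying.

```nginx
# Origin Nginx config: Let's Encrypt certificate on the origin, Cloudflare
# proxying in "Full (Strict)" mode in front of it.
# Added example, not taken from the page. Assumptions: domain example.com,
# certbot's default paths, two illustrative Cloudflare ranges.

# $remote_addr is the Cloudflare edge node; the visitor IP is in CF-Connecting-IP.
log_format cf_origin '$remote_addr via=$http_cf_connecting_ip "$request" $status';

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    # Browser-trusted Let's Encrypt certificate. This is what the edge
    # validates in Full (Strict): trusted chain, hostname match, not expired.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Full (Strict) secures the edge-to-origin hop but does nothing about a
    # client that discovers the origin IP and connects to it directly.
    # Accept only connections from Cloudflare's published ranges.
    allow 173.245.48.0/20;   # illustrative; replace with the full published list
    allow 103.21.244.0/22;
    deny  all;

    access_log /var/log/nginx/origin.log cf_origin;

    location / {
        root /var/www/example.com;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    allow 173.245.48.0/20;
    allow 103.21.244.0/22;
    deny  all;

    # HTTP-01 renewals arrive through the proxy, so keep the challenge path
    # reachable; everything else goes to HTTPS. DNS-01 avoids this entirely.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
```

If you later add `set_real_ip_from` / `real_ip_header CF-Connecting-IP` so that `$remote_addr` becomes the visitor's address, the `allow`/`deny` list above starts evaluating the visitor IP instead of the edge IP and silently stops restricting access; key the allow-list on `$realip_remote_addr` in that case.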
Migration scenarios
Moving from Cloudflare to direct HTTPS
If you want to stop using Cloudflare’s proxy:
- Get a Let’s Encrypt certificate for your domain
- Install it on your server (Nginx, Apache)
- In Cloudflare DNS, change your A/AAAA records from “Proxied” (orange cloud) to “DNS only” (gray cloud)
- Traffic now goes directly to your server with your own certificate. If the origin firewall only accepted Cloudflare’s IP ranges, open it first, and remember that anything that depended on the proxy (an Origin CA certificate, the edge’s caching, WAF and DDoS filtering) stops applying the moment the record is gray-clouded.
Moving from direct HTTPS to Cloudflare
If you’re adding Cloudflare to an existing HTTPS site:
- Add your domain to Cloudflare
- Update your nameservers
- Cloudflare automatically provisions Universal SSL
- Set SSL mode to “Full (Strict)” (you already have a valid origin cert)
Keep your existing Let’s Encrypt certificate — it serves as the origin certificate for Full (Strict) mode.
Frequently asked questions
Does Cloudflare provide a “real” SSL certificate?
Cloudflare issues a real, browser-trusted certificate for your domain — but it lives on Cloudflare’s infrastructure, not yours. You can’t download it or use it elsewhere. If you stop using Cloudflare, the certificate goes away. For a portable certificate you own, use Let’s Encrypt.
Is Cloudflare SSL free?
Yes, on the free plan. Cloudflare calls it “Universal SSL” and it covers your domain and subdomains automatically. However, you’re not paying for the certificate — you’re accepting the proxy model and Cloudflare seeing all traffic.
Can I use both at the same time?
Yes — and you should if you use Cloudflare. Install a Let’s Encrypt certificate on your origin server and set Cloudflare to “Full (Strict)” mode. This ensures the origin-to-edge connection is also encrypted and that Cloudflare verifies the certificate it is shown.
Does Cloudflare read my traffic?
By design, yes. Cloudflare terminates TLS at their edge — traffic is decrypted there for caching, WAF inspection, and DDoS filtering, then re-encrypted to your origin in “Full” or “Full (Strict)” mode (or forwarded in plaintext in “Flexible” mode). This is how any reverse proxy works. If this is unacceptable for your use case (legal, compliance, privacy requirements), use direct HTTPS with Let’s Encrypt.
What about Cloudflare’s “Origin Certificates”?
Cloudflare offers Origin CA certificates — free certificates trusted by Cloudflare’s edge but not by browsers. They’re valid for up to 15 years and eliminate renewal hassle for the origin connection, and because the edge trusts them they satisfy “Full (Strict)”. But they only work while you stay on Cloudflare: a browser that reaches the origin directly will reject them.