When you use Cloudflare as a CDN/proxy, your visitors connect to Cloudflare’s edge servers. But what about the connection between Cloudflare and your origin server? Without a certificate on your origin, that connection may be unencrypted — defeating the purpose of HTTPS.
Cloudflare SSL modes explained
| Mode | Visitor → Cloudflare | Cloudflare → Origin | Security |
|---|---|---|---|
| Off | HTTP | HTTP | ❌ No encryption |
| Flexible | HTTPS ✅ | HTTP ❌ | ⚠️ False sense of security |
| Full | HTTPS ✅ | HTTPS (unverified) | ⚠️ Encrypted but no cert validation |
| Full (Strict) | HTTPS ✅ | HTTPS (verified) ✅ | ✅ Recommended |
“Flexible” is dangerous. Your visitors see a padlock, but the Cloudflare→origin connection is plain HTTP. Anyone on that network path can read the traffic. Always use Full (Strict).
Setting up Full (Strict) with a Let’s Encrypt certificate
The best approach: install a real, publicly-trusted certificate on your origin and enable Full (Strict).
Step 1: Get a Let’s Encrypt certificate
Use GetHTTPS to get a free certificate for your domain. You need to temporarily disable Cloudflare proxy (gray cloud in DNS settings) for the HTTP-01 challenge to reach your origin, or use DNS-01 which works regardless.
DNS-01 method (no proxy change needed):
- In GetHTTPS, choose DNS-01 challenge
- Add the `_acme-challenge` TXT record in Cloudflare DNS
- Verify and download the certificate
HTTP-01 method:
- In Cloudflare DNS, click the orange cloud → gray cloud (DNS only) for your domain
- Complete the HTTP-01 challenge in GetHTTPS
- After getting the certificate, re-enable the orange cloud (proxied)
Step 2: Install on your origin server
Install the certificate on Nginx or Apache as normal.
Step 3: Enable Full (Strict) in Cloudflare
- Go to Cloudflare dashboard → your domain
- SSL/TLS → Overview
- Select Full (Strict)
Cloudflare will now verify that your origin has a valid, trusted certificate before connecting.
Alternative: Cloudflare Origin CA certificate
Cloudflare offers its own Origin CA certificates — free certificates that are trusted only by Cloudflare, not by browsers directly.
How to get one
- Cloudflare dashboard → SSL/TLS → Origin Server
- Click Create Certificate
- Choose key type (RSA or ECDSA) and validity (up to 15 years)
- Download the certificate and private key
- Install on your origin server
Pros and cons vs Let’s Encrypt
| | Cloudflare Origin CA | Let’s Encrypt (via GetHTTPS) |
|---|---|---|
| Trusted by | Cloudflare only | All browsers (publicly trusted) |
| Validity | Up to 15 years | 90 days |
| Auto-renewal needed | No (long validity) | Yes (every 60-90 days) |
| Works without Cloudflare | ❌ | ✅ |
| Direct browser access | ❌ (shows error) | ✅ |
| Cost | Free | Free |
Use Cloudflare Origin CA if your origin is always behind Cloudflare and you want zero renewal management.
Use Let’s Encrypt if you might bypass Cloudflare (maintenance, migration), need direct access to your origin, or want a certificate that works everywhere.
Verifying Full (Strict) is working
After setup, test that the connection is fully encrypted:
- Cloudflare dashboard → SSL/TLS → Overview should show “Full (Strict)”
- Visit your site → padlock should show Cloudflare’s certificate to visitors
- Check origin directly (bypassing Cloudflare):

```shell
curl -I --resolve yourdomain.com:443:YOUR_ORIGIN_IP https://yourdomain.com
```

This should return a valid HTTPS response with your Let’s Encrypt certificate. (With an Origin CA certificate, curl reports a verification error instead, because that certificate is trusted only by Cloudflare, as the comparison table above notes.)
Frequently asked questions
Why not just use Flexible mode?
Flexible mode encrypts the visitor→Cloudflare connection but sends traffic from Cloudflare to your origin in plain HTTP. This means:
- Your ISP, hosting provider, or anyone on the network between Cloudflare’s edge and your server can read all traffic
- Your visitors see a padlock and think they’re secure, but the backend connection is not
- This is especially dangerous for login pages, payment forms, or any sensitive data
Does my origin certificate need to match my domain exactly?
For Full (Strict) mode, yes — the origin certificate must be valid for the domain Cloudflare is connecting to. A Let’s Encrypt certificate for example.com will work. A self-signed certificate or a certificate for a different domain will not.
Can I use a wildcard origin certificate?
Yes. A wildcard certificate for *.example.com on your origin works with Full (Strict) for any subdomain proxied through Cloudflare.
What happens if my origin certificate expires?
Cloudflare’s Full (Strict) mode checks certificate validity. If your origin cert expires, Cloudflare can’t establish a secure connection and your site shows a 526 error (Invalid SSL Certificate). Set up expiry monitoring to prevent this.
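As an added example (not part of this guide or of GetHTTPS), the following Python script performs the direct-to-origin check from the verification section above and the expiry monitoring recommended here: it connects to the origin IP with SNI set to your hostname, exactly as `curl --resolve` does, then reports whether the certificate's names and expiry would satisfy Full (Strict). The hostname `yourdomain.com`, the placeholder `YOUR_ORIGIN_IP`, the 14-day warning threshold and the status labels are assumptions for illustration.

```python
import socket
import ssl
import sys
import time

def san_matches(san_entries, hostname):
    """True if hostname is covered by a DNS SAN entry (exact, or a single-label wildcard)."""
    host = hostname.lower().rstrip(".")
    for kind, value in san_entries:
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]                      # "*.example.com" -> ".example.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:           # wildcard covers exactly one label
                return True
    return False

def assess_cert(cert, hostname, now=None, warn_days=14):
    """Classify a getpeercert()-style dict the way Full (Strict) would: name match and expiry."""
    now = time.time() if now is None else now
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    if not san_matches(cert.get("subjectAltName", ()), hostname):
        return "NAME_MISMATCH", days_left       # Cloudflare would answer 526
    if days_left < 0:
        return "EXPIRED", days_left             # Cloudflare would answer 526
    if days_left < warn_days:                   # assumed threshold: renew before it becomes a 526
        return "EXPIRING_SOON", days_left
    return "OK", days_left

def fetch_origin_cert(hostname, origin_ip, port=443, timeout=5):
    """TLS-connect straight to the origin IP with SNI=hostname, like curl --resolve."""
    ctx = ssl.create_default_context()          # chain is verified against system roots
    # A Cloudflare Origin CA certificate will fail against system roots; for that case
    # load Cloudflare's Origin CA root with ctx.load_verify_locations(cafile=...) instead.
    with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    host, ip = sys.argv[1], sys.argv[2]          # e.g. yourdomain.com YOUR_ORIGIN_IP
    try:
        status, days = assess_cert(fetch_origin_cert(host, ip), host)
        print(f"{host} via {ip}: {status}, {days} days until expiry")
    except ssl.SSLCertVerificationError as exc:
        print(f"{host} via {ip}: chain/hostname verification failed ({exc}); expect a 526")
```

Run it from cron against each proxied hostname and alert on anything other than `OK`; a `NAME_MISMATCH`, `EXPIRED` or verification failure is what visitors would see as a 526.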