I need SSL at CloudWays AND CloudFlare?


(Mike C) #1

If I’m using CloudFlare, then for SSL, do I need to have SSL enabled at both CloudFlare and CloudWays?


(Mustaasam Saleem) #2

Hi @MikeC

You need to set SSL flexible first from CloudFlare and then install SSL from Cloudways.


(Mike C) #3

Mine is set to full strict, so I should change it to flexible?

The part I don’t understand is why I need SSL at both CloudFlare and at Cloudways. Can you explain?


(Freddie) #4

Basically, CloudFlare creates a complete copy of your website and stores it to their servers. You can setup rules in CloudFlare to not cache certain pages such as the Cart, Checkout, Etc.

In short, it’s basically two servers and each one uses there own SSL Certificates.
CW - Let’s Encrypt
CF - Universal SSL

Honestly, it’s hard to find detailed documentation on this subject. I’m not an expert, so try this at YOUR OWN RISK.

BACKUP YOUR SERVER AND WORDPRESS BEFORE YOU DO ANYTHING OR USE A NEW SERVER

This is mainly for SSL on CloudFlare. Getting the right CloudFlare configuration requires testing and tweaking each setting manually.

Here’s a link to a useful CW and CF CDN integration. https://community.cloudflare.com/t/how-do-i-migrate-a-cloudflare-enabled-site-to-cloudways/8562/3

  • If you are using Woocommerce you need to manually check if the Cart, Checkout, and User Account pages are working correctly.

1. In the CloudFlare DNS section add two A Records, one for WWW and the other for yourdomain.com. Point them both to your CW Server IP Address and select a TTL of 10 Minutes.

2. It is not possible to create Let’s Encrypt certificates in Cloudways while the CloudFlare CDN is active, so turn it off by clicking the Orange Cloud. When you see a Grey Cloud it means CloudFlare CDN is off.

3. Go to your Cloudways Server WordPress and add your Primary Domain in Domain Management Section. You must use www.yourdomain. com

4. In your Cloudways Server WordPress install Let’s Encrypt certificates for your domain. Both non-www and www.

5. Login to your Database Manager in Cloudways Server WordPress and search/replace all http entries to https for all images/posts/links. If you see a link without http:// OR https:// LEAVE IT ALONE.

6. Go back to your server and under Settings & Packages / Advanced Tab find WAF Module and change it to CloudFlare.


7. Go to CloudFlare DNS section click on the Grey Cloud to turn on the CDN for both WWW and yourdomain A Records. (Orange Cloud = CDN is on)

8. Go to CloudFlare Crypto Section and turn SSL to Flexible. Wait up to 24 hours for a CloudFlare SSL Certificate. If you have used CloudFlare with the same domain you already have one. (No wait time, the status will say “Active Certificate”)

9. After the CloudFlare SSL is active you can change it to Full Strict.

10. Make sure your pages are working correctly.

AGAIN, I’m not an expert, so try this at YOUR OWN RISK. This is what I have done to make my WordPress website work with Cloudways and CloudFlare CDN.


(Mustaasam Saleem) #5

@Freddie really appreciates the efforts you put in.

Thanks for the detailed guide


(Simon) #6

I’m looking to achieve the same thing. I previously activated both Cloudflare SSL AND Cloudways LetsEncrypt, except now after 3 months the LetsEncrypt renewal has failed.

Changing SSL to ‘Flexible’ is really NOT an ideal solution as this completely disables all encryption between Cloudflare and Cloudways. Please be careful about what you’re recommending in these posts.

I’ve had other hosts that allow activation of LetsEncrypt even while Cloudflare is active, so it must be possible, somehow.


(Mike C) #7

I became so frustrated with Cloudflare that I disabled its CDN features entirely and just using it for DNS. Changed to Cloudways CND and everything is working nicely.


(Freddie) #8

Hi Simon, my LetsEncrypt will renew in about 1 month and I’ll let you know what happens. As of right now, using the setup from above to connect CF CDN and DNS is working very well on a Cloudways multisite. I see that you are concerned with the “Flexible” status of the SSL on CF, but you have to remember that it’s only on “Flexible” when setting up the website on CF for the first time.


(Mike C) #9

Freddie, you’re saying that Cloudflare CDN is working better than Cloudways CDN?


(Freddie) #10

Hey Mike, I can’t say Cloudways CDN is better because I haven’t tried it yet. Although, when comparing the services, Cloudflare CDN has more to offer and a larger content delivery network. Loading time can also be improved when using CF DNS, which is a service Cloudways offers through a partner and separate from their CDN service.


(Mike C) #11

Then I must have had something set up wrong because I was always having a lot of problems when using CF cdn. I do use CF for DNS. Do you have any special settings going on?


(Freddie) #12

Nope, there are no special settings and It’s hard to tell what is causing the problem with CW and CF CDN.

I followed the guide from above when I first installed WordPress on a Linode server using CW. (WordPress with Woocommerce)

My final CF settings are listed below for the free tier:

  • I’m using A Records in the DNS and the CDN is turned on (Orange Cloud) with the exception of the subdomain running Woocommerce “shop.example.com
  • SSL - Full Strict
  • Always use HTTPS - OFF
  • HTTP Strict Transport Security (HSTS) - Disabled
  • Authenticated Origin Pulls - ON
  • Require Modern TLS - ON
  • Opportunistic Encryption - ON
  • TLS 1.3 - Enabled + 0RTT
  • Automatic HTTPS Rewrites - OFF
  • Security Level - HIGH
  • Browser Integrity Check - ON
  • Auto Minify - HTML, CSS, JS
  • Enable Accelerated Mobile Links - OFF
  • Rocket Loader - OFF
  • Mobile Redirect - OFF
  • Caching Level - Standard
  • Browser Cache Expiration - Respect Existing Header (Will change it later)
  • Always Online - OFF
  • Development Mode - OFF
  • WebSockets - ON (Will turn it off later - I don’t need it)
  • Pseudo IPv4 - OFF
  • IP Geolocation
  • Maximum Upload Size - 100MB

(Grahamcampbell) #13

Cloudflare has occasional issues with WordPress and ssl certificates supplied by Cloudflare. The solution is to install the ctw-ssl-for-cloudflare plugin.
Often includes pictures and video have legacy http url’s. On a small site these can be fixed manually, on a large site I use the ssl-insecure-content-fixer plugin on the top or second from top setting (The lower 2 seem to make little difference)
I also used Full (strict) on some sites and add the force-https-littlebizzy to ensure that only the https version is served.
LetsEncrypt solutions have always been a disaster as they expire every 3 months. A script we wrote to auto-update worked for 9 months then died. The WordPress plugins using LE also worked for a while then died.
So I use Cloudflare’ssolution without any issue on 50+ sites. There IS a massive delay when getting some sites onto Cloudflare from some Registrars. A recent .tv domain took 2 days to approve the ssl certificate owing to ‘Additional checks’ required by Cloudflare.


(Paul Cohen) #14

I thought the lets encrypt certs would auto renew? What’s the point of the settings if they don’t do that?