7 votes

If I'm using Cloudflare for my domains, do I need to bother with LE?

It is late... and I am pretty much finished with migrating to a new VPS provider. I got rate limited with two domains, but I'm running everything through Cloudflare. Do I need to bother with LetsEncrypt on the VPS itself? When I check the domains, the certs from CF are working nicely.

This is my first time using CF.

Quick edit while I pretend I can sleep.

I’m thinking that CF will cover me for 443 and route all traffic there. I’ve got wildcards set for domains with services that require other ports — which is working. All CF is doing is caching my sites, right?

6 comments

  1. [4]
    blitz

    You can't really answer this question without looking at your threat model. Why are you setting up SSL in the first place?

    Is it just to get that positive browser feedback for clients? Then yeah, you don't need to set up SSL behind Cloudflare, but you're not getting the full benefit of SSL either.

    You'll get a partial benefit, since one of the easiest places to do a man in the middle attack is when you're local to a client, i.e. setting up a rogue access point that modifies or captures traffic that the victim might connect to. Cloudflare Flexible HTTPS alone will protect you from that.

    If you're handling sensitive information, though? I still think it's worth setting up a fully signed and verified key chain all the way to the origin server. Attacks that would target the backend are more sophisticated, but they can and do still happen. One possible attack that can occur is if somehow the DNS records that Cloudflare sees are wrong, and Cloudflare sends requests to the wrong origin server temporarily. This is called DNS cache poisoning. Though Cloudflare is unlikely to be attacked successfully, it's important to know that Cloudflare itself does not have to be compromised for your server to be compromised; all that's needed is for Cloudflare to see the wrong A record when it looks up the domain name for the origin server, which can happen any number of different ways.

    A properly signed certificate will help protect from that; a self-signed certificate will not.

    In my mind it's worth having the assurance that the whole chain is encrypted and signed; especially since setting up a signed certificate is easier than ever with LE these days.

    7 votes
    1. [2]
      Shahriar

      If you're handling sensitive information, though? I still think it's worth setting up a fully signed and verified key chain all the way to the origin server.

      Wouldn't a Cloudflare Origin CA certificate suffice for this, eliminating the need for a certificate from another Certificate Authority, like Let's Encrypt?

      2 votes
      1. Adys

        An origin cert does not provide end-to-end encryption, because the issuer is in the middle of the chain. It would not be appropriate for actual sensitive information imo.

        I think CF Origin CA certs fill a weird niche, to be honest. Most people setting up SSL are served just fine with the SSL Flexible setting in Cloudflare, and if you are handling anything that needs e2ee, you can't use them.

        1 vote
    2. tomf

      Ok cool. The sites are mostly useless right now. The bulk of them are from old projects / businesses I've since closed, but I have the domains kicking around since I like the domains. Some are for other communities, but there isn't any sort of data collection taking place -- so SSL isn't really needed, I just figured I might as well do it up.

      I'll encrypt it all anyways, though. LE is a breeze, like you said -- and it's already running :)

      This is one of those things I am about 85% comfortable with, but still a little out of my element. I'm at that level where the move to this new provider has felt easy, which makes me slightly uncomfortable. But everything has gone off without a hitch, so I should be thankful.

      Thanks for this!

      1 vote
  2. [2]
    jcdl

    You can use Cloudflare’s SSL proxy, which is fine. Just know that the connection between CF and your VPS is unencrypted, so anyone sitting between them has full control of your traffic.

    You can also set up a certificate on your server to avoid that issue. Self-signed or Let’s Encrypt are both fine since CF doesn’t validate the certificate.

    4 votes
    1. tomf

      Okay great! I’ll go down the self-signed route. This all makes sense now.

      It will be nice not to ever think about certs, even though it was automated.

      Thanks so much!

      2 votes
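The two points made above, blitz's "a signed cert protects you, a self-signed one doesn't" and jcdl's "CF doesn't validate the origin certificate", can be reproduced on your own machine with openssl. This is an added example, not code from anyone in the thread: the hostname and the throwaway CA are constructed stand-ins, and `strict_check` mirrors what Cloudflare's "Full (strict)" setting requires of the origin (trusted issuer plus matching name) rather than calling Cloudflare itself.

```shell
#!/bin/sh
# Added example, not from the thread. Needs openssl 1.1.1+ (for -addext).
# HOST is a constructed placeholder; every key and cert here is throwaway.
set -eu
WORK=$(mktemp -d)
HOST=origin.example.com

# Self-signed origin cert: "Full" accepts it (no validation), "Full (strict)"
# rejects it, and it gives no protection if CF is pointed at a wrong origin.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" >/dev/null 2>&1
}

# A private CA plus an origin cert it signs. The CA stands in for Let's
# Encrypt or Cloudflare's Origin CA; the cert is what the origin would serve.
make_ca_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/origin.key" -out "$WORK/origin.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$HOST" >"$WORK/san.ext"
  openssl x509 -req -days 30 -in "$WORK/origin.csr" -extfile "$WORK/san.ext" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/origin.pem" >/dev/null 2>&1
}

# The check "Full (strict)" performs and "Full"/"Flexible" skip: the chain
# must verify up to a trusted CA and the SAN must match the origin hostname.
# $1 = certificate to test, $2 = trust anchor file. Returns 0 pass / 1 fail.
strict_check() {
  openssl verify -CAfile "$2" -verify_hostname "$HOST" "$1" >/dev/null 2>&1
}

make_self_signed
make_ca_signed
for cert in self.pem origin.pem; do
  if strict_check "$WORK/$cert" "$WORK/ca.pem"; then
    echo "$cert: passes strict verification"
  else
    echo "$cert: FAILS strict verification (only Full/Flexible would accept it)"
  fi
done
```

Swap `$WORK/ca.pem` for your system trust store (or Cloudflare's published Origin CA root) to run the same check against a real origin certificate.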