7 votes

If I'm using Cloudflare for my domains, do I need to bother with LE?

It is late... and I am pretty much finished with migrating to a new VPS provider. I got rate limited with two domains, but I'm running everything through Cloudflare. Do I need to bother with LetsEncrypt on the VPS itself? When I check the domains, the certs from CF are working nicely.

This is my first time using CF.

Quick edit while I pretend I can sleep.

I’m thinking that CF will cover me for 443 and route all traffic there. I’ve got wildcards set for domains with services that require other ports — which is working. All CF is doing is caching my sites, right?

13 comments

  1. [11]
    blitz
    Link
    You can't really answer this question without looking at your threat model. Why are you setting up SSL in the first place? Is it just to get that positive browser feedback for clients? Then yeah,...

    You can't really answer this question without looking at your threat model. Why are you setting up SSL in the first place?

    Is it just to get that positive browser feedback for clients? Then yeah, you don't need to set up SSL behind Cloudflare, but you're not getting the full benefit of SSL either.

    You'll get a partial benefit, since one of the easiest places to do a man in the middle attack is when you're local to a client, i.e. setting up a rogue access point that modifies or captures traffic that the victim might connect to. Cloudflare Flexible HTTPS alone will protect you from that.

    If you're handling sensitive information, though? I still think it's worth setting up a fully signed and verified key chain all the way to the origin server. Attacks that would target the backend are more sophisticated, but they can and do still happen. One possible attack that can occur is if somehow the DNS records that cloudflare sees are wrong, and cloudflare sends requests to the wrong origin server temporarily. This is called DNS cache poisoning. Though Cloudflare is unlikely to be attacked successfully, it's important to know that Cloudflare itself does not have to be compromised for your server to be compromised; all that's needed is for Cloudflare to see the wrong A record when it looks up the domain name for the origin server, which can happen any number of different ways.

    A properly signed certificate will help protect from that, a self signed certificate will not.

    In my mind it's worth having the assurance that the whole chain is encrypted and signed; especially since setting up a signed certificate is easier than ever with LE these days.

    7 votes
    1. [9]
      Shahriar
      Link Parent
      Wouldn't a CloudFlare Origin CA certificate be suffice for this? Eliminating the need for a certificate from another Certificate Authority, like Let's Encrypt.

      If you're handling sensitive information, though? I still think it's worth setting up a fully signed and verified key chain all the way to the origin server.

      Wouldn't a CloudFlare Origin CA certificate be suffice for this? Eliminating the need for a certificate from another Certificate Authority, like Let's Encrypt.

      2 votes
      1. [8]
        Adys
        Link Parent
        An origin cert does not provide end-to-end encryption, because the issuer is in the middle of the chain. It would not be appropriate for actual sensitive information imo. I think CF origin CA...

        An origin cert does not provide end-to-end encryption, because the issuer is in the middle of the chain. It would not be appropriate for actual sensitive information imo.

        I think CF origin CA certs fill a weird niche to be honest. Most people setting up SSL are served just fine with the SSL flexible setting in cloudflare, and if you are handling anything that needs e2ee, you can't use them.

        2 votes
        1. [7]
          Shahriar
          Link Parent
          I'm having issues understanding this. What differs CloudFlare's certificate from Let's Encrypt certificate? Assuming you are using the full or strict setting. You could use Let's Encrypt instead...

          An origin cert does not provide end-to-end encryption, because the issuer is in the middle of the chain.

          I'm having issues understanding this.

          What differs CloudFlare's certificate from Let's Encrypt certificate? Assuming you are using the full or strict setting.
          You could use Let's Encrypt instead of CloudFlare as the "origin" web server certificate.

          It is to my knowledge that the chain of trust would be broken if a trusted certificate authority is not used, or CloudFlare's certificate; which the latter is not valid directly connected by a browser to the web server and not via CloudFlare CDN. What repercussions could one face if they were to use CloudFlare's certificate?

          1 vote
          1. [6]
            Adys
            Link Parent
            I think you answered your own question?

            I think you answered your own question?

            1 vote
            1. [5]
              Shahriar
              Link Parent
              Where does having CloudFlare origin certificate here break the chain of trust and the end-to-end encryption?

              An origin cert does not provide end-to-end encryption, because the issuer is in the middle of the chain. It would not be appropriate for actual sensitive information imo.

              Where does having CloudFlare origin certificate here break the chain of trust and the end-to-end encryption?

              1 vote
              1. [4]
                Adys
                Link Parent
                With an origin cert, Cloudflare decrypts and re-encrypts using a different cert to serve to the end user, so it's not e2ee.

                With an origin cert, Cloudflare decrypts and re-encrypts using a different cert to serve to the end user, so it's not e2ee.

                1 vote
                1. [3]
                  Shahriar
                  Link Parent
                  Is there any article one could read that describes this process? It's to my knowledge that the origin certificate pretty much behaves as a Let's Encrypt certificate here and does not change. Would...

                  Cloudflare decrypts and re-encrypts using a different cert to serve to the end user

                  Is there any article one could read that describes this process?

                  It's to my knowledge that the origin certificate pretty much behaves as a Let's Encrypt certificate here and does not change.

                  Would assigning an origin certificate by Let's Encrypt, for example, ensure it would be end-to-end encrypted?

                  Sorry for all the questions, I'm just having difficulty understanding why CloudFlare's origin certificate behaves so differently.

                  1 vote
                  1. [2]
                    Adys
                    Link Parent
                    Here's a help article: https://support.cloudflare.com/hc/en-us/articles/115000479507-Managing-Cloudflare-Origin-CA-certificates The key thing to understand is that an origin certificate is issued...

                    Here's a help article: https://support.cloudflare.com/hc/en-us/articles/115000479507-Managing-Cloudflare-Origin-CA-certificates

                    Use Origin CA certificates to encrypt traffic between Cloudflare and your origin web server.

                    To ensure greater convenience, security, and performance, Cloudflare recommends an Origin CA certificate over a self-signed certificate or a certificate purchased from a Certificate Authority. With an Origin CA certificate, you can use Full and Full(strict) SSL/TLS encryption mode in the Cloudflare SSL/TLS app without first purchasing a certificate from a Certificate Authority to install at your origin web server.

                    The key thing to understand is that an origin certificate is issued and signed by Cloudflare, and is trusted by Cloudflare. If you were to use such a certificate at the edge, your web browser would cry foul and say "Who the fuck is Cloudflare?". They are not a trusted CA.

                    Another key thing to understand is that origin certs are older than Lets Encrypt; they come from a time where, if you wanted to have full end to end encryption with cloudflare at the edge, you'd have to purchase a cert and install it on your server. They're a better user experience than this.

                    Anyway, lots of CF functionality relies on CF itself being able to read your content and replace it, such as auto-minify, various compression overrides, etc. Now that I'm saying this out loud I realize I might have misled you saying that E2EE was even possible with CF; I don't know if there's a case outside of enterprise where they let you use your own cert end to end on proxied endpoints.

                    1 vote
                    1. Shahriar
                      Link Parent
                      Would this differ from other CDN or "Edge" networks like Netlify? Netlify allows custom certificates, but even their own managed certificates are issued with Let's Encrypt, where it would not be...

                      The key thing to understand is that an origin certificate is issued and signed by Cloudflare, and is trusted by Cloudflare. If you were to use such a certificate at the edge, your web browser would cry foul and say "Who the fuck is Cloudflare?". They are not a trusted CA.

                      Would this differ from other CDN or "Edge" networks like Netlify?

                      Netlify allows custom certificates, but even their own managed certificates are issued with Let's Encrypt, where it would not be part of the trust chain process.

                      Thank you for taking the time to explain; I understood your explanation for CloudFlare as:
                      Browser -> CloudFlare's TLS -> CloudFlare Edge -> Origin Server TLS -> Origin Server.

                      As CloudFlare uses its own certificates to process between the browser and my origin server, it's not truly E2EE as they issued the certificate and would have their respective private keys. Although they seem to support certificates on the Origin Server issued by a Certificate Authority like Let's Encrypt. The chain in its entirety is not independent from CloudFlare.

                      Netlify can manage this automatically with Let's Encrypt, but they are not using a "hack" of their own Certificate Authority like CloudFlare is using here.

                      Here is the documentation I was trying to understand with Netlify.

    2. tomf
      Link Parent
      ok cool. the sites are mostly useless right now. The bulk of them are from old projects / businesses I've since closed, but I have the domains kicking around since I like the domains. Some are for...

      ok cool. the sites are mostly useless right now. The bulk of them are from old projects / businesses I've since closed, but I have the domains kicking around since I like the domains. Some are for other communities, but there isn't any sort of data collection taking place -- so SSL isn't really needed, I just figured I might as well do it up.

      I'll encrypt it all anyways, though. LE is a breeze, like you said -- and its already running :)

      This is one of those things I am about 85% comfortable with, but still a little out of my element. I'm at that level where the move to this new provider has felt easy, which makes me slightly uncomfortable. But everything has gone off without a hitch, so I should be thankful.

      Thanks for this!

      1 vote
  2. [2]
    jcdl
    Link
    You can use Cloudflare’s SSL proxy, which is fine. Just know that the connection between CF and your VPS is unencrypted, so anyone sitting between them has full control of your traffic. You can...

    You can use Cloudflare’s SSL proxy, which is fine. Just know that the connection between CF and your VPS is unencrypted, so anyone sitting between them has full control of your traffic.

    You can also setup a certificate on your server to avoid that issue. Self signed or Let’s Encrypt are both fine since CF doesn’t validate the certificate.

    4 votes
    1. tomf
      Link Parent
      Okay great! I’ll go down the self-signed route. This all makes sense now. It will be nice not to ever think about certs, even though it was automated. Thanks so much!

      Okay great! I’ll go down the self-signed route. This all makes sense now.

      It will be nice not to ever think about certs, even though it was automated.

      Thanks so much!

      2 votes