Introduction
This article covers using Cloudflare proxied SSL certificates with GridPane when you are not using the GridPane Cloudflare integration to automatically generate SSL certificates with Let's Encrypt.
If you're having issues with SSL, the Why No Padlock website is super helpful.
Understanding SSL Certificates and Server Configurations
What are Self-Signed SSL Certificates and are they Secure?
Self-signed SSL certificates and those issued by a trusted Certificate Authority (CA) are technically similar in terms of their creation and function. The key difference lies in the trustworthiness of the signing authority. While the technology and encryption levels are the same, a CA uses a root certificate that is pre-installed and trusted by web browsers and devices. Self-signed certificates, on the other hand, are signed with a user-generated key, not recognized by browsers’ list of trusted root certificates. This lack of external validation by a trusted CA is what leads to security warnings in browsers, distinguishing them from CA-issued certificates in terms of trust and acceptance in wider internet communications.
Generating a Self-Signed SSL Certificate with openssl
Generating a self-signed SSL certificate with OpenSSL is a straightforward process that can be accomplished with just a few command line instructions, making it accessible even for those with basic technical knowledge.
OpenSSL, a robust, open-source toolkit for SSL/TLS, is available on a variety of platforms including Linux via a shell, macOS on Terminal, and Windows through tools like Git Bash or Windows Subsystem for Linux. The following is the openssl command to create both the certificate (cert.pem) and the private key (key.pem) with a validity of one year (-days 365). You can set days to any value, even 10 years; it's totally up to you.
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
No Self-Signed Certificates in GridPane
GridPane does not create self-signed SSL certificates by default, nor when no SSL certificate has been configured using either the HTTP-request-based Let's Encrypt method or the Let's Encrypt Cloudflare DNS integration. Instead, GridPane will handle requests over HTTPS/443 but will return a 444 error, which sometimes causes issues with Cloudflare proxying.
Cloudflare and Port 80 Utilization
Cloudflare prefers to use HTTPS/443 to access a proxied website, but can access HTTP/80. However, if you only have HTTP/80 open and are on GridPane with no SSL certificate, where HTTPS/443 returns a 444 error, this becomes a problem. To circumvent this limitation, you might need to configure Cloudflare to direct traffic through port 80. This requires a bit of tweaking, as Cloudflare normally expects traffic to come through HTTPS/443. I'm not 100% sure what is required; typically Cloudflare figures it out. At the time of writing, there is no method I know of to force HTTP/80.
The Solution, Installing Your Own SSL Certificate
Since GridPane doesn't offer a self-signed SSL certificate, you have to install one yourself. This might seem like overkill; however, if you want to use Cloudflare properly or be able to visit a WordPress site without a valid SSL certificate (because it redirects to https://), then this is your only solution.
Installing Custom SSL Certificates in GridPane
You can install your own SSL certificate on any GridPane site; GridPane offers a guide to provisioning your own custom SSL certificate.
The process involves taking your own custom SSL certificate files and installing them on a GridPane site. You can use a self-signed SSL certificate or one from another provider such as ZeroSSL or the various SSL Certificate Authorities online.
SSL Certificate Options
Leveraging Cloudflare Origin Certificates
One option is to use Cloudflare’s origin certificates, which can be downloaded via or generated via Command Line Interface (CLI).
While similar to generating a self-signed certificate, the expiry date of these certificates is not immediately clear.
Generating a Self-Signed Certificate
For those comfortable with command-line tools, generating a self-signed certificate is a viable option as mentioned above. This can be done in environments like Terminal on macOS, GridPane server SSH via root, or Windows Subsystem for Linux (WSL) on Windows 10/11. Once generated, the certificate can be installed using the above GridPane instructions.
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
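The same command run non-interactively, followed by the checks worth doing before uploading the files to GridPane: that the key pairs with the certificate, and when the certificate expires (the expiry check works equally on a Cloudflare origin certificate). This is an added example, not part of the original article; the hostname origin.example.test, the function names and the temporary directory are assumptions, and -addext needs OpenSSL 1.1.1 or newer.

```shell
#!/usr/bin/env bash
# Added example. origin.example.test is a placeholder hostname (assumption).

# Create key.pem and cert.pem in directory $1 for hostname $2, valid for $3 days.
make_selfsigned() {
  # -nodes writes the key without a passphrase so the web server can load it
  # unattended; umask 077 keeps the generated files readable by the owner only.
  ( umask 077
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 \
      -keyout "$1/key.pem" -out "$1/cert.pem" -days "$3" \
      -subj "/CN=$2" -addext "subjectAltName=DNS:$2" )
}

# True when issuer and subject are the same name, as on a self-signed cert.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# True when private key $2 belongs to certificate $1 (public keys are equal).
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -pubout)" ]
}

# True when certificate $1 is still valid $2 days from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

workdir=$(mktemp -d)
make_selfsigned "$workdir" origin.example.test 365

# Print the subject and the expiry date (notAfter) of the new certificate.
openssl x509 -in "$workdir/cert.pem" -noout -subject -enddate

is_self_signed "$workdir/cert.pem" && echo "self-signed: yes"
key_matches_cert "$workdir/cert.pem" "$workdir/key.pem" && echo "key matches: yes"
valid_for_days "$workdir/cert.pem" 30 || echo "expires within 30 days"
```

Cloudflare's Full SSL mode accepts a self-signed certificate at the origin; Full (strict) does not, and requires a publicly trusted or Cloudflare Origin CA certificate.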
The Case for Self-Signed SSL Certificates on GridPane
There's a growing push for GridPane to support the installation and renewal of self-signed SSL certificates. This feature is common in many control panels and could significantly improve user convenience and reduce time wasted troubleshooting issues.