Using Cloudflare Proxied SSL Certificates without using the GridPane Cloudflare Integration and Generating Self Signed Certificates

Introduction

This article tackles using Cloudflare Proxied SSL Certificates with GridPane when not using the GridPane Cloudflare integration for automatically generating SSL Certificates using Lets Encrypt.

If you’re having issues with SSL the using the Why No Padlock website is super helpful.

Why No Padlock?

Why No Padlock? – Why is my SSL web page insecure? Find the culprit!

whynopadlock.com

Understanding SSL Certificates and Server Configurations

What are Self-Signed SSL Certificates and are they Secure?

Self-signed SSL certificates and those issued by a trusted Certificate Authority (CA) are technically similar in terms of their creation and function. The key difference lies in the trustworthiness of the signing authority. While the technology and encryption levels are the same, a CA uses a root certificate that is pre-installed and trusted by web browsers and devices. Self-signed certificates, on the other hand, are signed with a user-generated key, not recognized by browsers’ list of trusted root certificates. This lack of external validation by a trusted CA is what leads to security warnings in browsers, distinguishing them from CA-issued certificates in terms of trust and acceptance in wider internet communications.

Generating a Self-Signed SSL Certificate with openssl

Generating a self-signed SSL certificate with OpenSSL is a straightforward process that can be accomplished with just a few command line instructions, making it accessible even for those with basic technical knowledge.

OpenSSL, a robust, open-source toolkit for SSL/TLS, is available on a variety of platforms including Linux via a shell, macOS on Terminal, and Windows through tools like Git Bash or Windows Subsystem for Linux. The following is the openssl command to create both the certificate (cert.pem) and the private key (key.pem) with a validity of one year (-days 365). You can also set days to any value, it can even be 10 years, it’s totally up to you.

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

No Self-Signed Certificates in GridPane

GridPane, does not create self-signed SSL certificates by default or when no SSL Certificate has been configured using the HTTP request based Lets Encrypt method or the LetsEncrypt Cloudflare DNS Integration to Generate a Lets Encrypt SSL Certificate. Instead GridPane will handle requests over HTTPS/443, but will return an error of 444, which will cause an issue sometimes with Cloudflare proxying.

Cloudflare and Port 80 Utilization

Cloudflare will prefer to use HTTPS/443 to access a proxied website, but can access HTTP/80. However if you only have HTTP/80 open and are on GridPane with no SSL Certificate where HTTPS/443 returns an error 444, this becomes a problem. To circumvent this limitation, you might need to configure Cloudflare to direct traffic through port 80. This requires a bit of tweaking as Cloudflare normally expects traffic to come through HTTPS/443. I’m not 100% sure what is required, typically Cloudflare figures it out. At the time of writing this there is no method I know of to force HTTP/80.

The Solution, Installing Your Own SSL Certificate

So since GridPane doesn’t offer a Self-Signed SSL Certificate, you have to instead install one yourself. Now, this might seem an overboard approach, however if you want to use Cloudflare properly or be able to see visit a WordPress site without a valid SSL Certificate (because it redirects to https://) then this is your only solution.

Installing Custom SSL Certificates in GridPane

You can install your own SSL certificate into any GridPane site, GridPane offers a guide to provision your own custom SSL certificate.

Setting up a Custom SSL | GridPane

In some cases, you may want to run a custom non Let’s Encrypt based SSL. This article will walk you through how to do this on GridPane. Setting up a custom SSL…

gridpane.com

The process goes through taking your own custom SSL Certificate files and installing them on a GridPane site. You can use a self-signed SSL Certificate or another providers such as ZeroSSL or the various SSL Certificate Authorities online.

SSL Certificate Options

Leveraging Cloudflare Origin Certificates

One option is to use Cloudflare’s origin certificates, which can be downloaded via or generated via Command Line Interface (CLI).

Origin CA certificates · Cloudflare SSL/TLS docs

Origin Certificate Authority (CA) certificates allow you to encrypt traffic between Cloudflare and your origin web server, and reduce origin bandwidth …

developers.cloudflare.com

While similar to generating a self-signed certificate, the expiry date of these certificates is not immediately clear.

Generating a Self-Signed Certificate

For those comfortable with command-line tools, generating a self-signed certificate is a viable option as mentioned above. This can be done in environments like Terminal on macOS, GridPane server SSH via root, or Windows Subsystem for Linux (WSL) on Windows 10/11. Once generated, the certificate can be installed using the above GridPane instructions.

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

The Case for Self-Signed SSL Certificates on GridPane

There’s a growing push for GridPane to support the installation and renewal of self-signed SSL certificates. This feature is common in many control panels and could significantly improve user convince and time wasted troubleshooting issues.