Ever since Google stated that SSL would be a ranking factor for websites, every web host has started offering free SSL. However, NameHero was offering free SSL certificates even earlier – well before other hosting providers jumped on the bandwagon. But Let’s Encrypt and AutoSSL certificates are unstable for the following reasons.
1. AutoSSL and Let’s Encrypt Expire Every 90 Days
Your web host’s Let’s Encrypt certificates expire every 3 months. Even though the certificates renew automatically, there’s always a chance that the renewal fails. I used Let’s Encrypt for 4 years before I faced problems. So for sheer peace of mind, it’s better to have an SSL certificate that doesn’t renew so often.
2. Your Nameservers Need to Resolve to your Web Host
A major problem with Let’s Encrypt and AutoSSL is that your domain’s nameservers need to point to your web host, so that the certificate authority’s validation requests reach your server. This isn’t a problem if you’ve kept the default setup and your web host’s nameservers. Unfortunately, a lot of people use a different nameserver. Cloudflare is probably the most popular third-party nameserver because of how fast it is and how easy it is to manage the records.
For a long time, this wasn’t a problem. I don’t know what changed, but one day all my Let’s Encrypt certificates started failing. Upon contacting my (then) web host, the customer rep told me that my nameservers were pointing to Cloudflare and that I had to change the nameservers to my web host instead.
So I changed them, and the Let’s Encrypt validation went through. However, I couldn’t do this every 90 days. There’s a good chance I would forget, and I didn’t want to give up using the Cloudflare DNS system along with all the benefits.
Solution: Use a Cloudflare Origin SSL that Lasts for 15 Years!
The solution I found for my site WP-Tweaks.com was to use a free Cloudflare origin certificate that lasts for 15 years. This certificate works only if you proxy your traffic through Cloudflare and use their DNS servers: it is signed by Cloudflare’s own certificate authority, which browsers don’t trust, so only Cloudflare’s proxy will accept it. It WON’T work if you don’t use Cloudflare’s DNS.
The idea is simple. If you use Cloudflare’s DNS servers with the proxy enabled, Cloudflare sits between your visitors and your server, so every request for your hostname arrives from Cloudflare’s network rather than directly from the visitor. By generating a Cloudflare Origin Certificate and installing it on your server, you let Cloudflare verify your server’s identity and keep the hop between its edge and your origin strictly encrypted.
Generating a Cloudflare Origin Certificate
To generate a Cloudflare Origin certificate, log into Cloudflare and click “SSL/TLS” and then click “Origin Server” as shown here:
Follow the wizard to generate a certificate, choosing a validity of 15 years (the maximum allowed). Save both the certificate and the private key; you’ll need them to install the certificate on your server. The installation steps vary depending on the web hosting control panel. If you’re using a VPS on InterWorx, as I do, then you can install the SSL certificate on SiteWorx. Here’s the certificate installed on my VPS server:
Once this is done, turn on Full (strict) encryption in Cloudflare’s SSL/TLS settings like this:
In Full (strict) mode Cloudflare insists on a valid certificate from your origin (an Origin CA certificate or one issued by a public CA) for the hop between its edge and your server, instead of accepting any certificate (Full) or falling back to plain HTTP (Flexible). That is what makes this setup secure end to end.
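Before (or right after) installing the downloaded files, it is worth checking that the private key really belongs to the certificate and that the certificate is not about to expire. The script below is an added example, not part of the original post and not a Cloudflare or NameHero tool; it assumes the openssl command-line tool is installed, and the file names are placeholders.

```shell
#!/bin/sh
# Sanity check for a Cloudflare Origin certificate and its private key.
# Added example (not from the original post); assumes the openssl CLI exists.
# Usage: check_origin_cert cert.pem key.pem [warn_days]
# Exit codes: 0 = OK, 1 = unreadable file or key/cert mismatch,
#             2 = certificate expires within warn_days (default 30).
check_origin_cert() {
    cert="$1"; key="$2"; warn_days="${3:-30}"

    # 1. Extract the public key from each file. Both commands print the same
    #    SubjectPublicKeyInfo in PEM form, so a matching pair is byte-identical.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "FAIL: cannot read certificate $cert"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "FAIL: cannot read private key $key"; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match certificate"
        return 1
    fi

    # 2. Show the issuer. Origin certificates are signed by Cloudflare's own CA,
    #    which browsers do not trust, so they only work behind the Cloudflare proxy.
    issuer=$(openssl x509 -in "$cert" -noout -issuer)
    echo "$issuer"
    case "$issuer" in
        *[Cc]loud[Ff]lare*) ;;
        *) echo "NOTE: issuer is not Cloudflare; is this really an Origin CA certificate?" ;;
    esac

    # 3. Expiry: -checkend succeeds only if the certificate is still valid
    #    warn_days from now, so a cron job can warn well before the cutoff.
    echo "expires: $(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)"
    if ! openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)); then
        echo "FAIL: certificate expires within $warn_days days"
        return 2
    fi
    echo "OK: key matches and certificate is valid for more than $warn_days days"
    return 0
}
```

Run it as `check_origin_cert origin.pem origin.key` on the server after copying the files over; a non-zero exit code means you should not switch Cloudflare to Full (strict) yet.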
No More Worries for 15 years!
The best part of this solution is the peace of mind that comes with knowing that you never again need to worry about Let’s Encrypt or AutoSSL as long as you continue to use the Cloudflare DNS servers. Since Cloudflare has the best DNS servers, this is a good thing! And you don’t need to be concerned about your web host botching an SSL certificate renewal and taking your site down.
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!
Ashikur Rahman says
I am on shared hosting. Can you make a tutorial on installing a Cloudflare SSL certificate on cPanel?