Custom Domain with WordPress & Cloudflare

Continued from [OBSOLETE] How to get a custom domain from Freenom with SSL and CloudFlare - #8 by Senor_e474

Hi, thanks very much for the reply.

Background:
So far I have registered a .ml domain with Freenom and updated the Freenom DNS to set the nameservers to Infinity’s nameservers. This worked fine with WordPress running on http.

When you add a website to Cloudflare, step 2 prompts you to set up the DNS records, which was where I was struggling.

I got Cloudflare working by adding:

A record:
name: abcdef.ml
value: IP4 address (4 byte dotted quad) from account information, e.g. 123.234.x.x

CNAME record:
name: www
value: A record name part, e.g. abcdef.ml

This got me to the point where Cloudflare would list its nameservers. I went back to Freenom and changed the nameserver settings from Infinity’s to the ones given by Cloudflare. This seems to work OK for http, but I am struggling to set up https (with WordPress, of course).

I tried setting up a self signed certificate on Infinity, and installing it, but that didn’t get recognised by the Really Simple SSL plugin. I then tried setting up the Free Lets Encrypt SSL certificate, and adding the “_acme challenge” CNAME record in Cloudflare’s DNS, but that didn’t work either. I’ve got as far as cloudflare returning a 526 “Invalid SSL certificate” when I try and visit via https.

At this point I’m not sure how to get Wordpress working with SSL, or if I’ve actually set up my Cloudflare DNS record correctly, or just happened to luck out with an accidentally working configuration.

Edit: I just went in to Cloudflare and changed the “SSL/TLS Encryption Mode” from “Full (strict)” to just “Full”, and I get a grey padlocked default site “Let’s Make Something Awesome”. So I guess https is now working, but I still have to figure out how to get Wordpress up and running with SSL.

I’m going to give setting up Wordpress and SSL another go, I assume I need to get the Really Simple SSL plugin to work, hopefully it was a caching issue. It’s definitely using the Lets Encrypt SSL certificate (looking at the certificate details in Chrome), but I hope it’s just a matter of getting Wordpress and the SSL plugin happy.

Hello!

For SSL, there are a few things that you can do.

You can use “Flexible” SSL on Cloudflare, and NO certificate on InfinityFree

You can use “Full” SSL on Cloudflare, and ANY SSL certificate on InfinityFree (Self-Signed, GGSSL, etc)

You can use “Full (Strict)” SSL on Cloudflare, and use GGSSL or LetsEncrypt on InfinityFree

(GGSSL = GoGetSSL)


As for SSL on WordPress, make sure the site loads over HTTPS first, and if it does, you can ignore all the warnings from the ReallySimple SSL plugin and just activate it.

Also, can you please share your domain name so I can check and see if everything is set up correctly?

Thanks!

4 Likes

Hi Greenreader9,

Thank you very much for your detailed reply.

I went ahead and (re)installed Wordpress using an https: version (I got a warning about it not recognising the SSL domain, or something similar, but went ahead anyway). Wordpress installed just fine, and the https: version came up. The url is e474.ml btw.

I then went into wp admin (via the Softaculous panel), and added the Really Simple SSL plugin. When I activated it, I got a warning about it not being able to check the SSL certificate, but I clicked the enable anyway button (or similar named button), and it worked, and seemed quite happy.

At the moment Really Simple SSL says “15% SSL is activated on your site. You still have 10 tasks open.” So it looks like there is still some fixup to do, but nothing that gets in the way of SSL.

I guess I have a few remaining unknowns.

  1. It’s definitely using a Lets Encrypt certificate, but that will only be good for 3 months, so I’m not clear on where/how to renew it (more on this below, though).

  2. I saw that I should be using the “Main domain” fully qualified domain name from the Account details tab, instead of the IP4 address, I’ll try changing this over (in Cloudflare’s DNS record), as this sounds like it might be a better long term solution, especially if the account gets moved to another Infinity IP address. Probably I will try changing this first, and let everything settle down before doing anything else, as I don’t want to complicate any trouble shooting.

  3. I would actually prefer to go the self signed route, as it lasts for 10 years, not 3 months, but I’m not clear on what I was doing wrong for this (I appreciate it might be a caching issue). Presumably I can delete the CNAME _acme challenge setting, and try again with the generate/install self signed certificate steps. I assume there might be some caching issues, so won’t try this until step 2 is in place.

Thanks again for the help!

  1. Don’t change the Cloudflare DNS from the IP to the main domain. Your domain won’t change IP addresses. If you already did change it, just leave it.

  2. For self-signed, do the following

  • In the client panel, generate a certificate
  • Change your Cloudflare SSL mode to “Full”
  • Install the certificate in the InfinityFree control panel

1 Like

Hi Greenreader9,

I got SSL working with Lets Encrypt - when I visit my WordPress setup on my website, and click on the padlock, it shows issued by E1/Lets Encrypt. I wanted to move over to a self signed certificate (as it lasts longer), so I deleted the CNAME record on Cloudflare that contained the “_acme” challenge info. This was a couple of days ago, so I was hoping that the Lets Encrypt info would expire (as there was nothing to point to the Lets Encrypt ACME challenge - but I’m not certain this is how it actually works). I now have 2 Self Signed SSL certificates from Infinity, I think both are installed, but they are yet to show up as the certificates for my WordPress website. Will the Lets Encrypt certificate be used until it expires (roughly 3 months from now), even though I have removed the _ACME challenge on Cloudflare’s DNS, or will things switch over to using my Self Signed certificates (sooner or later)?

Just asking before this topic closes.

Please show proof to confirm.

This will not disable the Lets Encrypt certificate. You need to remove it from the control panel. Installing a self-signed cert over it will allow your website to switch over.

2 Likes

Hi KangJL,

Here's a screen grab from the "Free SSL Certificate" area of the Account area:

[Image: Screenshot_20221118_205002]

I think I already managed to delete the Lets Encrypt certificate (at the same time as I deleted the _acme challenge CNAME record), but I am not sure where I should be checking this on Infinity (I’m a new user).

Hello

You can only install one certificate at a time, in the control panel.

The certificates in the client area show the certificates you have generated, not the certificates you are using. Additionally, the CNAME record is only used to validate the certificate, you can delete it after the certificate is issued and nothing will change.

In the client panel (screenshot you shared), select a certificate and follow the steps to install it. Once it is installed, make sure that Cloudflare SSL is set to “Full”. It can take 24 hours for certificate information to update on your device.

4 Likes

That’s the certificate from Cloudflare. Our Let’s Encrypt certificates are from “R3”, the “E1” system is currently a tech preview for select partners, which includes Cloudflare but not us.

Cloudflare provides the certificates for their Universal SSL feature, and they are currently using different SSL providers, including Let’s Encrypt. So just because the certificate doesn’t show up as “Cloudflare” in our checker doesn’t mean it’s not provided by Cloudflare.

When using Cloudflare’s proxy on your site, visitors will connect to Cloudflare’s servers, not ours. This means that you (and other visitors) will see the certificate provided by Cloudflare in the browser. The certificate installed on your hosting account is only used to encrypt the traffic between Cloudflare and your hosting account, which is invisible to visitors.

And that’s good, because Self Signed certificates are not trusted, so using those directly results in an invalid SSL warning. But they are great with Cloudflare because it lets you use Full SSL with a certificate that’s valid for a long time.

3 Likes

OK, I think I see.

The Cloudflare issued SSL certificate (from Lets Encrypt) gets auto-renewed by Cloudflare, so I don’t have to take action to renew it every 3 months. I shouldn’t worry about the Lets Encrypt certificate I created on InfinityFree, because it’s not used anyway.

The self signed SSL certificate (presumably the newest of the 2 I created) gets used between InfinityFree and Cloudflare (so that traffic is encrypted). It lasts for 10 years, so I don’t have to worry about renewing it until 2032.

Is there any way to delete the unused self signed SSL certificate, or should I not worry about it? Is there any way to see which self signed certificate is actually in use?

Thanks for the help, it looks like I am good to go with creating content!

Yes, that’s it! You don’t need to worry about certificate renewal for the foreseeable future.

Once an SSL order went through, it’s no longer possible to delete it.

If you want to check which certificate is in use, you can do so by comparing the SSL certificate text present in the SSL/TLS menu in the control panel to the one matching the client area.

But I wouldn’t worry about it. You have two working certificates and are using one of them. Everything works and should just keep working, so you don’t need to look at it again for the next 9 years and 11 months.

3 Likes
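The check described in the reply above (comparing the certificate text in the control panel's SSL/TLS menu with the certificates listed in the client area), as an added example that is not part of the thread or of InfinityFree's tooling. The function names are hypothetical and the PEM blocks are constructed stand-ins rather than real certificates; the comparison hashes the decoded DER bytes so that indentation, CRLF line endings or re-wrapped lines in pasted text do not cause a false mismatch.

```python
import base64
import hashlib
import socket
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

def pem_fingerprint(pem_text: str) -> str:
    """SHA-256 of the DER bytes, so pasted whitespace and wrapping do not matter."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    body = lines[1:-1]
    if (len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER
            or any("-" in ln for ln in body)):
        raise ValueError("expected exactly one PEM certificate block")
    der = base64.b64decode("".join(body), validate=True)
    return hashlib.sha256(der).hexdigest()

def which_is_installed(installed_pem: str, generated: dict) -> list:
    """Labels of the generated certificates that match the installed one."""
    target = pem_fingerprint(installed_pem)
    return [name for name, pem in generated.items() if pem_fingerprint(pem) == target]

def served_fingerprint(host: str, port: int = 443) -> str:
    """Fingerprint of the certificate a visitor is shown (needs network access)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # inspection only: the certificate is read,
    ctx.verify_mode = ssl.CERT_NONE  # not trusted, so self-signed ones work too
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def _constructed_pem(payload: bytes, width: int = 64) -> str:
    b64 = base64.b64encode(payload).decode()
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "\n".join([PEM_HEADER, *rows, PEM_FOOTER]) + "\n"

# Constructed stand-in blobs, not real certificates: only the bytes matter here.
_ONE = b"constructed stand-in DER for certificate one " * 4
_TWO = b"constructed stand-in DER for certificate two " * 4
CLIENT_AREA = {"self-signed #1": _constructed_pem(_ONE),
               "self-signed #2": _constructed_pem(_TWO)}
# Certificate #2 as pasted from the control panel: indented, CRLF, re-wrapped.
CONTROL_PANEL = "  " + _constructed_pem(_TWO, 76).replace("\n", "\r\n  ")

if __name__ == "__main__":
    print(which_is_installed(CONTROL_PANEL, CLIENT_AREA))  # ['self-signed #2']
```

For a domain proxied through Cloudflare, `served_fingerprint` returns the fingerprint of Cloudflare's edge certificate, so it will match neither client-area entry; the installed origin certificate is only visible in the control panel text.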

Great, I think this counts as done!

Thanks again for the help.
