Cloudflare + SSL + vultr

Published 2 months ago by tiagomatosweb

Hi all,

Trying to manage SSL through these services. My Cloudflare is set to SSL Full. I have created the certificate as well as the private key. Then I added those via the Forge dashboard using "Install Existing Certificate". I've read this article https://medium.com/@taylorotwell/free-wildcard-ssl-using-forge-cloudflare-ab0ebfbf129f and it seems that's all we need, really?

After that, I checked the nginx config and it seemed to be missing all the SSL setup such as the certificate path, SSL port etc. Then I manually added those. Doesn't Forge do it for us automatically?

But I'm getting this error when accessing the site over SSL. Without SSL it's fine.

This site can’t be reached
staging.mydomain.com.au refused to connect.
Try:

Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED

Also, if I check the ssl on https://www.sslchecker.com/sslchecker it says "No certificates were found."

My nginx config:

# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/staging.mydomain.com.au/before/*;

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name staging.mydomain.com.au;
    root /home/forge/staging.mydomain.com.au/public;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/staging.mydomain.com.au/391714/server.crt;
    ssl_certificate_key /etc/nginx/ssl/staging.mydomain.com.au/391714/server.key;

    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    charset utf-8;

    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/staging.mydomain.com.au/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/staging.mydomain.com.au-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
}

# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/staging.mydomain.com.au/after/*;

Any idea? Cheers.
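The two symptoms above (ERR_CONNECTION_REFUSED in the browser and a checker finding no certificate) have different causes at the origin, and Cloudflare's proxy sits in the way of telling them apart. The following script is an added example, not code from this thread, Forge or Cloudflare: it connects straight to the origin's port 443 (by IP, with the site name as SNI) and reports whether TCP is refused, whether the TLS handshake fails, or which certificate is actually served. The hostname and IP in the usage comment are placeholders.

```python
# Added example (not from the thread, Forge or Cloudflare): probe an origin's
# HTTPS port directly and classify why the handshake does or does not succeed.
import hashlib
import socket
import ssl
from typing import Optional


def probe_origin(host: str, port: int = 443, sni: Optional[str] = None,
                 timeout: float = 5.0) -> dict:
    """Connect to host:port, attempt a TLS handshake and report the outcome.

    status values:
      refused          nothing accepts TCP on the port (no 'listen 443 ssl' in
                       the active nginx config, nginx not reloaded, or a firewall)
      timeout          no answer at all (typically a firewall dropping packets)
      handshake-failed connection accepted but TLS did not complete; 'reason'
                       is OpenSSL's code, e.g. WRONG_VERSION_NUMBER when the
                       port speaks plain HTTP
      ok               TLS established; 'sha256' is the leaf certificate's
                       fingerprint, to compare with the installed server.crt
                       (openssl x509 -noout -fingerprint -sha256 -in server.crt, minus colons)
    """
    ctx = ssl.create_default_context()
    # A Cloudflare origin certificate is not trusted by public CAs and we want to
    # see whatever the origin presents, so chain and hostname checks are off.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
                der = tls.getpeercert(binary_form=True) or b""
                return {"status": "ok", "protocol": tls.version(),
                        "cipher": tls.cipher()[0],
                        "sha256": hashlib.sha256(der).hexdigest()}
    except ConnectionRefusedError:
        return {"status": "refused"}
    except socket.timeout:
        return {"status": "timeout"}
    except ssl.SSLError as exc:
        return {"status": "handshake-failed", "reason": exc.reason or str(exc)}
    except OSError as exc:  # e.g. connection reset mid-handshake
        return {"status": "error", "reason": str(exc)}


if __name__ == "__main__":
    import sys
    # Usage (placeholder values): python probe_origin.py 203.0.113.10 staging.mydomain.com.au
    print(probe_origin(sys.argv[1], sni=sys.argv[2] if len(sys.argv) > 2 else None))
```

A "refused" result means the browser error is not about the certificate at all; an "ok" result whose fingerprint matches the installed server.crt means the origin side is fine and the problem lies between Cloudflare and the client.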

aurawindsurfing

Hi @tiagomatosweb,

OK, the good news is that you are overcomplicating things here. In Cloudflare choose Flex SSL, choose to always use HTTPS, and if not sure also mark to rewrite HTTP to HTTPS.

Wait for the certificate to be issued; sometimes it takes a while. Forge - do not touch anything, no need to configure SSL here. Nginx - do not touch anything either.

Hope it helps!

ejdelmonico

All you need to do is first get an SSL cert from Let's Encrypt through your Forge server administration panel. Once verification is complete and the cert is installed on the site, go to Cloudflare and move your DNS control to them as they state in the docs. Once it is complete, just select Full instead of Flex and you are good to go. However, you can't miss any of the steps or you will have to alter the process significantly. I have used this process for many sites already and it works great.

aurawindsurfing

@ejdelmonico one of the reasons Cloudflare is so great is that they actually take care of that process entirely, and the universal certificate (shared with other sites) is free and they will renew it for you.

All you have to do is choose the orange cloud in the DNS settings. I have tested it many times now for new and also existing sites.

One thing where it will not work is when you have subdomains; then you will have to get a custom certificate.

tiagomatosweb

@aurawindsurfing I'm using Full, not Flex.

@ejdelmonico I already have a certificate; that is why I am using "Install Existing Certificate".

I assume that when we use an existing certificate Forge does not update the nginx config with the certificate/key path, is that right?

ejdelmonico

That is correct. If you use your own cert then you will have to place the correct path in the nginx config and renew it when necessary. I tend to stay away from self-issued certs, but Cloudflare will accept those for Full.

tiagomatosweb

@ejdelmonico gotcha! I've chosen this way because on the Cloudflare side I've generated the certificate as well as the key. Is that not the correct way? Cheers
