Last Updated on July 11, 2022
A website is a medium for exchanging information over the internet, so in technical terms its two main requirements are speed and security. Besides loading quickly, the connection between the browser and the server must be encrypted so that sensitive data cannot be read in transit. That encryption is visible as the HTTPS protocol, backed by a valid SSL/TLS certificate.
The more sophisticated the security technology, the more complex it usually is to operate. This article therefore discusses the complications of using AutoSSL together with a CDN.
Your days pass with the server, the SSL certificate and the website all in their normal condition, until a notification lands in your inbox: your site's cPanel has sent an email about an SSL certificate that could not be renewed automatically.
The SSL certificate for “indowhiz.com” has not been renewed. You must take action to secure this site.
To upgrade to an EV or OV certificate, navigate to the “SSL/TLS Wizard” interface.
This is a serious problem, so what should we do? Before fixing it, here is a brief explanation of what probably happened, so that you can avoid the same problem in the future.
SSL certificate
SSL (Secure Sockets Layer) is a protocol that encrypts communication between a client browser and a web server.[1] It is used to keep sensitive data confidential, so that it cannot easily be stolen by third parties.
Its newer and safer successor is called TLS (Transport Layer Security). TLS uses the same kind of certificate as SSL, but the term "SSL" is still widely used because it is better known by the public. So when you buy or install a new "SSL certificate" today, what you actually get is a certificate used with the current version of TLS.[2]
If a site has an SSL certificate installed, its address can use HTTPS (and the browser shows a padlock icon next to the address). HTTPS (HyperText Transfer Protocol Secure) is therefore one sign that the site has a security layer through its SSL certificate. The certificate also carries public information such as the issuer, the website names it covers, and its expiration date. You can view this information by clicking the padlock icon in the browser address bar, as in Figure 1 above.[2]
Automatic renewal of SSL certificate
Commonly, starting 15-30 days before the certificate's validity period ends, cPanel's AutoSSL feature tries to obtain a replacement certificate automatically from the configured provider (for example Let's Encrypt, Comodo/Sectigo, or similar). If it cannot, or a technical error occurs, an email notification is sent to the site owner. When that happens, you have to renew the SSL certificate manually.
cPanel, AutoSSL, and CDN
On the AutoSSL status page in cPanel you can see whether an SSL certificate can be renewed automatically. When it cannot, the status changes to "The certificate will not renew via AutoSSL because it was not issued via AutoSSL".
You may think that you could manually "reissue" the SSL certificate, and that might work. If it does not, you may encounter another error message like the following:
There was a problem processing your request
- Error issuing certificate
- Failed to issue certificate
- Updating challenge for indowhiz.com: acme: error code 403 "urn:ietf:params:acme:error:unauthorized": Incorrect TXT record ....
So, what happened here?
When AutoSSL requests or renews a certificate, it first performs a local domain-control check. In simple terms, the public IP address that the domain name resolves to is compared with the IP address of the cPanel server.[3]
If you use a proxying CDN such as Cloudflare, however, the domain's public DNS records no longer point at your server; they point at IP addresses belonging to the CDN.
AutoSSL therefore cannot see the real IP address of your server behind the CDN. Because the addresses differ, the check fails and AutoSSL cannot validate or renew the certificate.
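As an added example (not part of the original article, of cPanel or of Cloudflare), the following shell script reproduces the check described above offline: it compares the addresses a domain resolves to with the origin server's address and reports whether a mismatching address belongs to a proxying CDN. The Cloudflare IPv4 ranges are an assumed snapshot of Cloudflare's published list (https://www.cloudflare.com/ips-v4/), and the hostname and IP values are illustrative; `dig` is only invoked when you run the script with a domain and a server IP as arguments.

```shell
#!/bin/sh
# Added example: pre-check for cPanel AutoSSL behind a proxying CDN.
# AutoSSL compares the addresses a domain resolves to with the server's own
# address; when the domain is proxied, DNS returns CDN edge addresses instead.
#
# Cloudflare IPv4 edge ranges (assumed snapshot of the published list at
# https://www.cloudflare.com/ips-v4/; refresh it before relying on it).
CLOUDFLARE_V4="173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22
141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20
197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13
104.24.0.0/14 172.64.0.0/13 131.0.72.0/22"

# Dotted-quad IPv4 -> unsigned integer, using only POSIX shell arithmetic.
ip4_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_cidr ADDRESS NETWORK/PREFIX: exit 0 when ADDRESS lies inside the block.
# Dividing by 2^(32-prefix) keeps only the network bits of both addresses.
in_cidr() {
    ip=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    host_bits=$(( 32 - ${2#*/} ))
    div=1
    while [ "$host_bits" -gt 0 ]; do
        div=$(( div * 2 )); host_bits=$(( host_bits - 1 ))
    done
    [ $(( ip / div )) -eq $(( net / div )) ]
}

# classify_ip ADDRESS: prints "cdn" for a Cloudflare edge address, else "origin".
classify_ip() {
    for cidr in $CLOUDFLARE_V4; do
        if in_cidr "$1" "$cidr"; then echo cdn; return 0; fi
    done
    echo origin
}

# dcv_precheck "RESOLVED_ADDRESSES" SERVER_ADDRESS
# Emulates AutoSSL's comparison: every address the public DNS returns for the
# domain must be the server's own address. Exit 0 when the check would pass.
dcv_precheck() {
    server=$2; verdict=0
    for ip in $1; do
        if [ "$ip" = "$server" ]; then
            echo "$ip: matches the server address, local check passes"
        else
            echo "$ip: $(classify_ip "$ip") address, differs from server $server"
            verdict=1
        fi
    done
    [ "$verdict" -eq 0 ] || echo "AutoSSL cannot validate: pause the proxy, use a CNAME setup, or install an origin certificate"
    return $verdict
}

# Live mode (needs dig): sh autossl_precheck.sh indowhiz.com 203.0.113.10
if [ $# -ge 2 ]; then
    resolved=$(dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' | tr '\n' ' ')
    dcv_precheck "$resolved" "$2"
fi
```

Run it with the domain and the server's public address as arguments; a proxied domain prints one "cdn address, differs from server" line per Cloudflare edge address, which is exactly the mismatch AutoSSL trips over.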
Resolve the AutoSSL and CDN problems
Before you start, back up your entire site!
Then choose one of the solutions below. Each has its pros and cons, so weigh them before deciding. TL;DR: see the Recommendation section.
Option 1: disable CDN and use AutoSSL
If you use the CDN only as a DNS manager, or you only serve local visitors, this can be a reasonable solution. Simply disable or pause the CDN you are currently using and run AutoSSL again.[4]
Pros:
- you can use AutoSSL to automatically renew SSL certificates from your SSL provider.
Cons:
- you lose the benefits provided by the CDN (content distribution, additional security, caching, minification, etc.);
- your own server resources have to handle all of your visitors.
Option 2: Deactivate the CDN when renewing the SSL certificate
If you use a proxying CDN like Cloudflare, which requires you to change your nameservers, this method can be used. Simply put: disable or pause the CDN, renew the SSL certificate, and re-enable the CDN once the renewal has finished.[4]
Pros:
- you can keep using your SSL provider from cPanel;
- creating the certificate is simple, just a few clicks.
Cons:
- AutoSSL cannot be enabled to renew the certificate automatically;
- this manual procedure has to be repeated a few days before every expiry (commonly, the certificate is only valid for 90 days).
Option 3: rely on encryption only from CDN to the browser
CDNs generally provide a free SSL certificate for the connection between the visitor's browser and the CDN edge, and visitors never contact your origin server directly. If your site does not process sensitive data (logins, user sessions, etc.), you could leave the connection between your server and the CDN unencrypted.[4]
If you use Cloudflare, go to the SSL/TLS settings and change the encryption mode to "Flexible", as seen in Figure 2.[4]
Pros:
- the simplest setting;
- no certificate needs to be installed on your server;
- data transfer between your server and the CDN is a little faster because it is not encrypted.
Cons:
- your site immediately loses HTTPS when the Cloudflare proxy is disabled (even temporarily);
- low security level, because the connection between your server and Cloudflare is unencrypted, so third parties on that path (ISPs, governments, etc.) may be able to read the data;[5]
- misconfigurations on your server can cause other problems such as mixed content, redirect loops, or an inaccessible site;[6]
- strongly not recommended if your site processes sensitive data (logins, user sessions, etc.).[7]
Option 4: Use the origin SSL certificate provided by CDN
Technically, this option is far better than the previous one, which only encrypts between the CDN and the visitor's browser: here the connection between your server and the CDN is encrypted as well. This option also fixes "Error 525: SSL handshake failed", which Cloudflare shows in Full or Full (strict) mode when it cannot complete a TLS handshake with your origin.
Simply put, you only need to install the certificate provided by the CDN on your server. To keep the explanation simple, the example here uses Cloudflare, whose free plan is the most widely used.[8]
Creating SSL certificate on CDN
The steps for creating an origin certificate in Cloudflare are:[9]
1. log in to the CDN dashboard, go to the SSL/TLS menu and select the Origin Server tab;
2. in the Origin Certificates section, click Create Certificate;
3. select RSA as your Private key type;
4. adjust the hostnames the certificate must cover (e.g. *.indowhiz.com and indowhiz.com);
5. select the validity period in the Certificate Validity section;
6. after completing the adjustments, click Next;
7. the CDN then displays the certificate; leave the Key format section at PEM (default);
8. important! copy and save the certificate and the private key shown by the CDN into two separate files (one as OriginCertificate.crt and the other as Privatekey.key);
9. after copying and saving both, click OK.
cPanel does not support ECC certificates, which is why I did not use ECDSA in step 3 above. It is up to you to try ECDSA in another web panel; if you get an error, you can come back to Cloudflare and create a new RSA certificate.
In step 4, note that the wildcard *.indowhiz.com does not cover sub-domains with more than one level, such as sub1.sub2.indowhiz.com, so make sure you write the hostname coverage correctly.
Also, in step 8, it is very important to copy and save the Private key, because after you click OK the CDN will never show it again. If you missed it or lose the Private key, you have to create a new certificate from the beginning.
SSL certificate installation on the origin server
After you have copies of the Origin Certificate and the Private key, install them on your hosting server. cPanel is used as the example here; other control panels (Plesk, CyberPanel, etc.) will look slightly different.
Three main steps are needed in cPanel: adding the Private key, adding the Origin Certificate, and installing the SSL certificate, as shown in Figure 4.
The steps to install the certificate on your server (cPanel) are:[10]
1. log in to cPanel, then open the SSL/TLS (or SSL Manager) menu;
2. choose Private Keys (KEY);
3. in the Upload a New Private Key section, paste the contents of the private key or upload the Privatekey.key file;
4. fill in the description field so the key is easy to recognise during installation later, then press Save;
5. return to the SSL/TLS (or SSL Manager) menu;
6. select Certificates (CRT);
7. in the Upload a New Certificate section, paste the contents of the Origin Certificate or upload the OriginCertificate.crt file;
8. fill in the description field again, then press Save;
9. return to the SSL/TLS (or SSL Manager) menu;
10. select Install and Manage SSL for your site (HTTPS);
11. in the Install an SSL Website section, click Browse Certificates;
12. select the origin certificate from the CDN you just added, then click Use Certificate (it is much easier to find if you wrote the descriptions in steps 4 and 8);
13. click Install Certificate.
Installation in other web panels may differ, but the basics are the same; read the respective panel's documentation on installing SSL certificates. Some panels also require the CDN's root certificate; Cloudflare provides it on its support page in the Origin CA root certificates section. If you have trouble, ask your hosting provider for assistance.
After installing the certificate on your website, don't forget to change the SSL/TLS encryption mode to Full (strict). This setting is in the Cloudflare SSL/TLS menu, as seen in Figure 3. Full (strict) is the correct mode once the Cloudflare origin certificate is installed: Cloudflare then verifies the certificate your origin presents, and because that certificate is issued by Cloudflare's own Origin CA the handshake succeeds and no "Error 525: SSL handshake failed" occurs. Do not switch to Full (strict) before the certificate is installed, or the handshake will fail with exactly that error.
Once done, check the result in your browser's address bar. If nothing seems to have changed, you may need to clear your browser cache.
Pros:
- the certificate is usually free;
- the validity period can be much longer than 90 days (Cloudflare offers origin certificates valid for up to 15 years);
Cons:
- some of the steps for creating and installing the certificate require technical knowledge;
- cPanel cannot verify the certificate and marks it as untrusted, because the Cloudflare Origin CA root is not in public trust stores; this is expected and not a problem, since only Cloudflare needs to trust it and browsers never see the origin certificate while the proxy is on;
- renewal is still manual and must be done a few days before the certificate expires.
Option 5: upgrade the CDN service plan
If cost is not a problem for you, you can upgrade to a higher CDN service plan (e.g. Cloudflare Business or Enterprise). That service level allows a CNAME setup, in which you keep your own DNS manager and point individual records at the CDN with CNAME records.[11]
Simply put, the domain can then be set up so that the IP address AutoSSL checks is no longer replaced by the CDN's address, and AutoSSL can validate and renew the certificates again.
Pros:
- you can use AutoSSL even with a CDN;
- you can keep using your SSL provider from cPanel;
- you get better CDN features from the higher service plan.
Cons:
- requires monthly operational costs for the CDN plan.
Recommendation
Technically, we recommend option 4 (use the origin SSL certificate provided by the CDN). Besides being free, its validity period is very long; you may well forget about AutoSSL altogether while using it. We hope that within a few years AutoSSL will be able to validate certificates even when a CDN is in use.
For companies, however, option 5 (upgrading the CDN service plan) is the preferred choice, bearing in mind that it requires an operating budget for the CDN service.
References
- [1] VeriSign, "Everything You Need to Know About SSL Certificates," VERISIGN. https://www.verisign.com/en_US/website-presence/online/ssl-certificates/index.xhtml (accessed Jul. 09, 2020).
- [2] DigiCert, "The Ultimate Guide: What is SSL, TLS and HTTPS?," DigiCert. https://www.websecurity.digicert.com/security-topics/what-is-ssl-tls-https (accessed Jul. 09, 2020).
- [3] cPanelMichael, "Answer on CloudFlare and AutoSSL," cPanel Forums, Nov. 21, 2017. https://forums.cpanel.net/threads/cloudflare-and-autossl.615115/#post-2500235 (accessed Jul. 09, 2020).
- [4] J. Lim, "cPanel AutoSSL and Cloudflare causing problems?," Caveena Solutions, Dec. 12, 2017. https://caveenasolutions.com/2017/12/cpanel-autossl-cloudflare-causing-problems/ (accessed Jul. 09, 2020).
- [5] jeffatrackaid, "Answer on 'Are there any disadvantages to Cloudflare's "Flexible SSL"?,'" Stack Exchange: Webmasters, Aug. 11, 2014. https://webmasters.stackexchange.com/questions/67930/are-there-any-disadvantages-to-cloudflare-s-flexible-ssl (accessed Jul. 09, 2020).
- [6] J. H. Dom, "Why flexible SSL mode is not the best choice," Cloudflare Community, Feb. 20, 2019. https://community.cloudflare.com/t/why-flexible-ssl-mode-is-not-the-best-choice/63531 (accessed Jul. 09, 2020).
- [7] J. H. Dom, "SSL/TLS app Settings," Cloudflare Community, Jan. 2019. https://community.cloudflare.com/t/ssl-tls-app-settings/53186 (accessed Jul. 09, 2020).
- [8] Datanyze, "Market Share Category: Content Delivery Networks," Datanyze, 2020. https://www.datanyze.com/market-share/cdn–10 (accessed Jul. 09, 2020).
- [9] Cloudflare, "Managing Cloudflare Origin CA certificates," Cloudflare Help Center, May 19, 2020. https://support.cloudflare.com/hc/en-us/articles/115000479507 (accessed Jul. 09, 2020).
- [10] Digital Candy, "Cloudflare origin CA free SSL installation guide on Godaddy," Digital Candy, Oct. 07, 2019. https://www.digitalcandy.agency/website-tips/cloudflare-origin-ca-free-ssl-installation-on-godaddy/ (accessed Jul. 09, 2020).
- [11] Hostragon, "cPanel AutoSSL and Cloudflare SSL," Hostragon: Knowledgebase. https://billing.hostragon.com/knowledgebase/158/cPanel-AutoSSL-and-Cloudflare-SSL.html?language=english (accessed Jul. 09, 2020).
Cover image by pikisuperstar on freepik