It looks like these days you can still do the exact same thing, but instead of Cloudflare renewing your cert every 1 year, they do it every 3 months...which is what happens when you just use NPM and Let's Encrypt in the standard way. It's nice to just have the one wildcard cert, though. By the way, this was a fantastic video, and you really did a great job thoroughly explaining how to do this in a way that is easy to follow, even though Cloudflare changed their UI substantially.
The disadvantage is that this does not work for the MX server. It would damage the reputation of the domain if it were to be associated with Cloudflare's IP addresses. MX is a very sensitive topic. From a data protection point of view, this is also questionable, as a supposedly encrypted TLS/SSL connection would be broken open again with a certificate from Cloudflare, personal telecommunications data would be processed in the USA or elsewhere and you would end up in a lot of trouble.
I just followed the instruction in the video and my Chrome says "Your connection is not private". Because the SSL certificate generated by Cloudflare for 15 years is not trusted :) This cannot be a replacement for the LetsEncrypt for me. In the video you said proxied or not doesn't matter but actually it does. When you enabled proxy, CF's trusted certificate generated for a year will be used automatically for your domain. If you disable it, NPM will use your custom certificate instead and you will get the untrusted certificate warning from the browser.
Hi friends! I need help and I've tried the forums. Maybe someone can help me here? My problem: I have the 15 year cert. It's in my npm. It has a wildcard support. I still can't get my www site to load. Or my vtt for my virtual tabletop games. Both work perfectly fine with the letsencrypt individual ssl but as soon as I use the cloud flare DNS challenge it seems to screw them up...I don't honestly know what I'm doing with networking, I've just found the right combination of programs and code that seems to display my websites as needed, lol. I currently have a proxmox ha cluster with npm cycling to whatever machine it needs to be on. When it catches traffic from my router to its static IP, it passes the traffic through to the server, which then says there's an SSL error. Tells me my cert from cloud flare, that I can inspect, and comes from cloud flare, is certainly self signed...
Wrote out a whole comment on how to do this for Plesk, don't know if it stuck. (of course not, right?) .... Just make sure before if youre doing this for Plesk you add both cert and key to the same file in NOTEPAD++ (not normal notepad, incase it forces it to be a text file) and save that as a .pem with file type from the menu being "All Files". Add then key to Plesk by clicking on SSL on your domain's dashboard (sort of like how you would if you were gonna add Let's Encrypt cert) but choose the middle options to upload a .pem file. Upload it and you should have basic working SSL. TLDR: add both the cert and key to the same .pem file when uploading to Plesk
Спасибо, дядька! Я 4 часа промучался! Просто тупанул на ровном месте! Случайно нашел на реддите ссылку на это видео. На Unraid в NPMPlus удалось это сделать тоже! Просто проверил все как у вас, поправил в настройках DNS CF защиту (включил) и все заработало! Это все от невнимательности и недостатка знания. Ещё раз спасибо вам!
For some reason when I get it all setup, I get an Error 522: Connection timed out. I have ports 80 and 443 port forwarded through my router and also allowed through my firewall. I've also followed the additional troubleshooting provided but still no success. I've also tried this with multiple services and have had not any luck. Any ideas?
I was looking to use this for my Fortigate Firewall to configure HTTPS for administrative access. Their setup requires that I create a .CER file for import rather than having a separate .key and .pem file. This sadly didn't work for me the way that you showed it as a result. However, the video was awesome and I think it was super helpful. Thank you. I think I'll research how to do the conversion from these file formats to .CER and see if it works for me.
Does the origin server certificate you generated on cloudflare renew automatically on nginx proxy manager or do you have to manually go through the steps you outlined in the video if you happen to remember after 15 years? Lol. Great video, I’m digging through this stuff recently and this helps!
This goes to origin cert only, so no external exposure. Most of the providers will allow you to use self-provisioned ones and you can make them last even longer. Still can't see the benefit in this use case.
This is a great way to have a cert in your NGINX proxy manager reverse proxy to connect to the domain in CloudFlare's DNS and not have to deal with possible Let's Encrypt SSL issues when proxying a domain in CloudFlare
Yeah but for examle i try to use cloudflare certificate for wordpress website, if web socket is not opened then i see ssl trust error. What’s the websocket and why needed? Looks like İt’s needed for wordpress because if i did not select then ssl is not working
In npm when creating a proxy host there the "scheme option" if i set it to https cloudflare stops connecting. It works if i set it to http. I have my ssl cert installed and set to force https. Will setting the scheme to http affect the ssl and security?
Hello , thank you for ur video , im using a normal certificate in my server , and i use also cloudflare , so i can remove this normal certificate and use cloudflare's and everything will work without even generating another certification on my local server ?
Im new to all this. My question is can I create one key and pem file and use it for every cname domain or do I need to generate a new one for each cname doman?
Does this method still works? I am not getting the browser to accept the SSL Cert of 15 years and get a warning everytime. Yes, I have nginx proxy manager and have followed this tutorial by the letter. Thanks for any feedback.
I am trying to use nginx with cloudflare and every time I change the HTTPS Port to other than the default 443 to something like 4433 it doesn't work. it only works on the default 443 port. Is there a solution for this
Hi David! great video!. I have followed the step one by one, but when I click save in add custum certificate, I see this error " Key files protected with a passphrase are not supported". Any ideas? thanks
I wouldn't advise using a 15 year SSL. This video just shows that you can create SSLs UP TO 15 years. Also, I don't use Swag. I prefer NGINX Proxy Manager.
Do you just reuse the same key/pem for each proxied host? Than just rename the certificate with a different name? Or do you create a new original cert for each proxy host?
You only need to do this for each domain. This will let you install ONE cert/pem file for all your subdomains on a single domain. The *.yourdomain.com and yourdomain.com covers any subdomain for the root domain.
Not sure if something changed, but when I do exactly this, it says my certificate is invalid, altough in the certificate tab in chrome it looks normal. And it says expiry is in 15 years, not 1 year like in the vid
Hello, Is there a way to firewall off everything apart from CloudFlare's IP's ? because your public direct IP is still open. Come to that, is there a easy to firewall for Docker/Portainer ? I've found UFW but it's ok but fiddly to use by the look of it. I've just come across Ajenti which has a firewall plugin I believe.
@@DBTechYT Ah ok, I was thinking of just allowing Cloudflare's IP's into NPM and block everything else going directly via it's public IP. I more or less do the same thing here on my proxmox server and allow only CF's IPs into 80 and 443 - (I use Pfsense) It seems to work ok and blocks my public IP into it. Other wise I can access the NPM 'working ok' page on port 80 if I connect on my public ip, I used Opera's VPN to test.
Im newb in devops. What the hell is proxy manager? Would there be a problem having cloudflare in front of VPS and having nginx setup to use these .pem and .key files by Cloudflare?
A proxy manager routes traffic on your server. Basically, ALL of your incoming internet traffic gets pointed to a reverse proxy. Then you configure your different domains and subdomains in the reverse proxy and it handles the routing of the traffic for you. If you didn't want to open ports 80 and 443 on your network, you could just use CloudFlare tunnels and eliminate the need for a reverse proxy entirely: th-cam.com/video/Q5dG8g4-Sx0/w-d-xo.html
@@DBTechYT I am aware I was trying both neither one was working. Luckily someone on your discord was gracious enough to help me and all is working now. My only issue now is no matter what I try I cannot get any of the proxy hosts to work on my cell data. 4G/5G every single person Ive asked to try including your discord user had the same error. SSL handshake failed. Do you have any ideas on this? Thanks for your awesome videos :D
Thanks David, excellent video. But do you happen to know why I got 526 error(ssl certificate didn’t pass validation.) if I put dns mode to Full(strict)? Thanks in advance
it took me a second to figure out what you meant by it dont matter if you us proxy or not then i was like o ya you had to turn it off when doing the other way but really you still want it to be on
Installing an SSL on your server encrypts the data between your server and CloudFlare. Then CloudFlare has an internet-side setup that encrypts the traffic to the rest of the world.
I didn't import anything other than what you saw in the video. Others have reported good results, so I'm guessing maybe you missed something along the way. Did you maybe mislable the .key and .pem files?
Thanks! Excellent video, I made everthing like you said but i'm getting the 522 error (connection timeout) but I can access with IP Address but now with domain... Can you help me?
@@DBTechYT ahh ok i forgot that! I have to do that in my router right? In my router I have Local and External and both with Start Port and End Port. So I have to point the IP of NGINX to port 80 and port 443?
Sooo... If you have a modem/router combo, you should be able to login there and forward those ports to your NGINX server IP. If you have a separate modem and router, you'll have to forward those ports from your modem to your router and THEN from your router to your NGINX server.
GENIOUS! The best solution I've came accross to this COMMON issue! Thanks dude!
It looks like these days you can still do the exact same thing, but instead of Cloudflare renewing your cert every 1 year, they do it every 3 months...which is what happens when you just use NPM and Let's Encrypt in the standard way. It's nice to just have the one wildcard cert, though.
By the way, this was a fantastic video, and you really did a great job thoroughly explaining how to do this in a way that is easy to follow, even though Cloudflare changed their UI substantially.
I get this error: upload failed:Certificate key is not valid.
Did you mix up your pem and key files?
Thanks for another great tutorial. I've created a custom 15-year cert and applied it! 👍
Fantastic!
Oh thank you so much. I've been going crazy getting internal errors trying to install ssl through nginx. This was so simple.
Glad it helped!
The disadvantage is that this does not work for the MX server. It would damage the reputation of the domain if it were to be associated with Cloudflare's IP addresses. MX is a very sensitive topic. From a data protection point of view, this is also questionable, as a supposedly encrypted TLS/SSL connection would be broken open again with a certificate from Cloudflare, personal telecommunications data would be processed in the USA or elsewhere and you would end up in a lot of trouble.
Thanks, completely changed from Let's Encrypt to CF certs to my setup. Works like a charm 🍻
I just followed the instruction in the video and my Chrome says "Your connection is not private". Because the SSL certificate generated by Cloudflare for 15 years is not trusted :) This cannot be a replacement for the LetsEncrypt for me. In the video you said proxied or not doesn't matter but actually it does. When you enabled proxy, CF's trusted certificate generated for a year will be used automatically for your domain. If you disable it, NPM will use your custom certificate instead and you will get the untrusted certificate warning from the browser.
Hi friends! I need help and I've tried the forums. Maybe someone can help me here?
My problem: I have the 15 year cert. It's in my npm. It has a wildcard support. I still can't get my www site to load. Or my vtt for my virtual tabletop games. Both work perfectly fine with the letsencrypt individual ssl but as soon as I use the cloud flare DNS challenge it seems to screw them up...I don't honestly know what I'm doing with networking, I've just found the right combination of programs and code that seems to display my websites as needed, lol. I currently have a proxmox ha cluster with npm cycling to whatever machine it needs to be on. When it catches traffic from my router to its static IP, it passes the traffic through to the server, which then says there's an SSL error. Tells me my cert from cloud flare, that I can inspect, and comes from cloud flare, is certainly self signed...
moving from lots of letsencrypt certs to a single free CF 15-year cert is not a bad way to start the day :)
Does not work for me.coudflare keeps saying Connection timed out Error code 522
Wrote out a whole comment on how to do this for Plesk, don't know if it stuck. (of course not, right?)
....
Just make sure before if youre doing this for Plesk you add both cert and key to the same file in NOTEPAD++ (not normal notepad, incase it forces it to be a text file) and save that as a .pem with file type from the menu being "All Files". Add then key to Plesk by clicking on SSL on your domain's dashboard (sort of like how you would if you were gonna add Let's Encrypt cert) but choose the middle options to upload a .pem file. Upload it and you should have basic working SSL.
TLDR: add both the cert and key to the same .pem file when uploading to Plesk
On Windows you can enable "show file extensions" and then delete the .txt from the file name and have the same end result.
Legend! i wanted to host my own server and your videos have helped out so much, new server up and running! thank you!
Glad I could help!
Ok so, how do I do this for my Apache2 Web server virtual hosts websites??
Спасибо, дядька! Я 4 часа промучался! Просто тупанул на ровном месте! Случайно нашел на реддите ссылку на это видео. На Unraid в NPMPlus удалось это сделать тоже! Просто проверил все как у вас, поправил в настройках DNS CF защиту (включил) и все заработало!
Это все от невнимательности и недостатка знания. Ещё раз спасибо вам!
Я очень рад, что это видео оказалось для вас полезным!
For some reason when I get it all setup, I get an Error 522: Connection timed out. I have ports 80 and 443 port forwarded through my router and also allowed through my firewall. I've also followed the additional troubleshooting provided but still no success. I've also tried this with multiple services and have had not any luck. Any ideas?
I was looking to use this for my Fortigate Firewall to configure HTTPS for administrative access. Their setup requires that I create a .CER file for import rather than having a separate .key and .pem file. This sadly didn't work for me the way that you showed it as a result. However, the video was awesome and I think it was super helpful. Thank you. I think I'll research how to do the conversion from these file formats to .CER and see if it works for me.
why not cloudflare tunnel, reviser proxy is better ?
Does the origin server certificate you generated on cloudflare renew automatically on nginx proxy manager or do you have to manually go through the steps you outlined in the video if you happen to remember after 15 years? Lol. Great video, I’m digging through this stuff recently and this helps!
This goes to origin cert only, so no external exposure. Most of the providers will allow you to use self-provisioned ones and you can make them last even longer.
Still can't see the benefit in this use case.
This is a great way to have a cert in your NGINX proxy manager reverse proxy to connect to the domain in CloudFlare's DNS and not have to deal with possible Let's Encrypt SSL issues when proxying a domain in CloudFlare
Hey man! This was really helpful. Thank you so much. ❤❤❤
Amazing work mate, Perfect
Thank you! Cheers!
Interesting that I get a certificate that is from R3 lets encrypt and not cloudflare on one of my domains, works on others. Very strange, any ideas?
Awesome! And thank you!
You bet!
This worked great! Thanks for the tip.
Looks like "Web Socket button is important" because if we dont select it then we are see certificate is not valid warning
I only use websocket on certain apps that need it.
Yeah but for examle i try to use cloudflare certificate for wordpress website, if web socket is not opened then i see ssl trust error. What’s the websocket and why needed? Looks like İt’s needed for wordpress because if i did not select then ssl is not working
Thanks for the video. It was very helpful.😀
In npm when creating a proxy host there the "scheme option" if i set it to https cloudflare stops connecting. It works if i set it to http. I have my ssl cert installed and set to force https. Will setting the scheme to http affect the ssl and security?
First comment 😘😘 thanks
🎉
Origin certificate vs using Edge certificate for proxy manager with DNS challenge?
Hello , thank you for ur video , im using a normal certificate in my server , and i use also cloudflare , so i can remove this normal certificate and use cloudflare's and everything will work without even generating another certification on my local server ?
Im new to all this. My question is can I create one key and pem file and use it for every cname domain or do I need to generate a new one for each cname doman?
Does this method still works? I am not getting the browser to accept the SSL Cert of 15 years and get a warning everytime. Yes, I have nginx proxy manager and have followed this tutorial by the letter. Thanks for any feedback.
It should. I've stopped using Nginx Proxy Manager and have just switched to CloudFlare tunnels for my remote access needs.
Do you know of any IT/pc-parts inventory web interface application in docker ????
I think Snipe-It may be what you're looking for: hub.docker.com/r/linuxserver/snipe-it
I am trying to use nginx with cloudflare and every time I change the HTTPS Port to other than the default 443 to something like 4433 it doesn't work. it only works on the default 443 port. Is there a solution for this
If you're going to change the ports to 4443, then your port line should look like this:
- 4443:443
Hi David! great video!. I have followed the step one by one, but when I click save in add custum certificate, I see this error " Key files protected with a passphrase are not supported". Any ideas? thanks
Why is your file password protected? I've never expereinced that.
@@DBTechYT dont know, when I upload mi pem and my .ley file to nginx custom certificate and click save, this message show up.
@@antoniorobles998 did you finnd the solution to this issue?
I tried using kemp and not worked :(
why would you use the same SSL certficate for 15 years, when you can automate the renewal using swag?
I wouldn't advise using a 15 year SSL. This video just shows that you can create SSLs UP TO 15 years. Also, I don't use Swag. I prefer NGINX Proxy Manager.
Do you just reuse the same key/pem for each proxied host? Than just rename the certificate with a different name? Or do you create a new original cert for each proxy host?
You only need to do this for each domain. This will let you install ONE cert/pem file for all your subdomains on a single domain. The *.yourdomain.com and yourdomain.com covers any subdomain for the root domain.
Not sure if something changed, but when I do exactly this, it says my certificate is invalid, altough in the certificate tab in chrome it looks normal. And it says expiry is in 15 years, not 1 year like in the vid
You may need to wait for things to propagate
Hello, Is there a way to firewall off everything apart from CloudFlare's IP's ? because your public direct IP is still open. Come to that, is there a easy to firewall for Docker/Portainer ? I've found UFW but it's ok but fiddly to use by the look of it. I've just come across Ajenti which has a firewall plugin I believe.
You don't want to do that. It'll prevent the rest of your internet from working properly
@@DBTechYT Ah ok, I was thinking of just allowing Cloudflare's IP's into NPM and block everything else going directly via it's public IP. I more or less do the same thing here on my proxmox server and allow only CF's IPs into 80 and 443 - (I use Pfsense) It seems to work ok and blocks my public IP into it. Other wise I can access the NPM 'working ok' page on port 80 if I connect on my public ip, I used Opera's VPN to test.
I followed the video but it still stays not secure and in the certificate it says windows does not have enough information to verify this certificate
Please try to open websocket support button on your host
Im newb in devops. What the hell is proxy manager? Would there be a problem having cloudflare in front of VPS and having nginx setup to use these .pem and .key files by Cloudflare?
A proxy manager routes traffic on your server. Basically, ALL of your incoming internet traffic gets pointed to a reverse proxy. Then you configure your different domains and subdomains in the reverse proxy and it handles the routing of the traffic for you. If you didn't want to open ports 80 and 443 on your network, you could just use CloudFlare tunnels and eliminate the need for a reverse proxy entirely: th-cam.com/video/Q5dG8g4-Sx0/w-d-xo.html
@DBTechYT Will watch video, thanks! Will be deploying my first VPS soon, lots of questions still :)
As i remember, apple devices can allow max 365 days for certificates am i right?
I have no idea. I only have 1 apple device in my house and it hasn't been charged in more than a year
I get internal error with lets encrypt and Secure Connection Failed with cloudflares ssl. What am I doing wrong?
You pick one or the other. If you use CloudFlare SSLs, don't use Let's Encrypt.
@@DBTechYT I am aware I was trying both neither one was working. Luckily someone on your discord was gracious enough to help me and all is working now. My only issue now is no matter what I try I cannot get any of the proxy hosts to work on my cell data. 4G/5G every single person Ive asked to try including your discord user had the same error. SSL handshake failed. Do you have any ideas on this? Thanks for your awesome videos :D
Thanks David, excellent video. But do you happen to know why I got 526 error(ssl certificate didn’t pass validation.) if I put dns mode to Full(strict)? Thanks in advance
FYI: I have a FireWall setup as DMZ on router, do you think this might be the issue?
Thank you this helped me lot
it took me a second to figure out what you meant by it dont matter if you us proxy or not then i was like o ya you had to turn it off when doing the other way but really you still want it to be on
I thought this only encrypted cloud flare to server (not to the browser)
Installing an SSL on your server encrypts the data between your server and CloudFlare. Then CloudFlare has an internet-side setup that encrypts the traffic to the rest of the world.
Like ever great useful and easy to implement in our Nas
Thanks from Spain
Glad it was helpful!
I tried it but did not work for me . it say certificate authority not valid . did you import any certificate into your browser ?
I didn't import anything other than what you saw in the video. Others have reported good results, so I'm guessing maybe you missed something along the way. Did you maybe mislable the .key and .pem files?
@@DBTechYT i got this error : SEC_ERROR_UNKNOWN-ISSUER. Thanks. I will try it again on fresh install.
@@umarjamil8512 Try to open Web Socket support on your host
@@okanerdem Bro fixed it . on cloudflare your records should be on proxy not dns. That fix my issue.
@@umarjamil8512 Thx for the information. I'll try. Just changed like proxy right?
Thanks! Excellent video, I made everthing like you said but i'm getting the 522 error (connection timeout) but I can access with IP Address but now with domain... Can you help me?
Do you have ports 80 and 443 forwarded to your NGINX Proxy Manager?
@@DBTechYT ahh ok i forgot that! I have to do that in my router right? In my router I have Local and External and both with Start Port and End Port. So I have to point the IP of NGINX to port 80 and port 443?
Sooo... If you have a modem/router combo, you should be able to login there and forward those ports to your NGINX server IP. If you have a separate modem and router, you'll have to forward those ports from your modem to your router and THEN from your router to your NGINX server.
@@DBTechYT I have modern modem/router but I don't understand I foward port 80 and 443 to what port? Sorry for the question i'm a beginner :P
You don't forward it to a port. You forward it to an IP address. Google "port forwarding on "
Thank you!
I get error 526 when I do this
As I've told others over the past few years, please watch this video and then get back to me: th-cam.com/video/2mdoHQlZu8M/w-d-xo.html
Wait WAHT ?
15 YEARS ?
My Raspberry Pi will die sooner then SSL expires LOL :)
LOL yeah. I didn't say it was a good idea, just that you COULD do if if you wanted