Cloudflare Origin SSL certificate

How to Configure Cloudflare Origin CA for Apache

Last updated on

Author DevAnswers.coCategories Uncategorized

Cloudflare Origin CA provides a secure SSL connection between your server (“origin”) and Cloudflare. In this article we will configure an Origin cert for Apache on Ubuntu.

1. Generate Cert and Private Key

Log in to Cloudflare and navigate to the Crypto page.

Scroll down to Origin Certificates and click Create Certificate.

Cloudflare Origin certificate

In Origin Certificate Installation, the defaults should be Private Key Type: RSA with 15 years validity. Click Next.

Cloudflare Origin certificate

In the next screen, the Key format should be PEM (default) and Web Server for Installation: Apache httpd.

Copy your Origin Certificate and Private Key to a text editor for later. We will need to paste these into Linux.

Finally, click OK to close.

Cloudflare Origin certificate

 2. Copy Cert and Key to Server

Create a new directory where our Cert and Key will reside.

sudo mkdir -p /etc/cloudflare/

Using nano text editor, create a new file example.com.pem (where example.com is your own domain).

sudo nano /etc/cloudflare/example.com.pem

Now paste in your Origin Certificate from Cloudflare.  Save file and exit. (Press CTRL + X, press Y and then press ENTER)

Create a new file example.com.key (where example.com is your own domain).

sudo nano /etc/cloudflare/example.com.key

Paste in your Private Key from Cloudflare.  Save file and exit. (Press CTRL + X, press Y and then press ENTER)

3. Configure Apache

Open the Apache configuration file for your domain. This is usually located in /etc/apache2/sites-available/.

sudo nano /etc/apache2/sites-available/example.com.conf

There should already be a block for <VirtualHost *:80>. You need to add a new block underneath it for SSL port 443.

Below is an example.

/etc/apache2/sites-available/example.com.conf
<VirtualHost *:80>

    ServerAdmin [email protected]
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =example.com [OR]
    RewriteCond %{SERVER_NAME} =www.example.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

</VirtualHost>

<VirtualHost *:443>

    ServerAdmin [email protected]
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLCertificateFile /etc/cloudflare/example.com.pem
    SSLCertificateKeyFile /etc/cloudflare/example.com.key

</VirtualHost>

Save file and exit. (Press CTRL + X, press Y and then press ENTER)

Test the configuration syntax for errors.

apachectl configtest

You can ignore any errors that say Could not reliably determine the server’s fully qualified domain name

If you see Syntax OK, restart Apache.

sudo systemctl restart apache2

Note, it can take 5 or 10 minutes for Cloudflare to deploy certs.

Make sure that SSL in Cloudflare is set to Full (Strict).

Let me know in the comments if this helped. Follow me @DevAnswers or read more.

1 Star2 Stars3 Stars4 Stars5 Stars 5.00 (1 votes)

Feedback

Your email address will not be published. Required fields are marked *

We use Markdown to style comments, like on Github and Reddit.
To do a line break, type two spaces after the sentence.
You can add inline code by wrapping it in backticks: `code here` 

    To do an entire block of code  
    type four spaces before the line
    and it will appear in a block like this.
    <-- four empty spaces