Help me, please! My site is still insecure because I don't have a valid certificate on my server

I was told by someone in the Cloudflare forum that my site is still insecure as I have no valid certificate on my server and an insecure legacy encryption mode on Cloudflare, and that the latter should be changed to Full Strict.

I followed the steps as best I could.

  1. I changed the encryption mode to Full Strict.

  2. I copied the contents of Origin CA Certificate and Private Key and pasted them into Wordpad.

  3. I listed the hostnames (including wildcards) the certificate should protect with SSL encryption.

  4. I then uploaded those files to the folder on InfinityFree.

To get there, I click on the “Home” tab and then click on “File Manager.” This takes me to Monsta FTP. Then I clicked the folder containing the files to my website and uploaded the Origin CA Certificate and Private Key files there.

After step 4, I got confused.

But I’m still having problems. My website is showing the “Not Secure” notice again. It could be that I did not configure the certificate. Can someone explain to me how that is done, please?

To install an SSL certificate it’s not a matter of uploading files onto your domain’s htdocs folder; you’ll have to copy the private key and the certificate and paste them into the relevant fields in the “SSL/TLS” section of the Control Panel for your domain (and you’ll also be better off removing those files from your domain’s htdocs folder, because the private key should be private anyway). But if you proceed to install the Origin CA Certificate from Cloudflare it won’t let you install it because we apply additional validation on SSL certificates; so you’ll be better off using our “Free SSL Certificates” tool to generate a self-signed SSL certificate and set Cloudflare’s SSL option to “Full”. Here’s an article to help you do that:

Afterwards, you can re-enable the proxy for all the records of your domain through Cloudflare (as right now they’re set to DNS only) by editing the record and setting that grey cloud to orange and that should be it!


Hi JxstErg1,

It appears that I already have an SSL Certificate in draft, with the provider known as “Let’s Encrypt.” How do I get it out of draft? Find out from “Let’s Encrypt?” See image below.

Also, what files did you say should be removed from the htdocs folder? Was it the Origin CA Certificate and the Private Key files? Do I also need to remove the Hostnames file as well?

Yes, as @JxstErg1 said, this isn’t how things work.
And it looks like you are uploading .docx files. Even if you need those files, these kinds of files will never work as they aren’t even plain text!

Open it and you’ll see something like “Install CNAME records automatically”. Hit it to install the CNAME records. If it doesn’t work, follow this guide to install them manually:


So, it would be better to simply use a plain text file, such as with Notepad? Right?

That’s not what I mean…
I said “even if”, so that means you don’t upload these files to FTP.
Please follow the instructions and the link I gave you to install the CNAME records.


Now, I’m getting confused. Do I keep those files or discard them?

Just discard them. Don’t put them on the server, as they can be used by hackers.

1 Like
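A defender-side check for the situation discussed above, where a private key pasted into a document was uploaded to the site's web folder. This is an added example, not part of the original thread and not InfinityFree or Cloudflare tooling; the file names and sample web root are constructed, and matching on the PEM marker (including inside `.docx` files, which are zip archives) is a heuristic.

```python
from __future__ import annotations
import io
import tempfile
import zipfile
from pathlib import Path

# Every PEM private-key header (RSA, EC, PKCS#8, ...) ends with this marker.
MARKER = b"PRIVATE KEY-----"

def contains_key(data: bytes) -> bool:
    """True if the raw bytes, or any member of a zip container such as .docx, hold a key marker."""
    if MARKER in data:
        return True
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(MARKER in zf.read(name) for name in zf.namelist())
    return False

def find_exposed_keys(web_root: Path) -> list[str]:
    """Return sorted relative paths of files under web_root that contain a private key."""
    hits = []
    for path in web_root.rglob("*"):
        if path.is_file() and contains_key(path.read_bytes()):
            hits.append(path.relative_to(web_root).as_posix())
    return sorted(hits)

def build_sample_root(root: Path) -> None:
    """Constructed sample web root; key and certificate bodies are placeholders."""
    fake_key = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n"
    fake_cert = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER\n-----END CERTIFICATE-----\n"
    (root / "index.html").write_text("<h1>hello</h1>")
    (root / "origin-cert.pem").write_text(fake_cert)  # certificate is public, not flagged
    (root / "private-key.txt").write_text(fake_key)
    # A word-processor document is a compressed zip; the pasted text sits in word/document.xml.
    with zipfile.ZipFile(root / "Private Key.docx", "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", f"<w:t>{fake_key}</w:t>")

def demo() -> list[str]:
    """Build the constructed web root in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_root(root)
        return find_exposed_keys(root)

if __name__ == "__main__":
    for hit in demo():
        print("private key exposed in web root:", hit)
```

Any file the scan reports should be deleted from the web folder, and the key it contained should be treated as disclosed and replaced.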

Okay. I’ve deleted the Origin CA Certificate, Private Key, and Hostname files from the server. See image below.

1 Like

Please tell me if I have this set up right before I click “Save” on the Cloudflare page.

In the top image, the “Source” and the “Destination” are the only information that should be copied from this page.

In the second image, in the box under “Name (required),” is where I paste in the “Source.” And in the box under “Target (required)” is where I paste in the “Destination,” and it needs to be set to “DNS” only. So the Proxy status settings must be set to the off position.

I have the “Type” set to CNAME. “TTL” is set to Auto.

Please confirm whether or not I have this set up correctly.

That’s right! Now save it and wait a while for DNS propagation.


Okay. I added the CNAME Records to Cloudflare’s DNS, but my website is still unsecured. My free SSL Certificate that was issued by InfinityFree is still in draft and there is no link or button I can click that will get it out of draft. Should I simply delete it and click “Free SSL Certificates” to get a new free certificate?

Open that to see whether the CNAME is set up. If it still says Not ready then you could try using another SSL provider (such as Google Trust).

To me, the Let’s Encrypt integration is a bit nasty these days… Sometimes it stays in draft forever.
Again, you could try to switch to other providers.


Open what?

Open the certificate in draft in the “Free SSL Certificates” tool in the Client Area, which is your domain’s certificate. It should already say that the records are ready, because Cloudflare propagates them really quickly, but if it doesn’t, just wait an hour or so and go there again. After you see that the DNS records are ready, scroll down and there is a “Request Certificate” button.

1 Like

Look at the images below. I believe this is what you and Frank419 were referring to. I saw the “Ready” and “Request Certificate” buttons and clicked the “Request Certificate” button.

In the second image, it says: “Your certificate has been requested and will be available shortly!”

Now just wait and refresh the page if needed.

1 Like

Okay. It seems that the free SSL Certificate has been issued. I’m going to go ahead and have it installed automatically by clicking “Install SSL Certificate Automatically.” Then in Step 6, I have to make sure my website is using HTTPS, and then force all visitors to use it. Click and expand web capture image below.

In the second web capture image, a message in green says: “The SSL certificate has been installed! It may take up to 15 minutes for it to become active.”

That’s it for now! After the SSL is working (it’ll take a while for it to be working), you can use Cloudflare’s “Always Use HTTPS” option to force visitors to HTTPS and also set the SSL option to “Full (strict)” as if you were using a Cloudflare Origin CA certificate, as Let’s Encrypt certificates are from a valid issuer for Cloudflare. On your side you might also need to flush browser cache and DNS cache for it to be working.


Thank you for all your assistance.