SSLFORFREE and Cloudflare Domain Certificate not Working

I’ve got a domain which I got from somewhere else and transferred to Cloudflare. I’ve set up all the proper forwarding records, and I’ve activated Cloudflare’s built in free certificate. This forces all my traffic successfully to HTTPS.

However, my InfinityFree hosting server still holds the self signed certificate. I have generated a private key & CSR from the InfinityFree CPANEL and used that to successfully generate my final certificate from SSLFORFREE (using Cloudflare to verify the domain TXT records).

So what am I missing? I have not found a way to reach out to management or any moderators.
Any help would be greatly appreciated!

My site is

Thank you in advance IF community
(I’ve read through all documents on this site about these issues)

I’m currently seeing this

if there is something else in your browser:

Please note that changing SSL certificates can take a few days to take effect. Browsers (notably Google Chrome) tend to cache SSL certificates, so your browser may still show errors long after the valid SSL certificate has been installed.

You can verify this by checking your website in Private Browsing mode (which circumvents caches) or by using a third party SSL checker service.

If the SSL checkers say your SSL certificate is valid, but you still don’t see a green lock, you need to wait for your browser’s cache to expire.

I understand that my Cloudflare SSL certificate is valid, but shouldn’t I also have a certificate for from SSLFORFREE that is valid?

If you’re using Cloudflare, then Cloudflare already provides you with a valid SSL certificate. You don’t need an extra SSL certificate when you’re using Cloudflare, and Cloudflare doesn’t let you upload custom certificates unless you have a very expensive plan.

Great information @Admin ! Thank you. So, from a security perspective, Cloudflare will blindly trust a site with an invalid SSL certificate and give them a valid one for free?

Doesn’t this make Cloudflare’s certificates untrustworthy?
(question has been solved)

Yes, that’s a good observation!

Cloudflare doesn’t exactly “blindly trust” sites. They still require the site to point to their servers first, which means Cloudflare verifies the website owner just as well as Let’s Encrypt does.

But if someone changes the backend IP address, or somehow intercepts the connection and serves another SSL certficate, there is no way to tell for a website visitor.

That said, this behavior is configurable with Cloudflare. But the default mode is Flexible, which means the connection between Cloudflare and the backend server is completely unprotected. Having it use any SSL certificate, or use only valid SSL certificates, needs to be configured manually.

Having a site secured by Cloudflare is better than having no security at all, but you can never be sure that the connection to the website is fully secure along the way. So it does make Cloudflare sites less trustworthy. But very few people ever pay attention to the certificate.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.