Free Wildcard SSL Using Forge + Cloudflare

Securing sites with SSL used to be a headache. In the last few years, however, it has become far easier (and cheaper) to secure your site. Forge has always supported installing SSL certificates easily, and even offers integration with Let's Encrypt to install free SSL certificates.

However, I personally prefer to use Cloudflare, another service that offers free SSL certificates, as well as a variety of other free and paid services that are useful for web developers. I prefer Cloudflare because:

  • Cloudflare doesn’t require any renewal process to ever run on my server. Let's Encrypt renewals must run on my server at least every 3 months, and that’s just one more thing that sometimes can (and does) go wrong.
  • Cloudflare supports wildcard sub-domains.

Creating The Site

First, create a site with your desired domain in Laravel Forge:

This will create the proper Nginx configuration needed to serve this site as well as place a standard PHP information page in the site’s directory. Once the site has been created, you can install a Git repository:

Once the repository is installed, it’s time to configure Cloudflare.

Configuring Cloudflare

Of course, before continuing you will need a Cloudflare account and a domain name you want to manage on Cloudflare. In addition to managing your SSL, Cloudflare will also be the place you manage the DNS records for your site, so you will need to change your domain’s nameserver records so that they point at Cloudflare’s nameservers:

Once you have done this, add A records for your domain in Cloudflare’s DNS manager. The A records should point to your Forge server’s IP address. For this example, I am going to add a root A entry as well as an entry for the “www” subdomain:

Once the DNS has been configured, you may enable SSL on Cloudflare’s “Crypto” tab. First, let’s set the SSL option to “Flexible”:

Once the certificate is active, you should be able to navigate to your domain and see a green lock in your browser indicating the request was secured. Great! Next, let’s talk about a few caveats and things you should know.

Configuring Full Encryption

Cloudflare’s “Flexible” SSL mode will get you a green lock in your browser; however, traffic between Cloudflare and your server is still unencrypted. The only encrypted part of the request is the segment between your user’s browser and Cloudflare’s servers. In order to encrypt the entire request cycle, we can use Cloudflare’s “Full” encryption mode.

First, click the “Create Certificate” button in the “Origin Certificates” section of Cloudflare’s “Crypto” tab. The default options on the resulting modal window should be sufficient:

After clicking “Next”, you will be presented with two large text blocks: one for the private key and one for the certificate. Copy both of these text blocks and head back over to Forge.

In Forge, we will install this certificate and key using the “Install Existing Certificate” option under the “SSL” tab of Forge’s site management panel:

Once the certificate is installed and activated in Laravel Forge, you should activate the “Full” SSL mode on Cloudflare’s “Crypto” tab:

Now your requests are fully encrypted all the way to your server! Origin certificates generated by Cloudflare are valid for 15 years, and may easily be re-issued via the Cloudflare dashboard.
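The green lock only tells you that the browser-to-Cloudflare leg is encrypted, and Cloudflare's “Full” mode accepts whatever certificate the origin presents without validating it (only “Full (strict)” validates it), so neither step above confirms that the origin certificate you installed in Forge is the one actually being served. The following added example, which is not code from the original post, Forge or Cloudflare, is a check for that: it connects straight to the origin server's IP (bypassing Cloudflare), sends the site hostname via SNI, verifies the chain against the Cloudflare Origin CA root certificate you download from Cloudflare and pass as a file, and then checks that the certificate's names cover the hostname (including the wildcard rules the post relies on) and that it is inside its validity window with some margin. Assumptions: the sample certificate dictionary is constructed to mirror what Python's `getpeercert()` returns, the “Origin” substring check on the issuer is a heuristic, and the command-line arguments are placeholders.

```python
"""Direct-to-origin TLS check for a Forge site fronted by Cloudflare.

Added example, not code from the original post, Forge or Cloudflare. It bypasses
Cloudflare by connecting to the origin IP directly, verifies the chain against
the Cloudflare Origin CA root you supply, and then inspects the certificate.
"""
from __future__ import annotations

import socket
import ssl
import sys
import time


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match a hostname against one certificate name.

    A wildcard covers exactly one label and only in the leftmost position, so
    '*.example.com' matches 'www.example.com' but neither 'example.com' nor
    'a.b.example.com'. Comparison is case-insensitive and ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return len(p_labels) == len(h_labels) and h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def _rdn_value(rdns, attr: str) -> str:
    """Pull one attribute (e.g. 'commonName') out of a getpeercert() subject/issuer tuple."""
    for rdn in rdns:
        for key, value in rdn:
            if key == attr:
                return value
    return ""


def cert_names(cert: dict) -> list[str]:
    """DNS names the certificate is valid for: SAN entries first, subject CN only as a fallback."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = _rdn_value(cert.get("subject", ()), "commonName")
        if cn:
            names.append(cn)
    return names


def check_origin_cert(cert: dict, hostname: str, now_ts: float | None = None, min_days: int = 30) -> list[str]:
    """Return a list of problems with the presented certificate; an empty list means it looks right.

    now_ts is a POSIX timestamp (defaults to the current time) so the check is reproducible.
    """
    problems: list[str] = []
    now_ts = time.time() if now_ts is None else now_ts
    names = cert_names(cert)
    if not any(hostname_matches(name, hostname) for name in names):
        problems.append(f"no certificate name covers {hostname}: {names}")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now_ts < not_before:
        problems.append(f"certificate is not valid yet (notBefore {cert['notBefore']})")
    days_left = (not_after - now_ts) / 86400
    if days_left < min_days:
        problems.append(f"certificate expires in {days_left:.0f} days ({cert['notAfter']})")
    # Heuristic only (assumption): Cloudflare's origin CA names contain "Origin". The real
    # guarantee is the chain verification against the supplied root in fetch_origin_cert.
    if "origin" not in _rdn_value(cert.get("issuer", ()), "commonName").lower():
        problems.append("issuer does not look like the Cloudflare Origin CA")
    return problems


def fetch_origin_cert(origin_ip: str, hostname: str, cafile: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to the origin IP directly (not through Cloudflare) with SNI set to hostname.

    Only the supplied Origin CA root is trusted; hostname matching is left to check_origin_cert
    so that the wildcard logic above is what decides.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # names are matched by check_origin_cert instead
    with socket.create_connection((origin_ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() layout, mirroring a 15-year origin certificate
# for example.com and its subdomains. Not captured from a real server.
SAMPLE_CERT = {
    "subject": ((("organizationName", "CloudFlare, Inc."),), (("commonName", "CloudFlare Origin Certificate"),)),
    "issuer": ((("organizationName", "CloudFlare, Inc."),), (("commonName", "CloudFlare Origin SSL Certificate Authority"),)),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2039 GMT",
}


if __name__ == "__main__":
    # Placeholder arguments: the origin's real IP (not a Cloudflare IP), the site hostname,
    # and the path where you saved the Cloudflare Origin CA root PEM.
    if len(sys.argv) != 4:
        sys.exit("usage: check_origin.py ORIGIN_IP HOSTNAME cloudflare_origin_ca.pem")
    origin_ip, hostname, cafile = sys.argv[1:]
    try:
        cert = fetch_origin_cert(origin_ip, hostname, cafile)
    except OSError as exc:  # ssl.SSLError is an OSError; covers refused connections too
        sys.exit(f"origin did not present a certificate chaining to the Origin CA: {exc}")
    problems = check_origin_cert(cert, hostname)
    print("OK: origin serves the expected certificate" if not problems else "\n".join(problems))
```

Run it against the origin's IP rather than the hostname, since the hostname resolves to Cloudflare once the nameservers have moved. While the site is still in “Flexible” mode the connection is refused or the chain fails to verify, which is exactly the unencrypted leg the “Full” section closes; after the origin certificate is installed in Forge it should report OK.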