Avoiding SSL Errors & Downtime with CloudFlare

Simon East (Yump)
Sep 2, 2016 · 3 min read

As a long-time, paid-up user and CloudFlare advocate, I’ve discovered several gotchas with the way that SSL certificates are issued on their platform. I’m posting this to hopefully assist others, and encourage CloudFlare to improve their interface, verification process and help documentation.

Here is a process that customers could very easily follow if they’re not careful:

  1. Sign up new CloudFlare account
  2. Add necessary DNS records and enable CloudFlare’s “orange cloud” for key domains
  3. Change nameservers to CloudFlare’s
  4. Traffic starts to flow via CloudFlare
  5. Once CloudFlare detects that you’re now using its nameservers, the SSL certificate is queued for generation/verification sometime over the next 2–24 hours (24 hours for free accounts, 2 hours for Pro). This delay is not completely obvious from the interface.
  6. Oops! Until that certificate is issued, CloudFlare’s edge has no certificate for your hostname, so every HTTPS visitor gets a browser security warning, completely breaking the site for users.

This is a significant issue that is far too easy to fall into. There are numerous forum posts around the web from people who have hit exactly this problem.

The workaround

If you want to avoid this issue then you need to either not send any traffic to HTTPS during this period (completely impractical for sites already using HTTPS), or not send any traffic via CloudFlare’s servers during this period. In practice, that means:

  1. Ensure your origin server currently has a publicly-valid SSL certificate (one a browser trusts, covering every hostname you intend to proxy)
  2. Sign up for CloudFlare account and setup DNS records
  3. Do NOT activate CloudFlare (the orange cloud button) on your domains yet
  4. Update your nameservers to CloudFlare’s
  5. Traffic will still flow directly to your origin as the nameservers propagate
  6. Wait the 2–24 hours until the Dashboard › Crypto section shows the label “Active Certificate”
  7. Then activate CloudFlare (the orange cloud button)
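Step 1 is the one that is easy to get wrong by eye, so here is a small pre-flight check. It is an added example and not code from the original post or from CloudFlare. It does what a browser does: it opens a TLS connection to a specific IP (so the origin can be tested directly, no matter what DNS currently says), sends the real hostname as SNI, and validates the chain, expiry and hostname against the system trust store. The hostnames and the origin IP at the bottom are hypothetical placeholders.

```python
"""Pre-flight TLS check before enabling CloudFlare's orange cloud.

Added example, not part of the original post. Checks that the origin
already presents a publicly-valid certificate for every hostname you
intend to proxy, by connecting to the origin IP directly with SNI set
to the real hostname. Hostnames and IP below are hypothetical.
"""
import socket
import ssl
from dataclasses import dataclass


@dataclass
class TlsResult:
    host: str
    ip: str
    ok: bool
    issuer: str = ""
    not_after: str = ""
    error: str = ""


def check_tls(host: str, ip: str, port: int = 443, timeout: float = 5.0) -> TlsResult:
    """Handshake with `ip` using SNI `host`; verify chain, expiry and hostname."""
    # create_default_context() turns on CERT_REQUIRED, hostname checking and
    # the platform CA bundle, i.e. the same policy a browser applies.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        # untrusted CA, expired certificate, or hostname not in the SAN list
        return TlsResult(host, ip, False, error=f"verification failed: {e.verify_message}")
    except ssl.SSLError as e:
        return TlsResult(host, ip, False, error=f"handshake failed: {e}")
    except OSError as e:
        return TlsResult(host, ip, False, error=f"connection failed: {e}")
    # getpeercert() returns the issuer as a tuple of RDNs, each a tuple of pairs
    issuer = dict(pair for rdn in cert.get("issuer", ()) for pair in rdn)
    return TlsResult(host, ip, True,
                     issuer=issuer.get("organizationName", "?"),
                     not_after=cert.get("notAfter", "?"))


def origin_preflight(hosts, origin_ip: str, port: int = 443) -> list:
    """Check every hostname you intend to orange-cloud against the origin IP."""
    return [check_tls(h, origin_ip, port) for h in hosts]


def blocking_failures(results) -> list:
    """Hostnames that would show a browser warning if traffic hit them now."""
    return [r.host for r in results if not r.ok]


def safe_to_enable_proxy(results) -> bool:
    """True only when at least one hostname was checked and all validated."""
    return bool(results) and not blocking_failures(results)


if __name__ == "__main__":
    # Hypothetical values: replace with your zone's hostnames and origin IP.
    HOSTS = ["www.example.com", "example.com", "api.example.com"]
    ORIGIN_IP = "203.0.113.10"  # documentation address (TEST-NET-3), not a real origin
    results = origin_preflight(HOSTS, ORIGIN_IP)
    for r in results:
        status = f"OK   issuer={r.issuer} expires={r.not_after}" if r.ok else f"FAIL {r.error}"
        print(f"{r.host:<22} via {r.ip}: {status}")
    if safe_to_enable_proxy(results):
        print("Origin presents a publicly-valid certificate for every hostname.")
    else:
        print("Do NOT enable the orange cloud yet:", ", ".join(blocking_failures(results)))
```

Run it before step 3 against the origin IP; a hostname mismatch, an expired certificate or a private CA all show up as “verification failed” rather than as a surprise for your users. The same function is useful after step 7: calling check_tls(host, socket.gethostbyname(host)) once the orange cloud is on confirms that the certificate CloudFlare’s edge now serves for that hostname validates too.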

Unfortunately there are sometimes cases where your origin does not yet have a publicly-valid SSL certificate (such as migrating from another CDN service, or moving a domain from another CloudFlare account). In these cases it can be a hassle to install an SSL cert on the origin, but until another validation process is available, this appears to be an unfortunate necessity.

Suggested improvements

Here are some things CloudFlare could do to improve this process and prevent customers falling into the same trap (hoping they’re listening):

  • On a new account, clearly show that an SSL certificate has not yet been generated (no badge appears at all currently)
  • Explain the 2–24 hour delays in the little “Help” drop-down
  • Perhaps warn users when attempting to click the orange cloud when an SSL certificate has not yet been generated, so that they realise the repercussions and potential down-time
  • Currently the SSL generation process doesn’t even begin until CloudFlare nameservers are in use. This is probably due to the way the validation of domain ownership works (a requirement for SSL certs). It would be great if there was an alternate method of validation, so you can prepare your account and SSL certificate prior to a nameserver switch.
