How to Configure Cloudflare Origin Certificate on a DigitalOcean Droplet

This guide shows you how to replace an existing Let's Encrypt SSL certificate with a Cloudflare Origin Certificate for securing the connection between Cloudflare and your origin server.

Note:
The Cloudflare Origin Certificate secures the connection from Cloudflare to your server only. Visitors will see Cloudflare’s edge certificate in their browser.

Step 1: Generate Your Cloudflare Origin Certificate

  1. Log in to Cloudflare Dashboard:
    Navigate to the SSL/TLS tab and select Origin Server.

  2. Create a Certificate:

    • Click Create Certificate.

    • Choose for Cloudflare to generate a private key and certificate signing request (CSR).

    • Enter your hostnames (e.g., example.com and www.example.com).

    • Set your desired certificate validity period.

    • Click Next and copy both the certificate and the private key.
      Tip: Save these securely on your local machine.

Step 2: Upload the Certificate and Private Key to Your Server

  1. SSH into your droplet: ssh root@your-server-ip

  2. Create a directory for your SSL files (if it doesn’t exist): sudo mkdir -p /etc/ssl/cloudflare

  3. Create the certificate file: sudo nano /etc/ssl/cloudflare/cloudflare-origin.pem

    • Paste your Cloudflare Origin Certificate into the file.

    • Save (Ctrl+O) and exit (Ctrl+X).

  4. Create the private key file: sudo nano /etc/ssl/cloudflare/cloudflare-origin.key

    • Paste your private key into the file.

    • Save and exit.

  5. Secure the private key: sudo chmod 600 /etc/ssl/cloudflare/cloudflare-origin.key

Step 3: Configure Apache to Use Your Cloudflare Origin Certificate

  1. Open your SSL VirtualHost configuration file:
    The active SSL vhost might be named something like example.com-le-ssl.conf under /etc/apache2/sites-available/. Edit it using: sudo nano /etc/apache2/sites-available/example.com-le-ssl.conf

  2. Modify the SSL directives:
    Replace the Let’s Encrypt paths with your Cloudflare files. Change this section:

      Include /etc/letsencrypt/options-ssl-apache.conf
      SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
      SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    to:

      SSLEngine on
      # Optionally, include your own SSL options (protocol and cipher settings), or leave it out
      # Include /path/to/your/ssl-options.conf
      SSLCertificateFile /etc/ssl/cloudflare/cloudflare-origin.pem
      SSLCertificateKeyFile /etc/ssl/cloudflare/cloudflare-origin.key

    The Let’s Encrypt options file you are removing is what contained "SSLEngine on" together with the protocol and cipher settings, so either keep the Include or add SSLEngine on yourself as shown; without it Apache serves plain HTTP on port 443 and Cloudflare cannot complete a TLS handshake with your origin.

    The full VirtualHost block may look like:

      <IfModule mod_ssl.c>
      <VirtualHost *:443>
          ServerName example.com
          ServerAlias www.example.com
          DocumentRoot /var/www/html

          <Directory /var/www/html>
              Options Indexes FollowSymLinks
              AllowOverride All
              Require all granted
          </Directory>

          ErrorLog ${APACHE_LOG_DIR}/example_error.log
          CustomLog ${APACHE_LOG_DIR}/example_access.log combined

          SSLEngine on
          SSLCertificateFile /etc/ssl/cloudflare/cloudflare-origin.pem
          SSLCertificateKeyFile /etc/ssl/cloudflare/cloudflare-origin.key
      </VirtualHost>
      </IfModule>

  3. Save the file (Ctrl+O, Enter) and exit (Ctrl+X).

Step 4: Disable the Let’s Encrypt SSL vhost (if needed)

Check your enabled sites:

ls /etc/apache2/sites-enabled/

If you see a file such as 000-default-le-ssl.conf, disable it:

sudo a2dissite 000-default-le-ssl.conf

Ensure your updated SSL vhost is enabled:

sudo a2ensite example.com-le-ssl.conf

Step 5: Reload Apache and Verify the Certificate

  1. Test the Apache configuration: sudo apachectl configtest
    You should see “Syntax OK.”

  2. Reload Apache: sudo systemctl reload apache2

  3. Clear Browser Cache:
    Sometimes old certificates are cached. Use an incognito window or clear your browser cache.

  4. Verify with OpenSSL (optional): openssl s_client -connect example.com:443 -servername example.com

    If example.com is already proxied through Cloudflare, this command reaches Cloudflare’s edge and shows the edge certificate (see the note above), not your origin certificate. To see what your origin actually presents, connect to your droplet’s IP address instead of example.com while keeping -servername example.com so Apache receives the hostname as SNI.

    Confirm that the certificate shown in the output is your Cloudflare Origin Certificate and not the old Let’s Encrypt one.
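As an added example that is not part of this guide, the script below performs the origin-side check from step 4 the way Cloudflare’s Full (Strict) mode does: it connects to the droplet’s IP directly with SNI, trusts only the Cloudflare Origin CA root, and then checks the issuer, the hostnames from Step 1 and the expiry date. The path in ORIGIN_CA_FILE is an assumption (download the Origin CA root from Cloudflare’s documentation and save it there).

```python
"""Verify the origin certificate a droplet presents, the way Full (Strict) does."""
import socket
import ssl
import time

# Assumption: the Cloudflare Origin CA root certificate (published in the Cloudflare
# docs) has been saved at this path; the hostnames are the ones entered in Step 1.
ORIGIN_CA_FILE = "/etc/ssl/cloudflare/origin_ca_root.pem"
HOSTNAMES = ("example.com", "www.example.com")

def san_matches(pattern, host):
    """Match one DNS SAN entry against a host: exact, or one-label wildcard (*.example.com)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return pattern == host

def check_origin_cert(cert, hostnames, now=None):
    """Return a list of problems with a getpeercert() dict; an empty list means it is fine."""
    now = time.time() if now is None else now
    problems = []
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    # Cloudflare's Origin CA certificates carry O=CloudFlare, Inc. in the issuer.
    if issuer.get("organizationName", "").lower() != "cloudflare, inc.":
        problems.append("issuer %r is not the Cloudflare Origin CA" % issuer.get("organizationName"))
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for host in hostnames:
        if not any(san_matches(san, host) for san in sans):
            problems.append("%s is not covered by SAN list %r" % (host, sans))
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after < now:
        problems.append("certificate expired on " + cert["notAfter"])
    elif not_after - now < 30 * 86400:
        problems.append("certificate expires within 30 days, on " + cert["notAfter"])
    return problems

def fetch_origin_cert(server_ip, sni_host=HOSTNAMES[0], port=443):
    """Handshake with the droplet's IP (not the proxied hostname), sending SNI and trusting
    only the Origin CA; a verification failure raises ssl.SSLError, as Full (Strict) would fail."""
    ctx = ssl.create_default_context(cafile=ORIGIN_CA_FILE)
    with socket.create_connection((server_ip, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    import sys  # usage: python3 check_origin.py <your-server-ip>
    problems = check_origin_cert(fetch_origin_cert(sys.argv[1]), HOSTNAMES)
    print("\n".join(problems) if problems else "OK: origin presents a valid Cloudflare Origin Certificate")
```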

Step 6: Update Cloudflare Settings

  1. Log in to the Cloudflare Dashboard.

  2. Set SSL/TLS Mode:
    Under the SSL/TLS tab, set the mode to Full (Strict) to ensure Cloudflare validates your origin certificate.

  3. Check DNS Records:
    Ensure your A records point to your droplet’s IP address and are proxied through Cloudflare (orange cloud). An unproxied record sends visitors straight to your origin, where their browsers would be shown the Origin Certificate, which only Cloudflare trusts, and they would get SSL errors.

Final Verification

Visit your website using HTTPS (e.g., https://example.com) and inspect the certificate details in your browser’s developer tools. Your browser shows Cloudflare’s edge certificate (see the note above); the connection between Cloudflare and your server is now secured using your Cloudflare Origin Certificate, which Cloudflare verifies in Full (Strict) mode.
