CloudFlare Origin CA on Raspberry Pi Apache
Immediately after reading CloudFlare’s blog post on the introduction of Origin CA, I tried it on my Raspberry Pi Apache. Read on for the details.
I had been using Let’s Encrypt SSL on my Pi 2 with automated renewals all worked out, so everything was fine for me, and CloudFlare’s Strict SSL mode was enabled. Then CloudFlare introduced the Origin CA feature and, eager to try it, I did so without much delay. Read more about CloudFlare Origin CA if you are not already familiar with it.
Creating the certificate and key
I followed the instructions on CloudFlare’s blog post and did the following:
- Let CloudFlare generate a private key and CSR.
- By default, *.leowkahman.com and leowkahman.com were already in the list of hostnames. I added two more entries to cover my other domain.
- I saved the certificate as cert.pem and the private key as privkey.pem, naming them to mirror how the Let’s Encrypt Python client names its files.
- I then copied these two files to my Raspberry Pi.
Configuring Raspberry Pi Apache 2
Add the following lines to your virtual host configuration (this assumes mod_ssl is already enabled):
SSLEngine on
SSLCertificateFile /your_full_path/cert.pem
SSLCertificateKeyFile /your_full_path/privkey.pem
Replace /your_full_path with the directory you copied the files to. The private key should be owned by root and readable only by root; Apache reads it before dropping privileges, so it needs nothing more.
Reload Apache configuration:
sudo service apache2 reload
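As an added example (not code from the original post), the steps above collected into one POSIX shell script that can be run on the Pi. It writes the vhost with the three directives from the post, confirms the certificate and key belong together before touching Apache, installs the key root-only, and reloads only if the configuration parses. The destination paths /etc/ssl/certs/cloudflare-origin.pem, /etc/ssl/private/cloudflare-origin.key, the vhost file origin-ssl.conf and the DocumentRoot are assumptions for illustration, not from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: install a CloudFlare Origin CA
# certificate and private key on a Debian/Raspbian Apache host, render the
# vhost with the three directives from the post, sanity-check the pair, and
# reload Apache only if the configuration parses.
# The destination paths, the vhost file name and the DocumentRoot below are
# assumptions for illustration; adjust them to your layout.
set -eu

CERT_DST=/etc/ssl/certs/cloudflare-origin.pem
KEY_DST=/etc/ssl/private/cloudflare-origin.key
VHOST_DST=/etc/apache2/sites-available/origin-ssl.conf

# Render a minimal HTTPS vhost: ServerName, DocumentRoot and the three SSL
# directives. Arguments: cert path, key path, server name, docroot, output file.
write_ssl_vhost() {
    cert="$1"; key="$2"; server_name="$3"; docroot="$4"; out="$5"
    cat > "$out" <<EOF
<VirtualHost *:443>
    ServerName ${server_name}
    DocumentRoot ${docroot}
    SSLEngine on
    SSLCertificateFile ${cert}
    SSLCertificateKeyFile ${key}
</VirtualHost>
EOF
}

# The private key must be readable by its owner only (Apache reads it as root
# before dropping privileges). Returns non-zero for group/world-readable keys.
key_perms_ok() {
    mode=$(stat -c '%a' "$1")
    [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# A certificate installed with the wrong key makes Apache refuse to start;
# compare the public key embedded in each before touching the server.
cert_matches_key() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey)
    kpub=$(openssl pkey -in "$2" -pubout)
    [ "$cpub" = "$kpub" ]
}

# Print who issued the certificate, when it expires, and which hostnames it
# covers, so a missing domain is caught before CloudFlare's strict mode is on.
show_cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

# Full install: take cert.pem and privkey.pem from the current directory (the
# file names used in the post), copy them into place, write the vhost, test,
# reload. Arguments: server name, document root.
install_origin_cert() {
    server_name="$1"; docroot="$2"
    cert_matches_key cert.pem privkey.pem || { echo "cert/key mismatch" >&2; return 1; }
    show_cert_summary cert.pem
    # tighten the working copy as well; scp often leaves it world-readable
    key_perms_ok privkey.pem || chmod 600 privkey.pem
    sudo install -o root -g root -m 644 cert.pem "$CERT_DST"
    sudo install -o root -g root -m 600 privkey.pem "$KEY_DST"
    tmp=$(mktemp)
    write_ssl_vhost "$CERT_DST" "$KEY_DST" "$server_name" "$docroot" "$tmp"
    sudo install -o root -g root -m 644 "$tmp" "$VHOST_DST"
    rm -f "$tmp"
    sudo a2ensite "$(basename "$VHOST_DST" .conf)"
    # configtest fails on a bad path or unreadable key; reload only when it passes
    sudo apachectl configtest && sudo service apache2 reload
}

# Usage: sh install-origin-cert.sh install leowkahman.com /var/www/html
if [ "${1:-}" = "install" ]; then
    install_origin_cert "$2" "$3"
fi
```

The script deliberately refuses to copy anything if the certificate and key do not share a public key, and it runs apachectl configtest before the reload so that a typo in a path leaves the running server untouched rather than taking the site down.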
Turn on CloudFlare Strict SSL
In the CloudFlare dashboard, go to Crypto > SSL and set the mode to Full (strict). Only in strict mode does CloudFlare validate the certificate presented by your origin, which is what an Origin CA certificate is for.
Your website should still work as before when reached through CloudFlare. :) Keep in mind that Origin CA certificates are trusted only by CloudFlare’s edge, not by browsers: a request that bypasses CloudFlare (straight to the origin IP, or with the proxy turned off for that DNS record) will get a certificate warning.
I attempted to automate the renewal process, but it seems CloudFlare does not have ARM packages:
W: Failed to fetch http://pkg.cloudflare.com/dist... Unable to find expected entry 'main/binary-armhf/Packages' in Release file (Wrong sources.list entry or malformed file)
E: Some index files failed to download. They have been ignored, or old ones used instead.
Nevertheless, they do issue extremely long-lived (up to 15 years) certificates. I guess the only justification to automate is to have short-term certificates, so that the effects of a compromised certificate are likely to be less damaging than those of a long-term one.
How does this compare to Let’s Encrypt?
I briefly tested on WebPagetest. I was surprised to see a marginally quicker TTFB than when I was using certificates from Let’s Encrypt. It looks like I will now be using CloudFlare’s Origin CA.