CloudFlare Origin CA on Raspberry Pi Apache

Immediately after reading CloudFlare's blog post announcing Origin CA, I tried it on the Apache server running on my Raspberry Pi. Read on for the details.

Introduction

I had been using Let's Encrypt certificates with automated renewals on my Pi 2, so everything was working for me and CloudFlare's Strict SSL mode was enabled. When CloudFlare introduced the Origin CA feature, I was eager to try it and did so without much delay. Read more about CloudFlare Origin CA if you are not already familiar with it.

Creating the certificate and key

I followed the instructions in CloudFlare's blog post and did the following:

  1. Let CloudFlare generate a private key and CSR.
  2. By default, *.leowkahman.com and leowkahman.com were already in the list of hostnames. I added two more entries to cover my other domain.
  3. I saved the certificate as cert.pem and the private key as privkey.pem, naming them to match the files the Let's Encrypt client produces.
  4. I then copied these two files to my Raspberry Pi.

Configuring Raspberry Pi Apache 2

The following lines must be added to your virtual host configuration (this assumes mod_ssl is already enabled):

SSLEngine on
SSLCertificateFile /your_full_path/cert.pem
SSLCertificateKeyFile /your_full_path/privkey.pem

Substitute your_full_path accordingly, of course.

Reload Apache configuration: sudo service apache2 reload

Turn on CloudFlare Strict SSL

In the CloudFlare dashboard, go to Crypto > SSL and set the mode to Full (strict).

Your website should still work as before. :) One caveat: Origin CA certificates are trusted only by CloudFlare's edge, not by browsers, so the site must keep going through CloudFlare (and ideally the Pi should only accept HTTPS connections from CloudFlare's IP ranges); anyone who reaches the Pi directly will see a certificate warning.
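To make the copy-and-configure steps above repeatable, here is an editor-added shell script for the Pi; it is not the author's script and not something CloudFlare ships. Since the Origin CA root is not in the system trust store, openssl verify is not a useful check, so the script instead verifies that cert.pem and privkey.pem actually belong together, that the certificate is not about to expire, and that a SAN covers the hostname being served, then installs both files with a root-only private key and only reloads Apache if the configuration parses. The script name, the /etc/ssl/cloudflare destination and the 30-day expiry window are assumptions; it assumes openssl, coreutils install and apache2ctl are present. Copy the key to the Pi over scp or another encrypted channel, not plain FTP.

```shell
#!/bin/sh
# install-origin-cert.sh (hypothetical name): sanity-check and install a
# CloudFlare Origin CA certificate and key on a Raspbian/Debian Apache 2 host.
# Editor-added example, not the author's script. Assumes openssl, coreutils
# install(1) and apache2ctl are present; the destination directory and the
# 30-day warning window are assumptions, not something the post prescribes.
set -eu

# Succeed only if the certificate's public key matches the private key.
# Catches the classic mistake of pairing cert.pem with the wrong privkey.pem.
cert_matches_key() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if the certificate is still valid $2 seconds from now.
# Useful from cron: even a 15-year Origin CA certificate expires eventually.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Succeed only if a DNS SAN in the certificate covers host $2, either exactly
# or via a wildcard on the same parent (www.example.com is covered by *.example.com).
cert_covers_host() {
    cert="$1"; host="$2"
    wild="*.${host#*.}"
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^[:space:]]*\).*/\1/p' \
        | grep -qixF -e "$host" -e "$wild"
}

# Run the three checks, then install with tight permissions: the certificate
# is public, the private key must be readable by root only.
install_origin_cert() {
    cert="$1"; key="$2"; host="$3"; dest="${4:-/etc/ssl/cloudflare}"
    cert_matches_key "$cert" "$key" || { echo "$key does not match $cert" >&2; return 1; }
    cert_valid_for "$cert" $((30 * 86400)) || { echo "$cert expires within 30 days" >&2; return 1; }
    cert_covers_host "$cert" "$host" || { echo "$cert does not cover $host" >&2; return 1; }
    install -d -m 0755 "$dest"
    install -m 0644 "$cert" "$dest/cert.pem"
    install -m 0600 "$key" "$dest/privkey.pem"
}

# Usage on the Pi, as root: sh install-origin-cert.sh cert.pem privkey.pem www.example.com
# Apache is only reloaded if the new configuration parses.
if [ "$#" -ge 3 ]; then
    install_origin_cert "$1" "$2" "$3"
    apache2ctl configtest && service apache2 reload
fi
```

Point SSLCertificateFile and SSLCertificateKeyFile at the installed copies under the destination directory; a weekly cron entry calling cert_valid_for against cert.pem with a generous window is a cheap substitute for the automated renewal the Pi cannot run.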

Automating renewal

I attempted to automate the renewal process, but it seems CloudFlare does not have ARM packages; apt reported:

W: Failed to fetch http://pkg.cloudflare.com/dist... Unable to find expected entry 'main/binary-armhf/Packages' in Release file (Wrong sources.list entry or malformed file)
E: Some index files failed to download. They have been ignored, or old ones used instead.

Nevertheless, they do issue extremely long-lived certificates (up to 15 years). I guess the only justification for automating is to use short-term certificates, so that the effects of a compromised certificate are likely to be less damaging than with a long-term one.

How does this compare to Let's Encrypt?

I briefly tested on WebPageTest. I was surprised to see a marginally quicker TTFB than when I was using certificates from Let's Encrypt. It looks like I will now be using CloudFlare's Origin CA.