Immediately after reading CloudFlare’s blog post on the introduction of Origin CA, I tried it on my Raspberry Pi Apache. Read on for the details.
I had been using Let’s Encrypt SSL, with automated renewals all worked out, on my Pi 2, so it was all good for me, and CloudFlare’s Strict SSL was enabled. CloudFlare then introduced the Origin CA feature and, eager to try it, I did so without much delay. Read more about CloudFlare Origin CA if you do not already know about it.
I followed the instructions on CloudFlare’s blog post and did the following:
Add the following lines to your virtual host configuration, with cert.pem and privkey.pem being the certificate and private key obtained from Origin CA (this assumes you have mod_ssl enabled):
SSLEngine on
SSLCertificateFile /your_full_path/cert.pem
SSLCertificateKeyFile /your_full_path/privkey.pem
Substitute your_full_path accordingly, of course, and keep privkey.pem readable only by root: Apache reads the key as root when it starts or reloads, so nothing else needs access to it.
Reload Apache configuration: sudo service apache2 reload
Under Crypto > SSL, set the SSL mode to strict.
Your website should still work as before. :)
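Before pointing Apache at the new files it is worth checking them: that the private key actually belongs to the certificate, that the certificate is currently valid, that it was issued by Origin CA rather than some leftover file, and how long it will stay valid. The shell script below is an added example, not code from the original post or from CloudFlare. It assumes openssl is installed, that the Origin CA certificate's issuer field contains the words "CloudFlare Origin", and that the certificate and key paths are passed as its two arguments; the two-year threshold for the long-lifetime warning is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an Origin CA
# certificate/key pair before Apache is reloaded with it.
# Assumptions: openssl is on PATH; the certificate's issuer names
# "CloudFlare Origin" (assumed string match); paths come from $1 and $2.

# 0 if the private key in $2 corresponds to the certificate in $1.
# Both sides are reduced to SubjectPublicKeyInfo PEM and compared, so the
# check works the same for RSA and ECDSA keys.
cert_key_match() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate has not expired yet.
cert_currently_valid() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

# 0 if the certificate will still be valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# 0 if the issuer looks like Cloudflare's Origin CA (assumed substring).
cert_issued_by_origin_ca() {
    openssl x509 -noout -issuer -in "$1" 2>/dev/null | grep -qi 'cloudflare origin'
}

# Run every check, print a short report, return 0 only if the pair is usable
# (key matches and certificate not expired). Issuer and lifetime only warn.
check_origin_cert() {
    cert=$1; key=$2; rc=0
    if cert_key_match "$cert" "$key"; then
        echo "OK   private key matches certificate"
    else
        echo "FAIL private key does not match certificate"; rc=1
    fi
    if cert_currently_valid "$cert"; then
        echo "OK   certificate is within its validity period"
    else
        echo "FAIL certificate has expired"; rc=1
    fi
    if cert_issued_by_origin_ca "$cert"; then
        echo "OK   issuer is CloudFlare Origin CA"
    else
        echo "WARN issuer is not CloudFlare Origin CA: $(openssl x509 -noout -issuer -in "$cert" 2>/dev/null)"
    fi
    # Origin CA can issue for up to 15 years; flag anything with more than
    # two years left so a long-lived key is at least a conscious choice.
    if cert_valid_for_days "$cert" 730; then
        echo "WARN more than 2 years of validity remain; a stolen key stays usable until expiry"
    fi
    return $rc
}

# Usage: ./check_origin_cert.sh /your_full_path/cert.pem /your_full_path/privkey.pem
if [ "$#" -eq 2 ]; then
    check_origin_cert "$1" "$2"
fi
```

Run it as root (the key should not be readable by anyone else) and only reload Apache once every line reads OK; the WARN about remaining validity is expected with Origin CA certificates and is there to make the lifetime visible rather than to block the deployment.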
I attempted to automate the renewal process but it seems CloudFlare does not have ARM packages.
W: Failed to fetch http://pkg.cloudflare.com/dist... Unable to find expected entry 'main/binary-armhf/Packages' in Release file (Wrong sources.list entry or malformed file)
E: Some index files failed to download. They have been ignored, or old ones used instead.
Nevertheless, they do issue certificates with extremely long lifetimes (up to 15 years). I guess the only justification to automate is to have short-term certificates, so that the effects of a compromised certificate are likely to be less damaging than with a long-term one.
I briefly tested on WebPageTest. I was surprised to see a marginally quicker TTFB than when I was using certificates from Let’s Encrypt. It looks like I will now be using CloudFlare’s Origin CA.