Cloudflare SSL for a VPS: A Practical Setup Without the Gotchas

By Greg Nowak. Last updated 2026-06-30.

Putting a VPS behind Cloudflare does not finish SSL by itself. It creates two separate TLS paths: the visitor-to-Cloudflare connection at the edge, and the Cloudflare-to-origin connection back to your VPS. The browser padlock only proves the first path is working. Your origin still needs the right certificate, SSL/TLS mode, redirect policy, and operating notes.

That distinction matters for business owners, operations leads, and agency teams. A weak setup can create redirect loops, broken forms, failed checkouts, confusing monitoring alerts, or a site that looks secure in the browser while the origin is not configured the way the team thinks it is. The work is not complicated, but the decisions should be deliberate.

Start with the right SSL mode

For most production VPS sites you control, use Full (strict). In this mode, Cloudflare connects to your origin over HTTPS and validates the origin certificate. Cloudflare expects the origin certificate to be unexpired, match the requested hostname, and be issued by either a publicly trusted certificate authority or Cloudflare Origin CA.

Avoid Flexible for a VPS you manage. Flexible encrypts traffic between the visitor and Cloudflare, but Cloudflare can still connect to the origin over HTTP. That is where many avoidable redirect loops and false assumptions begin.

VPS access pattern                                        | Best certificate choice         | Operational note
----------------------------------------------------------|---------------------------------|--------------------------------------------------------------------------------------------------
Public traffic should only pass through Cloudflare        | Cloudflare Origin CA            | Keep DNS proxied and document that direct browser access will not trust the origin certificate.
Monitoring, vendors, or staff need direct HTTPS access    | Publicly trusted certificate    | Use an ACME flow such as Certbot and test renewal.
The proxy may be disabled during maintenance              | Publicly trusted certificate    | Avoid Origin CA for hostnames that may be exposed directly to visitors.
The origin should reject non-Cloudflare traffic           | Origin CA plus origin protection| Add firewall allowlists, Authenticated Origin Pulls, or a tunnel-based design.

A practical certificate decision matrix for VPS sites behind Cloudflare.

The clean setup for most Nginx VPS sites

For a normal Nginx site where visitors should always arrive through Cloudflare, keep the pattern simple:

  1. Keep the DNS record proxied in Cloudflare.
  2. Let Cloudflare manage the public edge certificate.
  3. Create a Cloudflare Origin CA certificate for the exact hostnames you serve.
  4. Install the origin certificate and private key on the VPS.
  5. Configure Nginx to serve HTTPS on port 443.
  6. Set Cloudflare SSL/TLS mode to Full (strict).
  7. Choose one owner for HTTP-to-HTTPS redirects.

A minimal Nginx server block can look like this:

server {
    # Cloudflare connects to the origin on 443 in Full (strict) mode.
    listen 443 ssl;
    server_name example.com www.example.com;

    # Origin CA certificate and its private key (example paths; the key
    # should be readable by root only).
    ssl_certificate     /etc/ssl/cloudflare/origin.pem;
    ssl_certificate_key /etc/ssl/private/cloudflare-origin.key;

    root /var/www/example/public;
    index index.html index.php;
}

After updating the server block, validate and reload Nginx:

sudo nginx -t
sudo systemctl reload nginx
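Before the reload it is worth confirming that the certificate on disk actually fits the server block: the key matches the certificate, every server_name is covered, it is not about to expire, and you know whether it is an Origin CA certificate that browsers will not trust directly. The script below is an added example, not code from the original article. The certificate and key paths on its command line are assumed to be the ones from the server block above, the "cloudflare origin" issuer substring it looks for is an assumption about the Origin CA issuer name, and the self-signed certificate it generates when run without arguments is a constructed fixture so the checks can be exercised offline.

```sh
#!/bin/sh
# Added example, not code from the original article: checks to run on the
# origin certificate before "nginx -t" and the reload. Paths on the command
# line are assumed to be the ones from the server block; the self-signed
# fixture is constructed here purely so the checks can run offline.
set -eu

# 0 when the certificate and the private key carry the same public key.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# 0 when the certificate's names cover HOST (openssl handles wildcards).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# 0 when the certificate is still valid DAYS days from now.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# 0 when the issuer name contains "cloudflare origin" (assumed substring of
# the Origin CA issuer); such a certificate is only trusted by Cloudflare's edge.
cert_is_origin_ca() {
    openssl x509 -in "$1" -noout -issuer | grep -qi 'cloudflare origin'
}

# Runs every check for CERT KEY DAYS HOST...; prints one line per check and
# returns the number of failures.
run_checks() {
    cert=$1; key=$2; days=$3; shift 3
    failures=0
    if cert_key_match "$cert" "$key"; then echo "ok   private key matches certificate"
    else echo "FAIL private key does not match certificate"; failures=$((failures + 1)); fi
    for host in "$@"; do
        if cert_covers_host "$cert" "$host"; then echo "ok   covers $host"
        else echo "FAIL does not cover $host"; failures=$((failures + 1)); fi
    done
    if cert_not_expiring "$cert" "$days"; then echo "ok   valid for at least $days more days"
    else echo "FAIL expires within $days days"; failures=$((failures + 1)); fi
    if cert_is_origin_ca "$cert"; then
        echo "note Origin CA issuer: keep the DNS record proxied, browsers will not trust this directly"
    fi
    return "$failures"
}

# Constructs a throwaway self-signed certificate (30 days, two SANs) so the
# checks can be exercised without a real Origin CA certificate; prints its directory.
make_fixture() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/origin.key" -out "$dir/origin.pem" -days 30 \
        -subj '/CN=example.com' \
        -addext 'subjectAltName=DNS:example.com,DNS:www.example.com' 2>/dev/null
    echo "$dir"
}

if [ $# -ge 3 ]; then
    # Usage: sh origin-cert-check.sh CERT KEY HOST [HOST...]
    cert=$1; key=$2; shift 2
    run_checks "$cert" "$key" 14 "$@" || echo "$? check(s) failed"
else
    # No arguments: demonstrate on the constructed fixture.
    fixture=$(make_fixture)
    run_checks "$fixture/origin.pem" "$fixture/origin.key" 14 example.com www.example.com \
        || echo "$? check(s) failed"
    rm -rf "$fixture"
fi
```

Run it as `sh origin-cert-check.sh /etc/ssl/cloudflare/origin.pem /etc/ssl/private/cloudflare-origin.key example.com www.example.com` on the VPS; a non-zero exit count is a reason to stop before `systemctl reload nginx`. The 14-day expiry window is a reasonable default for a cron job, and the "note" line is the reminder that an Origin CA certificate must stay behind the proxy.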

For agency teams, standardize the boring parts across client environments: certificate paths, server block naming, handover notes, and who owns redirects. That turns SSL from tribal knowledge into a repeatable operating procedure.

When a public certificate is the better choice

Cloudflare Origin CA is useful when the origin only receives traffic from proxied Cloudflare records. It is not meant to be trusted directly by normal browsers. If someone pauses Cloudflare or disables proxying for a hostname using an Origin CA certificate, visitors can see certificate warnings.

Use a publicly trusted certificate when your workflow needs direct HTTPS access to the VPS. That includes uptime checks outside Cloudflare, vendor access, staging patterns, emergency gray-cloud operation, or infrastructure where a load balancer connects without Cloudflare in front.

Certbot remains a practical option for Nginx-managed servers, but use the current OS-specific install instructions rather than copying an old package command from a blog post. The useful operational commands are still:

sudo certbot --nginx
sudo certbot renew --dry-run

If the HTTP-01 challenge is used, validation happens on port 80. If that does not fit your environment, use DNS-01 validation instead. DNS validation takes more setup, but it can work when port 80 is unavailable and is also the route for wildcard certificates.

Make redirects boring

Redirect loops usually appear when Cloudflare, Nginx, and the application are all trying to enforce scheme or hostname rules at once. Each layer can be correct on its own; together they can still produce messy behavior.

For many business sites, the simplest model is to enable Cloudflare's Always Use HTTPS so visitor HTTP requests are redirected at the edge, while Nginx simply serves HTTPS correctly. Cloudflare notes that origin-side redirects can cause loop errors, so if you prefer origin-owned redirects, keep the Cloudflare redirect setting off and document that choice.

Forcing HTTPS will not fix mixed content. Hard-coded http:// assets, old CMS settings, fonts, scripts, and third-party embeds still need to be cleaned up. After changing SSL modes, test the contact forms, checkout, login, admin area, and any webhook or API callback that depends on the public URL.
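Whoever owns the redirect, the result should be checked hop by hop rather than by looking at the padlock. The script below is an added example, not code from the original article: it follows a redirect chain one Location header at a time and reports a loop as soon as a URL repeats. Offline it reads a constructed table of request-to-Location pairs (the `flex.example` rows model the Flexible-mode loop described above); with `LIVE=1` it asks the real servers using curl's `%{redirect_url}` output, which reports the Location without following it.

```sh
#!/bin/sh
# Added example, not code from the original article: walk an HTTP redirect
# chain hop by hop and flag loops, so the redirect owner can be verified
# instead of assumed. Offline it consults a constructed table of Location
# headers; with LIVE=1 it asks the real servers through curl.
set -eu

# Constructed fixture, "requested URL -> Location header" per line. The
# flex.example rows model the classic Flexible-mode loop: the origin sees
# plain HTTP and redirects to https, Cloudflare serves that over https, and
# the browser is sent back to the URL it already requested.
FIXTURE='
http://clean.example/   https://clean.example/
https://clean.example/  https://www.clean.example/
http://flex.example/    https://flex.example/
https://flex.example/   https://flex.example/
'

# Prints the Location a request for URL would receive, or nothing when the
# response is not a redirect.
next_hop() {
    if [ "${LIVE:-0}" = 1 ]; then
        curl -sS -o /dev/null --max-time 10 -w '%{redirect_url}' "$1"
    else
        printf '%s\n' "$FIXTURE" | awk -v u="$1" '$1 == u { print $2 }'
    fi
}

# Follows redirects from URL for at most MAX hops (default 10), printing
# each URL. Returns 0 when the chain ends on a real response, 1 when a URL
# repeats (loop), 2 when the hop limit is reached first.
walk_redirects() {
    url=$1; max=${2:-10}; seen=' '; hops=0
    while [ -n "$url" ]; do
        case "$seen" in *" $url "*) echo "LOOP: back to $url"; return 1 ;; esac
        seen="$seen$url "
        echo "$url"
        hops=$((hops + 1))
        if [ "$hops" -gt "$max" ]; then echo "gave up after $max hops"; return 2; fi
        url=$(next_hop "$url")
    done
    return 0
}

# Final URL of the chain, i.e. where a visitor actually lands.
final_url() {
    walk_redirects "$1" "${2:-10}" | grep '^http' | tail -n 1
}

# Demo on the constructed table: one clean chain and one loop.
for start in http://clean.example/ https://flex.example/; do
    echo "== $start"
    walk_redirects "$start" || echo "   exit status $?"
done
```

Against a live site, `LIVE=1 sh redirect-walk.sh` with the loop in the `for` line replaced by your own hostname (or a call such as `LIVE=1 final_url http://example.com/` after sourcing the file) should print a short chain that ends on the canonical https URL; a `LOOP:` line points at the layer that is redirecting to what it was just given.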

Do not leave the origin exposed by accident

Full (strict) validates the TLS connection, but it does not automatically stop someone from hitting the VPS directly by IP address. For higher-value sites, close that gap. Options include firewall rules that allow Cloudflare IP ranges, Authenticated Origin Pulls, Cloudflare Tunnel, or other origin access controls that fit your stack.
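One concrete form of the firewall option is an nftables ruleset that only admits TCP/443 from Cloudflare's published ranges. The script below is an added example, not code from the original article or from Cloudflare: offline it renders the ruleset from a few constructed documentation prefixes (198.51.100.0/24, 203.0.113.0/24, 2001:db8:1::/48, which are not Cloudflare's addresses), and with `FETCH=1` it downloads the live lists from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6. It deliberately leaves port 80 and SSH alone, since port 80 must stay reachable if Certbot's HTTP-01 challenge is in use.

```sh
#!/bin/sh
# Added example, not code from the original article: render an nftables
# ruleset that admits TCP/443 only from Cloudflare's published ranges, so
# the origin cannot be reached over HTTPS by going straight to its IP.
# Offline it uses constructed sample prefixes; with FETCH=1 it downloads the
# live lists from https://www.cloudflare.com/ips-v4 and /ips-v6.
set -eu

# Constructed sample prefixes for the offline demo; these are documentation
# ranges, NOT Cloudflare's real addresses.
SAMPLE_V4='
198.51.100.0/24
203.0.113.0/24
'
SAMPLE_V6='
2001:db8:1::/48
'

# Prints one prefix per line for family v4 or v6, ignoring blanks and comments.
ranges() {
    if [ "${FETCH:-0}" = 1 ]; then
        curl -fsS "https://www.cloudflare.com/ips-$1"
    else
        case $1 in
            v4) printf '%s\n' "$SAMPLE_V4" ;;
            v6) printf '%s\n' "$SAMPLE_V6" ;;
            *)  echo "unknown family: $1" >&2 ;;
        esac
    fi | grep -Ev '^[[:space:]]*(#|$)'
}

# Emits the ruleset. The table is declared and deleted first so re-applying
# replaces the previous version instead of appending duplicate rules. The
# input chain keeps policy accept, so SSH and port 80 (needed for HTTP-01)
# are untouched; only 443 is restricted to the Cloudflare sets.
render_nft() {
    v4=$(ranges v4 | paste -s -d , -)
    v6=$(ranges v6 | paste -s -d , -)
    cat <<EOF
table inet cf_origin
delete table inet cf_origin
table inet cf_origin {
    set cf_v4 { type ipv4_addr; flags interval; elements = { $v4 } }
    set cf_v6 { type ipv6_addr; flags interval; elements = { $v6 } }
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        ip saddr @cf_v4 tcp dport 443 accept
        ip6 saddr @cf_v6 tcp dport 443 accept
        tcp dport 443 drop
    }
}
EOF
}

# Stand-alone run: print the ruleset. Check it, then load it, with:
#   sh cf-allowlist.sh | sudo nft -c -f -    # parse and validate only
#   sh cf-allowlist.sh | sudo nft -f -       # apply
render_nft
```

Cloudflare's ranges change occasionally, so the rendering step belongs in a scheduled job rather than a one-off; pairing it with Authenticated Origin Pulls covers the case where the IP allowlist lags behind the published list.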

Also track certificate ownership. Cloudflare currently says it does not send expiration notifications for Origin CA certificates, so long-lived origin certificates should still go into your own inventory or monitoring. Public certificates need renewal testing and alerting. Neither model should depend on someone remembering what was installed two years ago.

A useful handover checklist

A maintainable setup should leave the next operator with clear answers: SSL/TLS mode, certificate type, hostname coverage, expiry or renewal process, DNS proxy status, redirect owner, open ports, and any firewall or Authenticated Origin Pulls configuration. That small note can save hours during a migration or incident.

If your Cloudflare and VPS setup has grown by trial and error, a focused review usually finds the weak spots quickly: Flexible mode still enabled, duplicate redirects, an origin certificate that does not match the workflow, or a VPS that can be bypassed directly. Greg can review the configuration, clean up the decision path, and leave your team with something easier to operate.


Sources

  • Cloudflare Docs: Full (strict) SSL/TLS Encryption Mode
  • Cloudflare Docs: Origin CA Certificates
  • Cloudflare Docs: Always Use HTTPS
  • Cloudflare Docs: Authenticated Origin Pulls
  • Let's Encrypt Docs: Challenge Types