How to Use Cloudflare Origin Certificates with Apache2 on Ubuntu Linux

This post shows students and new users the steps to create a Cloudflare origin certificate for use with Apache on Ubuntu Linux. If you want to get the most out of Cloudflare's security features, use its Full (strict) SSL/TLS mode together with an Origin Certificate on your server.

With an origin certificate, the connection between Cloudflare's proxy servers and your origin server is encrypted and validated, so every hop from the visitor to your server runs over TLS: the visitor's browser talks TLS to Cloudflare's edge (using Cloudflare's edge certificate), and Cloudflare talks TLS to your origin (using the origin certificate).

You can create a free certificate signed by Cloudflare and install it on the origin server. Because the certificate is issued by Cloudflare for this one purpose, you can choose a much longer validity period than a public CA would allow (up to 15 years) and cover all your subdomains with a wildcard such as *.example.com.

This post covers the Apache2 HTTPS server.

When you're ready to set up your server and Cloudflare to use an Origin Certificate, follow the steps below:

How to sign up for Cloudflare

The first step in this tutorial is to sign up for a Cloudflare account. This post assumes that you have already registered a domain name. If you haven't, get one before continuing.

If you already have a Cloudflare account, then skip the registration below.

Type in your email address and click Create Account.


Once the account is created, you've verified your email address and logged back into your Cloudflare account, click the Add a Site button to add a site to your account.


Next, type in the domain name you have registered. Cloudflare will proxy, cache and protect the site you add.


Next, Cloudflare queries your domain's current DNS servers and imports the records it finds into its own DNS. If the domain is already online, the existing records should be picked up automatically; check them anyway, because a record that is missed here means a broken service after the nameserver switch.


After that, select the plan you want to use for the site. For this tutorial, we’re going to be using Cloudflare free plan.


When you're done, Cloudflare shows you two nameservers. Log on to your domain registrar's portal, find the domain and replace its nameservers with the ones Cloudflare gave you.

For example, our example.com domain is registered with Google Domains. Log on to your Google Domains account and select the option to use custom nameservers.

You'll have the option to enter the nameservers provided by Cloudflare. Save your changes when you're done.


Once you've saved the nameserver change, go back to your Cloudflare account and wait for Cloudflare to see it. Depending on your registrar, it may take up to an hour (occasionally longer) for the change to become visible to Cloudflare.

Once all is ready, you’ll see your site status as Active.

When everything is done, your Cloudflare account should show the DNS entries for your site. Your zone may have more records than the ones shown in the screenshot; the ones that matter for the website are the record for the root domain (example.com) and the one for www, and both must be proxied (orange cloud) so that traffic actually flows through Cloudflare. A record set to DNS only (grey cloud) sends visitors straight to the origin, where they will get a certificate error, because browsers do not trust Cloudflare origin certificates.


After that, click the Crypto tab (called SSL/TLS in the current dashboard) and set the encryption mode to Full (strict). In this mode Cloudflare connects to your origin over HTTPS and validates the certificate the origin presents, so the setting only works once a valid certificate (the origin certificate created below) is installed on the server; until then Cloudflare answers requests for the site with error 526.


While still on the Crypto tab, scroll down to Origin Certificates and click the button to create a certificate.

This is a free TLS certificate signed by Cloudflare for installation on your origin server. Origin Certificates are only trusted by Cloudflare: they exist to encrypt and authenticate the Cloudflare-to-origin leg, and a browser that connects to the origin directly will reject them.

Next, choose Let Cloudflare generate a private key and a CSR, confirm the hostnames the certificate should cover (the root domain and the *.example.com wildcard) and the validity period, then click Next.


Cloudflare then shows the certificate and the private key. Copy them into text files on your server straight away: the private key is displayed only once and cannot be retrieved later.

On Ubuntu, run the commands below to create the private key, certificate and origin pull CA files (three files in total). Copy and paste each blob into the respective file and save.

For the private key, run this, then paste the private key into the file and save. The key must be readable by root only: /etc/ssl/private is already restricted on Ubuntu, and the file itself should be mode 0600.

sudo nano /etc/ssl/private/cloudflare_key_example.com.pem

For the certificate file, run this, paste the certificate content into the file and save.

sudo nano /etc/ssl/certs/cloudflare_example.com.pem

You also need Cloudflare's Origin Pull CA certificate, the CA that signs the client certificate Cloudflare presents to your origin once Authenticated Origin Pulls is switched on. It is published in the Cloudflare docs:

Set up authenticated origin pulls · Cloudflare SSL docs

In the Zone-Level certificate section of that page, expand the certificate and copy its content.

Next, run the command below to create the origin-pull-ca.pem file, paste the certificate content into it and save.

sudo nano /etc/ssl/certs/origin-pull-ca.pem

Once done, you should have three files: cloudflare_key_example.com.pem, cloudflare_example.com.pem and origin-pull-ca.pem. They are referenced from the Apache config further below.
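The three files above are worth installing with a small script rather than by hand, so that the private key never sits on disk world-readable and a bad paste (certificate pasted into the key file, a truncated blob, two blobs in one file, a key that does not belong to the certificate) is caught before Apache is restarted. The script below is an added example, not part of the original post and not Cloudflare's or Apache's code. It assumes the file paths used in this post, that it is run as root (so the files end up root-owned, mode 0600 for the key and 0644 for the certificates, the usual Debian/Ubuntu convention), and that openssl is installed for the key/certificate match check. The demo section at the bottom runs on constructed placeholder blobs so it can be executed anywhere; the commented lines show the real invocation on the origin.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): install the PEM files Cloudflare
# gives you with tight permissions and sanity-check them before Apache uses them.
set -eu

# install_pem DEST MODE -- read one PEM blob from stdin and write it to DEST.
# umask is dropped to 077 inside a subshell so the file is never created
# world-readable, not even for an instant; chmod then opens certs up to MODE.
install_pem() {
  local dest="$1" mode="$2"
  ( umask 077; cat > "$dest" )
  chmod "$mode" "$dest"
}

# file_mode FILE -- octal permission bits (GNU stat, with a BSD fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_pem_block FILE LABEL_RE -- succeed only if FILE holds exactly one PEM
# block and its BEGIN/END label matches LABEL_RE (an extended regex).
check_pem_block() {
  local file="$1" label_re="$2"
  [ "$(grep -c -- '^-----BEGIN ' "$file")" -eq 1 ] || return 1
  grep -Eq -- "^-----BEGIN (${label_re})-----$" "$file" || return 1
  grep -Eq -- "^-----END (${label_re})-----$" "$file" || return 1
}

# verify_key_matches_cert KEY CERT -- the public key derived from the private
# key must equal the public key embedded in the certificate; otherwise Apache
# refuses to start with a key/certificate mismatch. Needs openssl.
verify_key_matches_cert() {
  local key="$1" cert="$2" key_pub cert_pub
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Demo run on CONSTRUCTED placeholder blobs (not real key material) in a temp
# directory, so the script runs stand-alone anywhere.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'cGxhY2Vob2xkZXI=' '-----END PRIVATE KEY-----' \
  | install_pem "$demo_dir/key.pem" 600
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'cGxhY2Vob2xkZXI=' '-----END CERTIFICATE-----' \
  | install_pem "$demo_dir/cert.pem" 644
check_pem_block "$demo_dir/key.pem" '(RSA |EC )?PRIVATE KEY'
check_pem_block "$demo_dir/cert.pem" 'CERTIFICATE'
echo "demo: key mode $(file_mode "$demo_dir/key.pem"), cert mode $(file_mode "$demo_dir/cert.pem")"
rm -rf "$demo_dir"

# Real usage on the origin, as root (paste each blob from the Cloudflare
# dashboard or docs page, then press Ctrl-D):
#   install_pem /etc/ssl/private/cloudflare_key_example.com.pem 600
#   install_pem /etc/ssl/certs/cloudflare_example.com.pem 644
#   install_pem /etc/ssl/certs/origin-pull-ca.pem 644
#   check_pem_block /etc/ssl/private/cloudflare_key_example.com.pem '(RSA |EC )?PRIVATE KEY'
#   check_pem_block /etc/ssl/certs/cloudflare_example.com.pem CERTIFICATE
#   check_pem_block /etc/ssl/certs/origin-pull-ca.pem CERTIFICATE
#   verify_key_matches_cert /etc/ssl/private/cloudflare_key_example.com.pem \
#                           /etc/ssl/certs/cloudflare_example.com.pem
```

Each check function returns non-zero on failure, so with `set -e` a bad file stops the script before you get as far as restarting Apache. The label regex for the key accepts the PKCS#8 `PRIVATE KEY` header Cloudflare emits as well as the older `RSA PRIVATE KEY` / `EC PRIVATE KEY` forms.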

Still on the Crypto page in your Cloudflare account, enable Always Use HTTPS. You may also enable HSTS, but it is not necessary for this setup; note that once HSTS is on, browsers will refuse plain HTTP for your domain for the max-age you choose, so read Cloudflare's warning before turning it on.

Next, turn on Authenticated Origin Pulls and Opportunistic Encryption. Authenticated Origin Pulls is what makes Cloudflare present its client certificate to your origin; the Apache configuration below refuses any connection that does not present one, which is what stops visitors and scanners from bypassing Cloudflare and talking to the origin directly.

Then turn on Automatic HTTPS Rewrites.

Next, move to the Page Rules tab and create a new rule for the site: enter the URL pattern and choose the Always Use HTTPS setting.

example.com/*

Always Use HTTPS

Save your settings and you’re done with setting up Cloudflare.

How to configure Apache with Cloudflare

Finally, create the Apache site configuration file for your website. This file controls how Apache serves your content. Run the command below to create a new configuration file called example.com.conf:

sudo nano /etc/apache2/sites-available/example.com.conf

Then copy and paste the content below into the file and save it. Replace example.com with your own domain name and /var/www/html/example.com with your document root, and make sure the three SSL* file paths match the certificate files created during the Cloudflare setup above.

# Port 80: nothing is served in clear text; send everything to HTTPS.
<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com
  Redirect permanent "/" "https://example.com/"
</VirtualHost>

<VirtualHost *:443>
     # h2 needs mod_http2 and the event MPM (a2enmod http2); drop it if unsure
     Protocols h2 http/1.1
     # replace with your own address
     ServerAdmin webmaster@example.com
     DocumentRoot /var/www/html/example.com
     ServerName example.com
     ServerAlias www.example.com

     SSLEngine on
     # Cloudflare origin certificate and its private key
     SSLCertificateFile /etc/ssl/certs/cloudflare_example.com.pem
     SSLCertificateKeyFile /etc/ssl/private/cloudflare_key_example.com.pem
     # Authenticated Origin Pulls: only a client holding a certificate issued by
     # Cloudflare's origin-pull CA (that is, Cloudflare's edge) can complete the
     # TLS handshake; anything connecting to the origin directly is refused.
     SSLCACertificateFile /etc/ssl/certs/origin-pull-ca.pem
     SSLVerifyClient require
     SSLVerifyDepth 1
     # Cloudflare's edge speaks modern TLS; leave the legacy protocols off
     SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

     <Directory /var/www/html/example.com/>
          Options -Indexes +FollowSymLinks
          AllowOverride All
          Require all granted
     </Directory>

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

Save the file and exit.

How to enable VirtualHost block with Apache

After configuring the VirtualHost block above, enable it. The block relies on mod_ssl and, for the h2 protocol line, mod_http2, so enable those first with a2enmod ssl http2 if they are not already on, and run apache2ctl configtest before restarting so that a typo in the file does not take the site down. Because of SSLVerifyClient require, make sure Authenticated Origin Pulls is already switched on in the Cloudflare dashboard before you restart: once Apache demands a client certificate, a Cloudflare edge that is not presenting one is refused like any other client, and the site returns errors.

sudo a2ensite example.com.conf
sudo systemctl restart apache2.service

Then open your browser and browse to your domain. The padlock the browser shows belongs to Cloudflare's edge certificate, not to the origin certificate; the origin certificate is only ever seen by Cloudflare.

That should do it!

Conclusion:

This post showed you how to use a Cloudflare origin certificate to secure the connection between Cloudflare's servers and your own server. If you find any error above, please use the comment form below to report it.