Hello! There is a site on Amazon running on NodeJS. The domain is attached to it through Cloudflare. I decided to find out how best to set up HTTPS for the site.

There are two options:

  1. Use SSL from Cloudflare.
  2. Use SSL from Let's Encrypt.

Actually what certificate is best to use when? What are the nuances?

  • Both of them should have descriptions with all the nuances on their official websites, no? - andreymal


Let's Encrypt

Pros

  • Works on any domain
  • Renewal can be put on cron

Cons

  • Validity: three months
  • Requires the intermediate certificate to be added

Cloudflare

Pros

  • Validity: 15 years at once

Cons

  • Works only on domains whose NS are hosted on Cloudflare
  • Works only when domain caching is enabled (orange cloud in the Cloudflare DNS settings). Not very convenient while the site is in development; you have to turn on Development Mode in the Cache section
  • Requires the SSL mode "Full (Strict)" to be enabled in the Crypto section
  • Requires the intermediate Cloudflare certificate to be added to the generated site certificate. Read more here.

However, from personal experience: if the domain is hosted on Cloudflare, I use the Cloudflare certificate. I have gotten used to the cons, and the lack of any headache with renewing the certificate outweighs them, in my opinion.

  • "Validity period is half a year" - no, three months. And there are thoughts of reducing it to one month. And this is not a minus but a plus :) - andreymal
  • "Requires the intermediate Cloudflare certificate to be added" - Let's Encrypt requires that too, by the way - andreymal
  • @andreymal yes, exactly three months. I don't even know where half a year came from :). - KAGG Design
  • @andreymal Possibly. My Let's Encrypt was set up automatically with the help of their bot; I didn't add anything by hand - KAGG Design
  • certbot creates four files: cert, chain, fullchain and privkey. cert is the certificate itself, chain is the intermediate one, and fullchain is the union of the first two, the same as with Cloudflare. In principle, modern browsers know LE even without the intermediate, but without it problems do occur, for example on some older Android versions, so it's better to assume that LE requires an intermediate certificate (at least for the next few years) - andreymal