- Why is it important to set up Universal SSL on Cloudflare?
- What is Universal SSL and how does it work?
- Why might you disable Universal SSL?
- Universal SSL activation steps (Dashboard)
- Disabling Universal SSL (Dashboard)
- Disable/Enable via API (Example)
- Use Cloudflare Origin CA (recommended for Full (Strict))
- Installing a Let's Encrypt certificate in the presence of Cloudflare
- Troubleshooting common errors
- Security and operational tips
- SEO and performance tips
- Sample checklist before turning off Universal SSL
- Conclusion and recommendations
- Technical support and related services
- Frequently Asked Questions
Why is it important to set up Universal SSL on Cloudflare?
For webmasters, DevOps, and those using VPS or cloud servers, it is critical to properly configure SSL between the end user, Cloudflare Edge, and origin server. Choosing the wrong SSL mode or mishandling certificates can lead to HTTPS errors, redirect loops, or even reduced connection security.
What is Universal SSL and how does it work?
Universal SSL is a Cloudflare service that issues and installs a free, automatic TLS/SSL certificate at the Cloudflare edge for domains using Cloudflare's CDN/Proxy. This certificate encrypts end-user communications up to the Cloudflare edge, but encryption between Cloudflare and the origin server requires separate configuration.
SSL Modes
The main modes that can be selected in the Cloudflare dashboard are:
- Off: No HTTPS encryption takes place between the user and Cloudflare.
- Flexible: The user → Cloudflare connection is encrypted, but Cloudflare → Origin is established over plain HTTP (no TLS). This mode is usually not needed; it leaves the last hop unencrypted and can cause security issues and redirect loops.
- Full: The connection to the origin is established with TLS, but Cloudflare does not validate the origin certificate.
- Full (Strict): The connection to the Origin is established with TLS and Cloudflare checks the authenticity of the Origin certificate (the certificate must be validated by a trusted CA or Origin CA).
Why might you disable Universal SSL?
Common reasons for disabling Universal SSL include:
- You need to upload a dedicated (custom) edge certificate to Cloudflare (usually available on Business/Enterprise plans).
- Troubleshooting and testing HTTPS directly on the origin without going through the Cloudflare edge.
- Using another CDN or load balancer that must present its own certificate.
- A conflict between SSL and caching settings, or the need to install a wildcard/EV certificate on the edge.
Universal SSL activation steps (Dashboard)
Activation steps via Cloudflare dashboard:
- Log in to the Cloudflare dashboard and select the domain (zone).
- Go to the SSL/TLS section.
- Set the SSL mode to Full (Strict) or Full (Full (Strict) is recommended).
- In the Edge Certificates section, the Universal SSL option is usually enabled by default. If it is disabled, click the Enable button.
- Wait: issuing and publishing the certificate on the CDN can take up to 24 hours, but it is usually completed within a few minutes to a few hours.
Disabling Universal SSL (Dashboard)
Steps to follow to deactivate:
- Go to SSL/TLS > Edge Certificates.
- In the Universal SSL section, click the Disable button.
- If you want HTTPS to stay uninterrupted, obtain and install a replacement edge certificate (a custom uploaded certificate) before disabling Universal SSL (available on Business/Enterprise plans or higher).
- Until the new certificate is installed, users connecting over HTTPS will get a certificate error.
Disable/Enable via API (Example)
For automation you can use the Cloudflare API. First get the Zone ID, then change the Universal SSL status.
Getting the Zone ID (example):
curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=example.com" \
  -H "X-Auth-Email: $CF_EMAIL" \
  -H "X-Auth-Key: $GLOBAL_API_KEY" \
  -H "Content-Type: application/json"
Changing the Universal SSL status (example; the Universal SSL setting lives under /ssl/universal/settings and takes a boolean "enabled" field):
curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/ssl/universal/settings" \
  -H "X-Auth-Email: $CF_EMAIL" \
  -H "X-Auth-Key: $GLOBAL_API_KEY" \
  -H "Content-Type: application/json" \
  --data '{"enabled":false}'
To enable it again, set "enabled" to true. (If you use an API Token instead of the Global API Key, send an Authorization: Bearer header instead of the X-Auth-* headers, as described in the token documentation.)
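The following script is an added example, not code from the original article or from Cloudflare: it looks up the Zone ID, refuses to disable Universal SSL unless an active custom edge certificate already covers the hostname (the first item of the checklist further down), and only then sends the PATCH. It assumes an API Token in the CF_API_TOKEN environment variable; the hostnames are placeholders and the API responses it is tested against are constructed.

```python
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def cf_call(method, path, token, body=None):
    """Call the Cloudflare v4 API with an API Token (Authorization: Bearer)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def zone_id_from_lookup(lookup, name):
    """GET /zones?name=... returns a list; pick the zone whose name matches exactly."""
    for zone in lookup.get("result") or []:
        if zone.get("name") == name:
            return zone["id"]
    raise LookupError(f"no zone named {name}")


def _covers(pattern, hostname):
    """Certificate SAN match: '*.example.com' covers exactly one extra label."""
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return pattern == hostname


def safe_to_disable(custom_certs, hostname):
    """True only if an *active* custom edge certificate covers hostname,
    i.e. turning Universal SSL off will not break HTTPS for visitors."""
    for cert in custom_certs.get("result") or []:
        if cert.get("status") == "active" and any(_covers(h, hostname) for h in cert.get("hosts", [])):
            return True
    return False


def set_universal_ssl(zone_id, token, enabled, hostname):
    """Disable only after the replacement-certificate check passes; enabling is always safe."""
    if not enabled:
        certs = cf_call("GET", f"/zones/{zone_id}/custom_certificates", token)
        if not safe_to_disable(certs, hostname):
            raise RuntimeError(f"no active custom certificate covers {hostname}; keep Universal SSL on")
    return cf_call("PATCH", f"/zones/{zone_id}/ssl/universal/settings", token, {"enabled": enabled})


if __name__ == "__main__":
    token = os.environ["CF_API_TOKEN"]  # assumption: a token scoped to this zone's SSL settings
    zone = zone_id_from_lookup(cf_call("GET", "/zones?name=example.com", token), "example.com")
    print(set_universal_ssl(zone, token, enabled=False, hostname="www.example.com"))
```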
Use Cloudflare Origin CA (recommended for Full (Strict))
For Full (Strict), the best approach is Cloudflare Origin CA, which issues a certificate that is only trusted between Cloudflare and the origin; this certificate is not suitable for direct user connections to the origin, but it is secure and simple for Cloudflare-to-origin communication.
Quick steps:
- In the Cloudflare dashboard, go to SSL/TLS → Origin Server.
- Click Create Certificate, select the RSA or ECDSA key type, and specify the domain/wildcard hostnames.
- Cloudflare generates the PEM files: download the certificate and the private key.
- Place these files on the origin (e.g. /etc/ssl/cf_origin.pem and /etc/ssl/cf_origin.key).
Example Nginx configuration with Origin CA:
server {
    listen 443 ssl http2;
    server_name example.com;
    # Origin CA certificate: trusted by Cloudflare's edge only, not by browsers
    ssl_certificate /etc/ssl/cf_origin.pem;
    ssl_certificate_key /etc/ssl/cf_origin.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:...';
    ssl_prefer_server_ciphers on;
    root /var/www/html;
    index index.php index.html;
    ...
}
Then, in Cloudflare, set the SSL mode to Full (Strict).
Installing a Let's Encrypt certificate in the presence of Cloudflare
Common issue: the HTTP-01 challenge may fail when Cloudflare is in proxy mode (orange cloud icon). Solutions:
- Use the DNS-01 challenge (for example certbot --preferred-challenges dns); this is required for wildcard certificates.
- Or temporarily turn off the proxy (grey cloud, DNS only) and turn it back on after the certificate has been issued.
- Or use Cloudflare Origin CA instead (the simpler solution for Full (Strict)).
Example of issuing with the certbot DNS challenge (using the Cloudflare plugin):
certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d example.com -d '*.example.com'
Troubleshooting common errors
Common errors and solutions:
- Error 525 (SSL handshake failed): the handshake between Cloudflare and the origin failed. Check that Nginx/Apache is serving TLS and that the Origin CA or another valid certificate is installed.
- Error 526 (Invalid SSL certificate): the origin certificate was not recognized as valid by Cloudflare. Use a valid Origin CA or public certificate and set the mode to Full (Strict).
- Redirect loop: usually occurs when the SSL mode is Flexible and the origin redirects http → https. Solution: use Full / Full (Strict).
- Universal SSL activation time: it may take up to 24 hours; be patient and flush the DNS cache.
For a quick check of the certificate served at the edge:
openssl s_client -connect example.com:443 -servername example.com
Checking the origin's TLS directly, bypassing Cloudflare (run on the server, with 198.51.100.10 replaced by the origin IP; note that -k skips certificate verification, so drop it when you want to see what Full (Strict) will check):
curl -vk --resolve example.com:443:198.51.100.10 https://example.com/
Security and operational tips
Best practices and security measures:
- Always use Full (Strict) so that Cloudflare verifies the authenticity of the origin certificate.
- If you use Cloudflare, restrict the IPs allowed to reach the origin to an allowlist containing only Cloudflare IPs. Get the ranges from the Cloudflare IP List and keep them up to date.
- Enabling TLS 1.3 and HTTP/2 improves performance. Enable HSTS carefully and only after you are sure of the configuration (preload only after thorough testing).
- For latency-sensitive sites (trading, low-ping gaming, database rendering, and AI): place the origin close to the target users, or in BGP-connected networks and appropriately located data centers, to achieve the lowest RTT.
- Use secure tunnels or firewall rules for non-web traffic (e.g. SSH or private TCP); Cloudflare's proxy is optimized for web traffic.
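An added example (not from the original article) of the allowlist tip above: it parses the one-CIDR-per-line format of the Cloudflare IP lists, renders an nftables rule set that accepts the web ports only from those ranges, and the matching nginx real_ip block so access logs and rate limits see the visitor address from CF-Connecting-IP rather than a Cloudflare edge IP. The CIDRs are constructed documentation ranges; in production fetch the live lists from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 on a schedule.

```python
import ipaddress

# Constructed sample in the same one-CIDR-per-line format as Cloudflare's
# published lists. These are documentation ranges, NOT real Cloudflare addresses.
SAMPLE_CF_LIST = """\
198.51.100.0/24
203.0.113.0/25
2001:db8:cf::/48
"""


def parse_cidrs(text):
    """Parse the list, skipping blanks and comments; a malformed line raises early."""
    return [ipaddress.ip_network(line.strip())
            for line in text.splitlines() if line.strip() and not line.startswith("#")]


def is_cloudflare_ip(ip, nets):
    """True if ip falls inside any allowlisted range (IPv4 and IPv6 both handled)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def nft_ruleset(nets, ports=(80, 443)):
    """nftables: accept the web ports only from Cloudflare, drop them from anyone else.
    Non-web traffic (SSH etc.) belongs in separate rules, as the tip above notes."""
    v4 = ", ".join(str(n) for n in nets if n.version == 4)
    v6 = ", ".join(str(n) for n in nets if n.version == 6)
    plist = ", ".join(str(p) for p in ports)
    lines = ["table inet filter {", "  chain input {",
             "    type filter hook input priority 0; policy accept;"]
    if v4:
        lines.append(f"    tcp dport {{ {plist} }} ip saddr {{ {v4} }} accept")
    if v6:
        lines.append(f"    tcp dport {{ {plist} }} ip6 saddr {{ {v6} }} accept")
    lines += [f"    tcp dport {{ {plist} }} drop", "  }", "}"]
    return "\n".join(lines)


def nginx_real_ip(nets):
    """Trust CF-Connecting-IP only when the connection comes from a Cloudflare range,
    so logs, rate limits and geo rules see the visitor, not the edge node."""
    return "\n".join([f"set_real_ip_from {n};" for n in nets] + ["real_ip_header CF-Connecting-IP;"])


if __name__ == "__main__":
    nets = parse_cidrs(SAMPLE_CF_LIST)
    print(nft_ruleset(nets))
    print(nginx_real_ip(nets))
```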
SEO and performance tips
Impact of Universal SSL and CDN on SEO and performance:
- Enabling Universal SSL at the edge ensures that users always get HTTPS, which is beneficial for SEO.
- Using CDN and edge certificates reduces TLS handshake time for global users.
- Make sure the 301 Redirect from HTTP to HTTPS is set up correctly and you don't have Mixed Content (use tools like Lighthouse or Screaming Frog to check).
Sample checklist before turning off Universal SSL
- Do you have a replacement edge certificate? (If not, HTTPS will be broken)
- Does Origin have a valid certificate in Full (Strict) mode?
- Are Cloudflare IPs whitelisted in the origin firewall?
- Have users and third-party services (e.g. API consumers) been informed of and prepared for the change?
- Has the right time (low-traffic window) been chosen?
Conclusion and recommendations
Universal SSL is a powerful and simple edge encryption capability that is suitable for most websites and applications. It is recommended to always use Full (Strict) together with a Cloudflare Origin CA certificate or another valid certificate. Disabling Universal SSL should be done with caution and only in special cases.
Technical support and related services
If you use the provided servers (with global locations, cloud and dedicated servers, GPU graphics servers, VPS for trading and gaming, anti-DDoS services, CDN, and BGP support), the technical team can help install Origin CA, set up firewall rules to whitelist Cloudflare IPs, or advise on the best SSL/TLS configuration for the lowest latency and highest security.