
Cloudflare SSL Full (Strict) Setup

Full (Strict) is the recommended Cloudflare SSL mode for production: traffic is encrypted on both legs (browser to edge, edge to origin) and the edge validates the origin certificate. Validation means the certificate must be issued by a CA Cloudflare trusts (a public CA or Cloudflare Origin CA), cover the requested hostname, and be unexpired. Plain Full also encrypts the second leg but accepts any certificate, including self-signed, so it does nothing to stop a spoofed or hijacked origin.

Certificate Options

Let's Encrypt

Use a publicly trusted certificate such as Let's Encrypt when the origin must also be trusted by clients that reach it directly, for example with the Cloudflare proxy disabled or during a bypass. Let's Encrypt certificates are valid for 90 days, so automate renewal and reload the listener after each renewal.

Cloudflare Origin Certificate

Use a Cloudflare origin certificate when the server is meant to be reached only through Cloudflare. It is issued by Cloudflare Origin CA and trusted by Cloudflare's edge, not by browsers or other clients: anyone who connects to the origin directly (proxy off, a grey-clouded DNS record, a client pointed at the IP) gets a certificate error. Validity is chosen at issuance and can be long, which removes renewal churn but also means a leaked key stays usable until you revoke it.

Custom Certificate

A commercial or internal-CA certificate also works as long as Cloudflare can validate it under the mode in use. Under Full (Strict) that means a chain to a publicly trusted root (or a Cloudflare Origin CA certificate) and a hostname match; a certificate from a private CA fails strict validation unless Cloudflare has been given that CA to trust.

Cloudflare Origin Certificate Installation

Generate Certificate in Cloudflare

From the Cloudflare dashboard, generate an origin certificate for the required hostnames. List every hostname the listener will serve, including the bare domain and www (or a wildcard), since a missing name produces a 526 for that host.

Download Certificate & Private Key

Save both items carefully. The private key is displayed only at generation time and cannot be retrieved later; if it is lost, issue a new certificate. It should never be exposed in logs, screenshots, shell history, tickets, or shared notes.

Upload to Server

Place the files in a restricted location such as /etc/ssl/private or another locked-down path. The certificate can be world-readable (0644); the key should be readable only by root and, if the server cannot load it as root, by the account the web server runs as (0600 or 0640 with the server's group). Never work around a permission error by making the key world-readable.

Configure in OpenLiteSpeed SSL

Point the SSL listener or vhost SSL settings to the certificate file and private key file.

OpenLiteSpeed SSL Listener Setup

Enable SSL Listener

Create or edit the listener bound to port 443 on all addresses (*:443, and [::]:443 if the host has IPv6) and set it to secure.

Set Certificate File

Reference the origin certificate path.

Set Private Key File

Reference the matching private key path. A key that does not belong to the certificate stops the listener from starting, which Cloudflare reports as a 525.

Enable HTTP/2 & HTTP/3

Turn on modern protocol support if your network path, firewall, and client profile support it. HTTP/3 runs over UDP 443, so that port must be open alongside TCP 443. Note that with the proxy enabled, client-side HTTP/2 and HTTP/3 terminate at Cloudflare's edge; the origin's own protocol settings only matter for the edge-to-origin leg and for clients that reach the origin directly.
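The installation steps above (copy the certificate and key into a restricted path, then point the OpenLiteSpeed listener at them) as one script. This is an added example, not code from the page or from OpenLiteSpeed. It assumes the downloaded files are named origin.pem and origin.key, that OpenLiteSpeed reads its listener settings from httpd_config.conf in the usual format, and that the listener name HTTPS, the vhost name Example and the domain example.com are placeholders you replace. Before installing anything it checks that the private key actually belongs to the certificate, since a mismatched pair is the most common reason a listener fails to start.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes: origin.pem/origin.key from the
# Cloudflare dashboard, OpenLiteSpeed's httpd_config.conf listener syntax, and the
# placeholder names HTTPS / Example / example.com.
set -eu

CERT_DIR="${CERT_DIR:-/etc/ssl/private}"

# The certificate embeds a public key; derive the public key from the private key and
# compare SHA-256 fingerprints of the DER encodings. Works for RSA and EC keys alike.
key_matches_cert() {
    cert="$1"; key="$2"
    cert_fp=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | sha256sum | cut -d' ' -f1)
    key_fp=$(openssl pkey -in "$key" -pubout -outform DER | sha256sum | cut -d' ' -f1)
    [ "$cert_fp" = "$key_fp" ]
}

# Copy the pair into a locked-down directory: cert 0644 (public data), key 0600.
# Optional 4th argument: a group to grant read access to the key (0640) if the
# server process cannot read it as root. Refuses to install a mismatched pair.
install_origin_cert() {
    cert="$1"; key="$2"; dest="$3"; group="${4:-}"
    key_matches_cert "$cert" "$key" || { echo "private key does not match certificate" >&2; return 1; }
    mkdir -p "$dest"
    chmod 0750 "$dest"
    install -m 0644 "$cert" "$dest/origin.pem"
    install -m 0600 "$key"  "$dest/origin.key"
    if [ -n "$group" ]; then
        chgrp "$group" "$dest/origin.key"
        chmod 0640 "$dest/origin.key"
    fi
}

# Print the listener block for httpd_config.conf referencing the installed files.
# Assumed OpenLiteSpeed directives: secure 1 enables TLS; sslProtocol 24 = TLS 1.2
# (8) + TLS 1.3 (16); enableSpdy 15 includes HTTP/2; enableQuic 1 enables HTTP/3.
listener_block() {
    dest="$1"; vhost="$2"; domain="$3"
    cat <<EOF
listener HTTPS {
  address                 *:443
  secure                  1
  keyFile                 $dest/origin.key
  certFile                $dest/origin.pem
  certChain               1
  sslProtocol             24
  enableSpdy              15
  enableQuic              1
  map                     $vhost $domain
}
EOF
}

# Usage: sh install_origin_cert.sh origin.pem origin.key [/etc/ssl/private] [group]
if [ $# -ge 2 ]; then
    dest="${3:-$CERT_DIR}"
    install_origin_cert "$1" "$2" "$dest" "${4:-}"
    listener_block "$dest" Example example.com
fi
```

Run it as root on the origin; the listener block it prints is what goes into the HTTPS listener section (or the equivalent fields in the WebAdmin console), after which OpenLiteSpeed needs a graceful restart to pick up the files.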

Cloudflare Dashboard Settings

SSL Mode -> Full (Strict)

Set the zone SSL mode to Full (Strict) only after the origin certificate is valid and loaded correctly. Switching first takes the whole site down with 526 errors, because the edge rejects every connection whose certificate it cannot validate.

Always Use HTTPS

Enable automatic HTTP to HTTPS redirect at the edge for a clean secure default.

Automatic HTTPS Rewrites

This rewrites http:// references to https:// in the HTML served through Cloudflare for hosts known to support HTTPS. It helps with mixed-content warnings during a migration when older content still references http:// assets, but it is a stopgap: fix the stored URLs rather than relying on the rewrite.

Verification

Check SSL Status

Visit the site through Cloudflare and confirm the browser reports a valid secure connection. Keep in mind that the certificate the browser sees is Cloudflare's edge certificate, not the origin's, so a clean padlock alone does not prove the edge-to-origin leg is correct; the direct origin test below does that.

Verify HTTPS Redirect

Ensure http://example.com redirects cleanly to HTTPS without loops.

Test TLS Handshake

Use tools such as openssl s_client or external SSL scanners to confirm the origin serves the expected certificate and protocol versions. Because the proxied hostname resolves to Cloudflare, test the origin by connecting to its IP address directly while still sending the hostname as SNI (openssl s_client -connect ORIGIN_IP:443 -servername example.com); that is how the edge connects, and a listener that only answers correctly without SNI will serve the wrong certificate to Cloudflare.
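The verification steps above (direct origin handshake, certificate checks, redirect check) as a script. This is an added example, not from the original page. It assumes you know the origin's IP address (passed as the second argument) so the origin can be tested while bypassing Cloudflare, and it requires OpenSSL 1.1.1 or newer for the -ext option. The certificate checks cover the two causes of 526 you can test locally: a hostname missing from the SAN list and an expiring certificate.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes ORIGIN_IP is known and that
# curl and OpenSSL >= 1.1.1 are installed on the machine running the checks.
set -eu

# Fetch the leaf certificate the origin presents for a hostname. -servername sends
# SNI exactly as Cloudflare's edge does; without it a multi-site listener may hand
# back its default certificate instead of the one you installed.
fetch_origin_cert() {
    host="$1"; ip="$2"
    openssl s_client -connect "$ip:443" -servername "$host" </dev/null 2>/dev/null | openssl x509
}

# Does the certificate's subjectAltName list cover the host? Accepts an exact DNS
# entry or a wildcard one label up (*.example.com covers www.example.com).
cert_covers_host() {
    pem="$1"; host="$2"
    sans=$(openssl x509 -in "$pem" -noout -ext subjectAltName | tr ',' '\n' | sed -n 's/^ *DNS://p')
    wildcard="*.${host#*.}"
    printf '%s\n' "$sans" | grep -qxF -e "$host" -e "$wildcard"
}

# Succeeds only if the certificate stays valid for at least N more days. Cloudflare
# returns 526 from the moment the certificate expires, so check well ahead.
cert_valid_for_days() {
    pem="$1"; days="$2"
    openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null
}

# Reach the origin over HTTPS with the real hostname, as the edge would. -k skips
# curl's chain validation (a Cloudflare Origin CA cert is not in the system store);
# the functions above do the certificate checks instead. A refused or reset
# connection here is what Cloudflare surfaces as a 525.
probe_origin_https() {
    host="$1"; ip="$2"
    curl -sS -o /dev/null -k --resolve "$host:443:$ip" -w '%{http_code} HTTP/%{http_version}\n' "https://$host/"
}

# Follow http:// through at most 5 redirects and print hop count plus final URL.
# One hop ending at https:// is correct; curl exit 47 (too many redirects) or a
# final URL that is still http:// means a loop or a broken rule.
check_redirect() {
    host="$1"
    curl -sS -o /dev/null -L --max-redirs 5 -w '%{num_redirects} %{url_effective}\n' "http://$host/"
}

# Usage: sh verify_origin.sh example.com ORIGIN_IP
if [ $# -ge 2 ]; then
    host="$1"; ip="$2"; pem=$(mktemp)
    fetch_origin_cert "$host" "$ip" > "$pem"
    openssl x509 -in "$pem" -noout -subject -issuer -enddate
    cert_covers_host "$pem" "$host" && echo "SAN covers $host" || echo "SAN does NOT cover $host (expect 526)"
    cert_valid_for_days "$pem" 30 && echo "valid for 30+ days" || echo "expires within 30 days"
    probe_origin_https "$host" "$ip"
    check_redirect "$host"
    rm -f "$pem"
fi
```

Run it from outside the origin (or from the origin itself against its public IP) after installing the certificate and before switching the zone to Full (Strict); the issuer line should name Cloudflare Origin CA or your public CA, and the redirect line should read 1 https://example.com/.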

Common Failure Patterns

Problem                      Typical cause
525 SSL handshake failed     Origin listener or TLS handshake problem: nothing listening on 443, TLS version or cipher mismatch, or the listener refusing the SNI hostname
526 invalid SSL certificate  Cloudflare cannot validate the origin certificate: expired, hostname not in the SAN list, self-signed or private-CA issuer, or missing intermediate chain
Redirect loop                Flexible mode combined with an origin-side HTTPS redirect, duplicate redirect rules, or the origin ignoring X-Forwarded-Proto and thinking the request was plain HTTP
Wrong certificate served     Listener or SNI mapping points to the wrong cert, typically a default listener certificate answering for a hostname that is mapped elsewhere