I would like to set up Free SSL on Acquia through CloudFlare.
All Acquia customers can utilize CloudFlare’s Universal SSL origin certificate to provide free SSL encryption on their Acquia Cloud hosted websites. This method makes use of CloudFlare’s “Full SSL (strict)” mode, which encrypts the connection between your website visitors and CloudFlare, and from CloudFlare to Acquia.
Before we begin, know that CloudFlare generates the free certificate per apex domain. Therefore, you cannot protect multiple apex domains on a single CloudFlare certificate, such as example.com and example2.com. Also, this method will only provide Full Strict SSL on the fully qualified domain or subdomain (e.g. www.example.com or dev.example.com). Requests to the bare domain (e.g. example.com) will be served over SSL using CloudFlare’s “Flexible SSL” mode. We have information on how to redirect requests from the bare domain to the “www.” subdomain here. If you need to protect multiple apex domains or want Full Strict SSL mode on the bare domain, you will need to pursue other SSL options as explained here.
1) Create the CloudFlare certificate
Within CloudFlare, navigate to the “Crypto” page and click the “Create Certificate” button under the Origin Certificates panel.
Check the “Let CloudFlare generate a private key and a CSR” button. By default, the bare domain and the wildcard domain are added as hostnames, which covers "example.com" as well as "www.example.com", "dev.example.com", etc. Select the length of time before your certificate expires (e.g. 15 years) then click “Next”.
2) Copy the CloudFlare Certificate Files
The next page contains your certificate and private key data in PEM format. We will need this data as files in order to upload them to Acquia. We will create two files locally:
First, create a new, plain text file on your local machine called ssl.crt and copy-paste the “Origin Certificate” text into the file and save.
Next, create a new, plain text file on your local machine called ssl.key and copy-paste the “Private key” text into the file and save.
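A pre-upload sanity check for the two files created in this step, as an added example that is not part of the original article: it flags a swapped, truncated or padded paste by checking the PEM label and the outer DER length header. The function names and the sample data are assumptions constructed for illustration, and the check does not verify that the key actually belongs to the certificate.

```python
import base64
import re

# One PEM block: BEGIN line, base64 body, END line with the same label.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# Constructed sample: a valid outer SEQUENCE header over zero bytes, not a real cert.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)

def der_is_complete(der: bytes) -> bool:
    """True if der is one DER SEQUENCE whose length header matches its size."""
    if len(der) < 2 or der[0] != 0x30:        # 0x30 = SEQUENCE tag
        return False
    if der[1] < 0x80:                         # short form: length in one byte
        header, length = 2, der[1]
    else:                                     # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def check_pem(text: str, expect: str) -> list:
    """Return problems in pasted PEM text; expect is "certificate" or "key"."""
    blocks = PEM_RE.findall(text)
    if len(blocks) != 1:
        return [f"expected exactly 1 PEM block, found {len(blocks)}"]
    label, body = blocks[0]
    problems = []
    ok = (label == "CERTIFICATE") if expect == "certificate" else label.endswith("PRIVATE KEY")
    if not ok:
        problems.append(f"wrong block type for {expect}: {label}")
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:                        # binascii.Error is a ValueError
        return problems + ["body is not valid base64"]
    if not der_is_complete(der):
        problems.append("DER length mismatch (truncated paste?)")
    if PEM_RE.sub("", text).strip():
        problems.append("unexpected text outside the PEM block")
    return problems

def sample_pem(label: str, der: bytes) -> str:
    """Build constructed PEM text for the demo; not a real certificate or key."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

if __name__ == "__main__":
    # Key text saved as ssl.crt by mistake is reported as a wrong block type.
    print(check_pem(sample_pem("PRIVATE KEY", SAMPLE_DER), "certificate"))
```

To check real files, pass the contents of ssl.crt with `expect="certificate"` and the contents of ssl.key with `expect="key"`; an empty list means the paste looks structurally intact.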
3) Upload the CloudFlare certificate to Acquia
Within the Acquia Cloud UI, navigate to your desired Environment's SSL page and click “Install new SSL certificate”. Paste the ssl.crt file into the “SSL certificate” upload field.
Copy and paste CloudFlare’s intermediary certificate text below into the “CA intermediate certificates” text area:
Upload the ssl.key file into the “SSL private key” upload field and click “Submit”.
This will initiate the self-service SSL process of uploading your certificate to an environment of your choosing. We have more information about using SSL on our platform here.
We have additional instructions on installing an SSL certificate on Acquia Cloud here.
4) Create the CloudFlare Page Rule
Within CloudFlare, navigate to the “Page Rules” page and click “Create Page Rule”. Add your https bare domain to the URL field, for example https://example.com. Then add an “SSL” setting with the value of “Flexible”. This will ensure that requests to the bare domain resolve, at which point you can redirect them to the fully qualified domain served over Full Strict SSL mode.
5) Enable Full Strict SSL mode
Finally, navigate to the “Crypto” page and select “Full (strict)” in the SSL panel to ensure that requests are fully encrypted from Edge to Origin.