Cloudflare Automatic SSL/TLS: What It Is and Why It Can Break Your Site Overnight

If you use Cloudflare and your site suddenly started throwing SSL errors out of nowhere — there’s a good chance the culprit is a relatively new feature called Automatic SSL/TLS. Cloudflare quietly rolled this out to automatically adjust your encryption mode based on the actual certificate status on your server. If your cert has expired without you noticing, the fallout is immediate.

How Cloudflare SSL/TLS works

When you use Cloudflare as a proxy (the orange cloud), there are two separate SSL connections in play:

  • Browser → Cloudflare: always encrypted, Cloudflare manages this cert on your behalf
  • Cloudflare → your VPS: depends on which SSL/TLS mode you have selected

Cloudflare offers four SSL/TLS modes:

  • Off: no encryption at all
  • Flexible: only the browser-to-Cloudflare leg is encrypted; Cloudflare connects to your server over plain HTTP
  • Full: encrypts both legs, but does not validate whether your server’s cert is valid or expired
  • Full (Strict): encrypts both legs and requires your server cert to be valid and not expired

A lot of people run on Full mode for years without issue — and because Cloudflare doesn’t check the cert on the origin server, an expired cert causes no visible problems. Certbot renewal failures go unnoticed. The site keeps running. Until it doesn’t.

What is Automatic SSL/TLS?

Automatic SSL/TLS is Cloudflare’s newer feature that takes the mode selection out of your hands. Instead of a static setting, Cloudflare periodically scans your origin server and automatically adjusts the encryption mode to the highest level your setup can support.

If it detects a valid certificate on your server, it upgrades to Full (Strict). If it doesn’t, it steps down. The intent is good — push sites toward stronger security automatically. But if your cert has silently expired, this scan is what triggers the outage.

You can check the status in your Cloudflare Dashboard under SSL/TLS → Overview:

SSL/TLS encryption
Current encryption mode: Full (strict)
The encryption mode was last changed a year ago.
Automatic mode enabled 3 days ago.
Next automatic scan on: 06/24.

Why does the site break without warning?

The sequence of events typically looks like this:

  1. You’re running on Full mode — expired cert on the VPS doesn’t matter, site works fine
  2. Certbot fails to auto-renew because Cloudflare’s proxy blocks Let’s Encrypt’s HTTP challenge — but since the site is still up, nobody notices
  3. Cloudflare enables Automatic SSL/TLS and scans your origin server
  4. It upgrades to Full (Strict) — now it actually verifies your origin cert
  5. Expired cert → Cloudflare drops the connection → site goes down with an SSL error

What makes this particularly confusing is that you didn’t change anything. The site just broke on its own — because a feature you didn’t enable triggered a chain reaction on a cert that had been quietly expired for months.
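A check that catches this before Cloudflare's scan does, as an added example that is not part of the original post: it connects straight to the origin IP with the site's hostname as SNI, first verifying the cert the way Full (Strict) does and then reading its expiry unverified, so a cert hidden behind Full mode is reported with the number of days left (negative once expired). ORIGIN_IP and HOSTNAME are assumed values for your own VPS; the embedded DER sample is constructed so the parser can be exercised offline.

```python
# Added example, not from the original post. ORIGIN_IP and HOSTNAME are assumed to be your own VPS and site.
import socket
import ssl
import sys
from datetime import datetime, timezone

# Constructed, not a real cert: minimal DER with version, serial, empty sigAlg/issuer, validity (notAfter 2025-06-24 12:00 UTC).
SAMPLE_DER = (b"\x30\x2e\x30\x2c\xa0\x03\x02\x01\x02\x02\x01\x01\x30\x00\x30\x00\x30\x1e"
              b"\x17\x0d240101000000Z\x17\x0d250624120000Z")

def _tlv(buf: bytes, pos: int) -> tuple[int, int, int]:  # one DER tag+length -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = byte count of the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after_from_der(der: bytes) -> datetime:
    """Walk Certificate -> tbsCertificate -> validity and return notAfter as an aware UTC datetime."""
    _, pos, _ = _tlv(der, 0)                   # enter Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)                 # enter tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    pos = end if tag == 0xA0 else pos          # skip the optional explicit [0] version
    for _ in range(3):                         # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)                 # enter validity SEQUENCE
    _, _, pos = _tlv(der, pos)                 # skip notBefore
    tag, start, end = _tlv(der, pos)           # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def days_until_expiry(der: bytes, now=None) -> int:
    """Days left on the cert (negative = already expired). `now` is an aware UTC datetime, default: now."""
    return (not_after_from_der(der) - (now or datetime.now(timezone.utc))).days

def check_origin(origin_ip: str, hostname: str, port: int = 443) -> tuple[bool, int]:
    """Connect to the origin IP (not the Cloudflare edge) with SNI=hostname. Verify first, exactly as
    Full (Strict) does; if that fails, reconnect unverified so an expired cert's expiry can still be read."""
    ctx = ssl.create_default_context()
    for strict in (True, False):
        try:
            with socket.create_connection((origin_ip, port), timeout=5) as sock, \
                    ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return strict, days_until_expiry(tls.getpeercert(binary_form=True))  # (passes_strict, days)
        except ssl.SSLCertVerificationError:
            ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # order matters: hostname check first
    raise RuntimeError("unverified handshake to origin failed as well")
if __name__ == "__main__":  # usage: python check_origin.py ORIGIN_IP HOSTNAME (no args: offline self-check)
    print(check_origin(*sys.argv[1:3]) if len(sys.argv) == 3 else days_until_expiry(SAMPLE_DER))
```

Run it on a schedule from outside the proxy path and alert when the days left drop below Certbot's 30-day renewal window, which is when a proxy-blocked HTTP-challenge renewal first becomes visible.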

How to fix it

There are two ways to respond:

Option 1 — Disable Automatic mode (not recommended): Go to SSL/TLS → Overview, turn off Automatic SSL/TLS and manually set it back to Full. This removes the immediate pain but doesn’t fix the underlying problem. Your cert is still expired, and you’ll need to track renewals manually going forward.

Option 2 — Fix the root cause (recommended): Renew your cert and reconfigure Certbot to auto-renew using the Cloudflare DNS API instead of HTTP challenge. This way, renewal works even with Cloudflare proxy enabled — and Automatic mode becomes a non-issue because your cert will always be valid.

Step-by-step instructions: Auto-renew SSL with Certbot when using Cloudflare (DNS Challenge).

The takeaway

Automatic SSL/TLS is genuinely a good feature — it pushes sites toward Full (Strict), which is the most secure configuration and one everyone should be running. The problem is that it exposes a gap that Full mode had been silently hiding: expired certs that Certbot couldn’t renew because of Cloudflare’s proxy.

The long-term fix is straightforward — make sure your cert renews automatically and reliably. Once that’s in place, Cloudflare can scan as often as it wants and your site won’t flinch.
