Cloudflare Keyless SSL

What is the appropriate way for the CHT app to use Cloudflare Keyless SSL?
Natively, the medic-os container ships with default.crt and default.key at /srv/settings/medic-core/nginx/private.
I cannot use the Cloudflare-provided (Keyless) SSL.

SunyaEk
Arun

@sahaniarun - I’d not heard of the Keyless SSL offering from Cloudflare - that was fun to read up on!

Can you provide some background on why you want to use Cloudflare to terminate your SSL? This detail might expose another, easier solution.

Otherwise, I note that Cloudflare requires you to set up a Key Server first - this should be done outside of the CHT Docker infrastructure. Having not implemented this myself, I can’t quite be sure, but after setting up and deploying the Key Server, do you get traditional .pem files of your private key and certificate which you can install on any web server which will be the “origin server” in Cloudflare speak? If yes, then you can install these using the existing process.

If you need to run a modified web server with custom support for Keyless SSL, then your only option is to run this modified server as a reverse proxy to your CHT instance. Be sure to test the speed of direct requests vs Keyless SSL requests to ensure this doesn’t introduce unnecessary connection delays.

A final option is to use one of Cloudflare's more traditional SSL termination offerings that can use an unmodified origin server.

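For the "install these using the existing process" path above, the check a practitioner would want before overwriting the container's default pair is that the certificate and private key actually belong together, that the certificate chains to the expected issuer, and that it is not about to expire. The POSIX shell script below is an added example and is not code from this thread, from Cloudflare, or from the CHT/medic-os project. It takes the nginx private directory and the default.crt/default.key file names from the thread; the function names, the CA bundle argument and the 30-day expiry margin are assumptions for illustration. It relies only on the openssl command-line tool.

```shell
#!/bin/sh
# Validate an origin certificate and key, then install them where the
# medic-os nginx expects them. Paths from the thread; NGINX_PRIVATE can be
# overridden for testing. (Added example, not project code.)

NGINX_PRIVATE="${NGINX_PRIVATE:-/srv/settings/medic-core/nginx/private}"

# Returns 0 when the public key embedded in the certificate equals the
# public key derived from the private key; 1 on mismatch; 2 if either
# file cannot be parsed. Works for RSA and EC keys because both paths
# emit the same SubjectPublicKeyInfo PEM.
cert_matches_key() {
  cert="$1"; key="$2"
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when the certificate verifies against the given CA bundle
# (hypothetical argument: whatever issuer your Cloudflare setup hands you).
cert_chains_to() {
  cert="$1"; ca="$2"
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# Returns 0 when the certificate is still valid N days from now.
cert_not_expiring_within() {
  cert="$1"; days="$2"
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Runs the three checks and only then copies the pair into place.
# The key is written 0600 so only the nginx user that owns it can read it.
install_cert() {
  cert="$1"; key="$2"; ca="$3"
  [ -d "$NGINX_PRIVATE" ] || { echo "missing directory: $NGINX_PRIVATE" >&2; return 1; }
  cert_matches_key "$cert" "$key" || { echo "certificate and key do not match" >&2; return 1; }
  cert_chains_to "$cert" "$ca" || { echo "certificate does not chain to CA" >&2; return 1; }
  cert_not_expiring_within "$cert" 30 || { echo "certificate expires within 30 days" >&2; return 1; }
  cp "$cert" "$NGINX_PRIVATE/default.crt" && chmod 0644 "$NGINX_PRIVATE/default.crt"
  cp "$key" "$NGINX_PRIVATE/default.key" && chmod 0600 "$NGINX_PRIVATE/default.key"
}

# Usage: sh install-origin-cert.sh origin.crt origin.key issuer-ca.pem
if [ "$#" -eq 3 ]; then
  install_cert "$1" "$2" "$3"
fi
```

Run it against the files the Key Server deployment gives you before restarting the container; a non-zero exit leaves the existing default.crt and default.key untouched, so a bad pair never reaches nginx.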