Is SSL free with Cloudflare?

Hi all,

I use Heart for my hosting and SSLs.

I noticed one of my SSLs had just expired, and yet the padlock was still showing. I noticed that (on this particular website) the website is being hosted with Heart, but the nameservers are pointing to Cloudflare.

So are Cloudflares SSL free? If so, rather than paying Heart £50pa for an SSL, I could just point the nameservers to Cloud and get it free.

Is that right?


You can get free SSL certificates at Let’s Encrypt in any event. But I do believe Cloudflare’s are free.

Edit: You would need to enable SSL in your Cloudflare account not just point to their name servers.

Thanks. I dont think Heart supports Let’s Encrypt . (From memory I asked them this last year).

Yes Cloudflare “flexible” SSL is free.

Hmm. Im using the “Full” SSL on Cloudflare and have never been charged for it, so I presume all the SSL options on Cloudflare are free.

What Im thinking is that I use Heart for my hosting and emails etc (I have a reseller account) but point the nameservers to Cloudflare so I can get the free SSL (rather than paying £50 each year for each website!!)

Can anyone see a disadvantage or possible unforeseen consequence of doing this?

It sounds as though that’s what you’re doing already - except you’re also paying for an SSL certificate you’re not using :wink:

Indeed. So if I stop buying SSLs with Heart, becuase the nameservers are pointing to Cloudflare, Ill get the SSL free.

1 Like

“Full” means that there is 2 SSL involved. One at Cloudflare and one at your site (payed or Let’s Encrypt)…

Thats odd, the site Im looking at shows Full (in the Cloudflare SSL page), even though the Heart SSL expired a few days ago.

Cloudflares main advantage is that it caches your site. This means that the cached site may be (not sure) can still work. Try developer mode (not cached) and check if this could be the case.

Interesting. Thanks, Ill give that a go later.

(that was my main reason for using Cloudflare in the first was - their caching. But if I get free SSL then thats a bonus! :slight_smile: )

The main benefit of Cloudflare is the cacheing. The free SSL certs are not what they seem, they are also difficult to implement with other systems such as Wordpress. All their free options are basically ‘fixes’ or ‘work arounds’ and can be fraught with problems. My advice - If you want something that looks like SSL because you want to be HTTPS:// and you have a simple requirement, then yeah, it can work. But it is not ‘real’ SSL and the ‘work arounds’ mean lots of extra unforseen work to try and get it to seem to work. My advice, pay for one or get a hosting company that supplies free SSL AND all the other services that you may want as an integrated solution like Wordpress, email, databases - then any problems are all supported at one source. I can give you the details of host I went for if that is permitted on this forum.

Yes, please do.

I found this reply to a post I made on Cloudflare and is from a member of the Cloudflare team, it is quite helpful in understanding the Cloudflare SSL levels

"Hi, let me clarify the SSL levels for you.

So there is the Flexible level, which definitely falls into the “impression of security” category. It shows an HTTPS connection to the visitors, but Cloudflare will connect via plain HTTP to the origin.

Then there is the Full option (non-strict). Lots of users have expired or self-signed certificates on their origin and don’t want their sites to be down if they forget to update their certificate regularly. These certificates can still be used to encrypt data however. This means the data is fully encrypted, but any certificate would work and therefore certain attacks would still be possible.

The Full (Strict) option is the most secure, but requires you to keep your origin’s certificate valid and up to date at all times. You can use paid certificate authorities, but also free ones like LetsEncrypt or Cloudflare Origin CA. If the SSL certificate ever expires on your origin and if you don’t renew it in time, then your site might be down."

I was also told

“You should not have Full in the first place, so there’s no question to begin with. Install a certificate on your server and use Full strict.”

I hope this helps. Basically after much investigation I decided the free SSL from Cloudflare was not worth implementing, and was complicated. So I changed my Hosting to because they offered so much for 6 - 10GBP per month as a package including free SSL, unlimited databases, unlimited bandwidth, unlimited storage 24 hour support and much more. I have been extremely happy ever since.

Thanks so much @kerry14 , this is very helpful.