Setting up Let's Encrypt and Cloudflare Universal SSL for end-to-end encryption

Cloudflare offers SSL for all sites, but Cloudflare SSL only encrypts the connection from the visitor to Cloudflare. This article shows how to provide full, strict encryption for the entire connection from the visitor to the server.

Step 1: Set up the domain

In order to complete the setup process correctly, Let’s Encrypt requires the domain to resolve to the server IP address. If the domain does not resolve to the server IP address, update the domain nameservers to the designated A2 Hosting nameservers for your account. For more information about setting nameservers, please see this article.

Please note that A2 Hosting, in order to provide a consistent and reliable user experience, is switching from Let’s Encrypt to Sectigo for all newly provisioned accounts. Existing accounts will also make the change to Sectigo certificates sometime in the near future. The certificates are equal in terms of trust level, validity, and how they are used. You should see no impact on your site, and the only difference is that the padlock in your browser will now say “cPanel Cert Issued by Sectigo” instead of “Let’s Encrypt.”

Step 2: Verify the Let’s Encrypt certificate has been issued

To verify the Let's Encrypt certificate has been issued for the domain, follow these steps:

  1. Log in to cPanel.
    If you do not know how to log in to your cPanel account, please see this article.
  2. In the Security section of cPanel, click the SSL/TLS Status icon.

  3. On the SSL/TLS Status page, find the domain in the Domain column.
  4. To the right of the domain should be a green lock symbol with the label AutoSSL Domain Validated.


Alternatively, you can use an external validation tool to check the SSL certificate.

Step 3: Sign up for Cloudflare

Please note that we recommend configuring Cloudflare directly through Cloudflare’s site, because the Cloudflare cPanel plugin is no longer receiving updates and the premium Cloudflare options can only be configured directly through Cloudflare’s site. To create an account and start customizing Cloudflare to best suit you and your site’s needs, please refer to the articles Getting Started with Cloudflare and Creating a Cloudflare account and adding a website on Cloudflare’s website.

To sign up for Cloudflare, follow these steps:

  1. Log in to cPanel.
    If you do not know how to log in to your cPanel account, please see this article.
  2. In the Software section of cPanel, click the Cloudflare icon.

  3. On the Cloudflare page, click Create Your Free Account.

  4. A new window appears:

    • Type an e-mail address and password.
    • Click Create Account to continue.
  5. On the next page, in the Enter your site text box, type the domain to be proxied by Cloudflare. Click Add site to continue.

  6. On the next page, choose a plan. Click Free Website, and then click Confirm plan.

  7. Cloudflare scans your website for existing DNS records.
  8. DNS analysis results appear on the next page. Review the information and correct any errors. When you are done, click Continue.
  9. The next page displays nameservers to use for your domain. Make a note of the nameservers, and then click Done, check nameservers.
  10. The Overview page appears. Click on the SSL/TLS icon and click the Full radio button on the SSL/TLS page.

    For additional security, you can change the setting to Full (strict) by clicking Full (strict) instead of Full.

    Full (strict) requires that the domain have a valid certificate issued by a recognized certificate authority (CA) such as Let’s Encrypt.


Step 4: Update nameservers and verify

To update the nameservers and verify the configuration, follow these steps:

  1. Use the control panel at the domain’s registrar to change the nameservers to those provided by Cloudflare.
  2. After 24 hours, verify the changes. The domain should resolve to Cloudflare IP addresses and the SSL certificate should be the Cloudflare Universal SSL certificate (

More Information

Using Let's Encrypt with Cloudflare SSL is a great way to add security to a site quickly and at no cost. Let's Encrypt certificates are only valid for 90 days, and Cloudflare must be turned off during the renewal period. It may be more convenient to use a traditional CA-issued certificate. For a more complete discussion of the differences between Let's Encrypt and other SSL certificates, please see this article.
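
To check the two things this setup depends on, a trusted certificate on the origin server for Full (strict) and enough time left before the 90-day expiry, the following added example (not A2 Hosting or Cloudflare code) connects straight to the origin and summarises its certificate. The function names, the 30-day warning threshold and the sample certificate are assumptions made for illustration, and the local trust store stands in for the one Cloudflare uses.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30  # assumption: flag certificates with under 30 days left


def fetch_origin_cert(origin_ip, hostname, port=443, timeout=10):
    """Handshake with the origin directly (not via Cloudflare); the default context
    rejects untrusted, expired or mismatched certificates with an SSL error."""
    ctx = ssl.create_default_context()
    with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def name_covers(pattern, hostname):
    """Match a SAN entry, allowing a wildcard only as the whole first label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def assess_cert(cert, hostname, now=None):
    """Summarise a getpeercert() dict: issuer, name coverage, days remaining."""
    now = now or datetime.now(timezone.utc)
    ts = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (datetime.fromtimestamp(ts, timezone.utc) - now).days
    issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if days_left < 0:
        status = "expired"
    elif not any(name_covers(s, hostname) for s in sans):
        status = "name mismatch"
    elif days_left < RENEW_WINDOW_DAYS:
        status = "renew soon"
    else:
        status = "ok"
    return {"issuer": issuer.get("organizationName"), "days_left": days_left,
            "status": status}


# Constructed sample in the shape getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "Example CA"),)),
    "notAfter": "Jun  1 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
```

Against a live server, pass the result of fetch_origin_cert(origin_ip, hostname) to assess_cert; a handshake that raises ssl.SSLCertVerificationError indicates a certificate that Full (strict) would also be expected to reject.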
