How SSL automation on CDN works? Print

  • 0

For many Nixzoehost customers, using a Content Delivery Network (CDN) like Cloudflare or our built-in Nixzoe-Edge is the best way to speed up their site. However, adding a CDN creates a "middleman" in your security.

Understanding how SSL automation works in this environment is the key to preventing "526 Invalid SSL" errors and redirect loops.


The "Split" Security Model

In a traditional setup, the SSL goes from the visitor directly to your server. With a CDN, the connection is split into two distinct paths:

  1. The Client-to-Edge Connection: This is the path between your visitor and the CDNs nearest server. The CDN provides the SSL certificate here.

  2. The Edge-to-Origin Connection: This is the path between the CDN and your Nixzoehost server. You still need an SSL here to keep the data private.


How the Automation Works

Modern CDNs use ACME (Automated Certificate Management Environment) to keep your site secured without you having to upload files manually every few months.

1. Automated Issuance

When you point your domains nameservers to a CDN, the CDN automatically detects that it is now responsible for your traffic. It sends a request to a Certificate Authority (like Let's Encrypt or Google Trust Services) to issue a "Universal SSL" for your domain.

2. Validation via DNS

Because the CDN controls your DNS, it can prove to the Certificate Authority that it "owns" the domain by placing a temporary hidden record in your DNS settings. This happens in the background in seconds.

3. Perpetual Renewal

As of 2026, most CDN certificates expire every 90 days. The automation system typically starts the renewal process 30 days before expiration. If the domain is still pointing to the CDN, the new certificate is installed silently with zero downtime.


Setting the Right "Strictness" Level

Inside your CDN dashboard, you will see different SSL modes. For Nixzoehost users, here is what they mean:

  • Flexible (Not Recommended): Traffic is encrypted from the user to the CDN, but "plain text" (unencrypted) from the CDN to Nixzoehost. This is insecure for modern web standards.

  • Full: Encrypts both paths, but doesn't check if the certificate on Nixzoehost is "official." You can use a self-signed cert here.

  • Full (Strict) - Recommended: Both paths are fully encrypted, and the CDN checks to make sure your Nixzoehost server has a valid, non-expired certificate. Use this mode if you have cPanel AutoSSL enabled.


Troubleshooting the "Automation Conflict"

Sometimes, your CDN and your cPanel SSL Manager might "fight" over who gets to secure the domain.

Problem Cause Solution
Redirect Loop (Too many redirects) CDN is trying to force HTTPS while Nixzoehost is trying to force HTTP. Set CDN to Full (Strict) and ensure your WordPress site URL uses https://.
526 Invalid SSL Error The certificate on your Nixzoehost server has expired, and the CDN can't verify it. Log into cPanel and Run AutoSSL to refresh the origin certificate.
Validation Failed The CDN is blocking the "Challenge file" that cPanel needs to issue a certificate. Temporarily "Pause" the CDN or use DNS-based validation instead of HTTP.

Nixzoehost Pro-Tip: If you use our Global CDN, we handle the "Handshake" between the edge and your server automatically. You won't have to manually configure strictness levelsour system defaults to the highest security possible.


Was this answer helpful?

« Back