SSL/TLS Modes
Cloudflare offers four SSL/TLS encryption modes that control how traffic is encrypted between visitors, Cloudflare, and your Ultra Web Hosting server. Choosing the wrong mode is the most common cause of redirect loops and SSL errors. This guide explains each mode and why we strongly recommend Full (Strict).
The Four SSL/TLS Modes
Cloudflare encrypts traffic in two segments: the connection between the visitor and Cloudflare (the "edge"), and the connection between Cloudflare and your server (the "origin"). The SSL mode you choose determines how the second segment is handled.
Off (Not Secure)
No encryption at all. All traffic between visitors and your site is sent over plain HTTP. This mode should never be used — it exposes your visitors' data and browsers will display security warnings.
Visitor ---[HTTP]--- Cloudflare ---[HTTP]--- Your Server
Flexible
Encrypts traffic between visitors and Cloudflare, but the connection from Cloudflare to your server is unencrypted HTTP.
Visitor ---[HTTPS]--- Cloudflare ---[HTTP]--- Your Server
This mode was designed for servers that do not have SSL certificates installed. Since Ultra Web Hosting provides free AutoSSL certificates for every account, there is no reason to use Flexible mode.
Full
Encrypts traffic on both segments. Cloudflare connects to your server over HTTPS, but it does not verify that your server's SSL certificate is valid or trusted. It will accept self-signed or expired certificates.
Visitor ---[HTTPS]--- Cloudflare ---[HTTPS (unverified)]--- Your Server
This mode works and avoids redirect loops, but it does not provide full security because Cloudflare is not verifying the identity of your server.
Full (Strict) — Recommended
Encrypts traffic on both segments, and Cloudflare verifies that your server's SSL certificate is valid and trusted. The certificate must be issued by a trusted Certificate Authority (like the free AutoSSL certificates provided by Ultra Web Hosting) and must not be expired.
Visitor ---[HTTPS]--- Cloudflare ---[HTTPS (verified)]--- Your Server
How to Set Your SSL/TLS Mode
- Log into your Cloudflare dashboard.
- Select your domain.
- Go to SSL/TLS in the left sidebar.
- Under Overview, you will see the current encryption mode.
- Click Configure and select Full (Strict).
- Save the change. It takes effect immediately.
Always Use HTTPS
In addition to setting the SSL mode, you should enable the "Always Use HTTPS" setting in Cloudflare. This automatically redirects all HTTP requests to HTTPS at the Cloudflare edge, before traffic even reaches your server.
- In the Cloudflare dashboard, go to SSL/TLS → Edge Certificates.
- Find the Always Use HTTPS toggle and turn it on.
With this enabled, you may be able to remove any HTTPS redirect rules from your .htaccess file on the server, since Cloudflare handles the redirect before the request reaches your server. However, keeping the .htaccess rule as a backup does no harm.
Edge Certificates vs Origin Certificates
Cloudflare uses two types of SSL certificates, and it is important to understand the difference:
Edge Certificates
These are the certificates that encrypt traffic between visitors and Cloudflare. Cloudflare provides these automatically and for free on all plans. You do not need to do anything to set them up — they are provisioned automatically when you activate Cloudflare on your domain. Edge certificates cover your root domain and one level of subdomains (e.g., yourdomain.com and www.yourdomain.com).
Origin Certificates
These are the certificates on your Ultra Web Hosting server that encrypt traffic between Cloudflare and your server. You have two options:
- AutoSSL (Recommended) — Ultra Web Hosting's free AutoSSL automatically installs and renews trusted SSL certificates from a public Certificate Authority. These work with Full (Strict) mode and require no manual setup.
- Cloudflare Origin Certificate — Cloudflare can generate a certificate specifically for the Cloudflare-to-server connection. These are only trusted by Cloudflare (not browsers directly), so they only work when traffic passes through Cloudflare. They are valid for up to 15 years. This is an advanced option that most users do not need since AutoSSL already provides valid certificates.
Troubleshooting SSL Issues
Redirect Loops ("Too Many Redirects" / ERR_TOO_MANY_REDIRECTS)
This is almost always caused by Flexible SSL mode combined with an HTTPS redirect on your server. The fix:
- Go to SSL/TLS in your Cloudflare dashboard.
- Change the mode from Flexible to Full (Strict).
- Clear your browser cache (or test in an incognito/private window).
- Your site should load immediately.
Why this happens: When SSL is set to Flexible, Cloudflare connects to your server over HTTP (port 80). Your server's .htaccess file (or WordPress settings) detects a non-HTTPS connection and sends a 301 redirect to HTTPS. Cloudflare receives this redirect and follows it, but since the mode is Flexible, it connects over HTTP again. This cycle repeats indefinitely until the browser gives up.
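The cycle described above can be reproduced with a small model of the edge and the origin. This is an added illustration, not code from Cloudflare or Ultra Web Hosting; the function and parameter names are made up for the example, and certificate validation is not modelled, so Full and Full (Strict) behave the same here.

```python
# Scheme used on the Cloudflare-to-origin segment in each mode (from the mode diagrams).
ORIGIN_SCHEME = {"flexible": "http", "full": "https", "full_strict": "https"}


def origin_response(scheme, host, path, redirect_rule):
    """Origin with an optional .htaccess-style rule: redirect whatever arrives over HTTP."""
    if redirect_rule and scheme == "http":
        return 301, f"https://{host}{path}"
    return 200, None


def edge_response(url, mode, always_https, redirect_rule):
    """One visitor request: the edge answers itself or relays the origin's answer."""
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    path = "/" + path
    if scheme == "http" and always_https:
        # "Always Use HTTPS": redirected at the edge, the origin is never contacted.
        return 301, f"https://{host}{path}"
    # The mode, not the visitor's scheme, decides how the origin is contacted.
    return origin_response(ORIGIN_SCHEME[mode], host, path, redirect_rule)


def load(url, mode, always_https=True, redirect_rule=True, max_redirects=20):
    """Follow redirects up to a limit; return (outcome, list of URLs requested)."""
    chain = [url]
    for _ in range(max_redirects):
        status, location = edge_response(chain[-1], mode, always_https, redirect_rule)
        if status == 200:
            return "ok", chain
        chain.append(location)
    return "too many redirects", chain


if __name__ == "__main__":
    for mode in ("flexible", "full_strict"):
        outcome, chain = load("http://yourdomain.com/", mode)
        print(f"{mode:12} {outcome:20} {len(chain) - 1} redirect(s)")
```

Only the combination of Flexible mode and the origin redirect rule loops; removing either one lets the request complete.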
Mixed Content Warnings
If your browser shows a "Not Secure" warning or some page elements (images, scripts, stylesheets) fail to load after enabling Cloudflare, you likely have mixed content. This means your HTML pages are loaded over HTTPS but reference some resources using http:// URLs.
To fix this:
- In Cloudflare, go to SSL/TLS → Edge Certificates and enable Automatic HTTPS Rewrites. This rewrites http:// URLs to https:// on the fly.
- For a permanent fix, update the URLs in your website's code, database, or CMS settings to use https://. In WordPress, you can use the "Better Search Replace" plugin to update all URLs in the database.
SSL Certificate Not Showing / Browser Warning
If visitors see a certificate warning after activating Cloudflare:
- Edge certificate not yet provisioned — New domains on Cloudflare may take up to 15 minutes for the edge certificate to be issued. Wait and try again.
- Using Full (Strict) but AutoSSL has not been issued — If your Ultra Web Hosting account is brand new, AutoSSL may need a few hours to issue a certificate. In the meantime, you can temporarily use Full (non-strict) mode, then switch to Full (Strict) once AutoSSL completes. Check SSL status in cPanel under Security → SSL/TLS Status.
- Subdomain not covered — Cloudflare's free edge certificate covers the root domain and one level of subdomains. Multi-level subdomains (e.g., app.staging.yourdomain.com) require a paid plan or an Advanced Certificate Manager subscription.
Error 526: Invalid SSL Certificate
This Cloudflare error means you are using Full (Strict) mode but the SSL certificate on your server is expired, invalid, or not yet issued. Solutions:
- Check your AutoSSL status in cPanel under Security → SSL/TLS Status. If the certificate is expired, click Run AutoSSL to request a new one.
- Make sure the certificate on the server covers the domain you are accessing (including www if applicable).
- Temporarily switch to Full (non-strict) mode while the certificate issue is resolved.
Error 525: SSL Handshake Failed
This means Cloudflare could not establish an SSL connection with your server. This is usually a server-side issue:
- Your server may not have SSL configured on port 443. Contact Ultra Web Hosting support if this occurs.
- There may be a firewall blocking Cloudflare's IP addresses. Your server needs to allow connections from Cloudflare's IP ranges.
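Before switching to Full (Strict), or when diagnosing Error 526 or Error 525, the origin can be tested directly, bypassing Cloudflare. The script below is an added example, not a Cloudflare or Ultra Web Hosting tool; `check_origin`, `strict_problems` and the origin IP argument are names chosen for the illustration. It validates against the local system trust store, so a Cloudflare Origin Certificate will be reported as untrusted here even though Cloudflare accepts it.

```python
import socket
import ssl
import time


def covers(cert, hostname):
    """True if a subjectAltName DNS entry in the certificate matches hostname."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = value.lower()
        if name == host:
            return True
        # "*.yourdomain.com" stands in for exactly one left-most label.
        if name.startswith("*.") and host.partition(".")[2] == name[2:]:
            return True
    return False


def strict_problems(cert, hostname, now=None):
    """Reasons a certificate (ssl.getpeercert() dict) fails the expiry and coverage checks."""
    now = time.time() if now is None else now
    problems = []
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        problems.append("expired")
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("not yet valid")
    if not covers(cert, hostname):
        problems.append("does not cover " + hostname)
    return problems


def check_origin(origin_ip, hostname, port=443, timeout=10):
    """Handshake with the origin server itself; an empty list means no problem found."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return strict_problems(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as exc:
        return [exc.verify_message]                    # what Error 526 reflects
    except (ssl.SSLError, OSError) as exc:
        return ["handshake failed: " + str(exc)]       # what Error 525 reflects


# Constructed certificate fields, in the format ssl.getpeercert() returns.
SAMPLE_CERT = {
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Apr  1 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "yourdomain.com"), ("DNS", "*.yourdomain.com")),
}
```

Call `check_origin` with your server's IP address and the hostname visitors use, once for the root domain and once for www.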