Generally the only problem this causes is if a site owner wants to use an EV cert. To use your own cert at Cloudflare I think you need to be on either the $200 or $1500/mo plans, and most would prefer to just use their cert than spending that just to have an EV cert in place, given most browsers have dropped the EV prominent display these days anyway.

If the real server is still using a cert issued to the domain, which it ideally will be, then Cloudflare can be set to 'strict' mode SSL, where they ensure the correct site cert is in use for their own traffic to the back end.

Ah OK. My conclusion then is that a free Let's Encrypt or Sectigo (~$50) is all that is really needed for most sites?

Scott
IDS

Yep it's fairly rare for anyone to have a SSL brand preference these days. Browser compatibility is the big question, but most newer entities get cross signed CA certs from a trusted root. I prefer not using Lets Encrypt on production sites since they have to be renewed very frequently, which means interruption.

Thanks.

Scott