Sucuri Firewall provides two modes for SSL connections: Partial HTTPS and Full HTTPS. They are available on the "HTTPS/SSL" tab of the Firewall dashboard.
The connection is safe (HTTPS) between your visitor and the Firewall, however when reaching your server, the connection uses HTTP (not secure):
Although your visitor will see the website as safe, Partial HTTPS is know for causing redirect loops and could suffer from man-in-the-middle (MitM) attacks. Use it only if deeply necessary.
The safest way of configuring the SSL Mode, Full HTTPS is designed to make the whole connection encrypted:
This method requires a SSL on the server side. Beware that your visitor will never see the hosting SSL, only the Firewall itself does. Your visitor will always see the SSL uploaded on the Firewall. If you didn't upload a custom SSL, a Let's Encrypt SSL is issued for your domain automatically.
The hosting SSL could be a self-signed SSL or even an expired SSL (you do not need to renew your server SSL). The Firewall will continue to accept the server SSL and always provide your visitor the SSL within the Firewall. However, in case you want a Strict SSL mode, so the Firewall always check if the server SSL is valid, please open a support ticket.
In case you still want to renew your server SSL automatically such as using cPanel's AutoSSL or Certbot, please open a support ticket so we can allow forwarding the certificate validation to hosting.