3rd Party SSL Certificate Missing Intermediate Certificate

Last Friday I installed a 3rd-party SSL cert (digicert) for my website clio.com w/i the edge certificate tab (i.e. pasted in the SSL certificate and private key). I’m using the compatible bundle method.

Everything appeared to be working properly, but now notice that clio.com (and not www.clio.com) appears to be missing an intermediate certificate (I checked via https://www.digicert.com/help/).

Any thoughts?

% host clio.com
clio.com has address 35.247.60.15

That host is pointing at your origin, so it is not using the Cloudflare uploaded certificate.

1 Like

Clio.com is not a Cloudflare server. ‘www’ is, though.

Ok - so the issue lies w/ our SSL setup on origin?

Correct.

While you are making changes, you should try and get a second certificate bundle from your CA using the act same set of names but using ECC/ECDSA. You can upload both to Cloudflare, and clients will benefit from using ECDSA where available.

Also, I see your Origin is WPE. They will generate Let’s Encrypt certificates for your domain, and Cloudflare will generate Universal certificates that include all the hostnames you are using in your Custom Certificate. Unless you have very particular requirements, using the default certs on both platforms is probably easier, requires less manual work, and will provide the same hostname coverage and security.

Hey, Michael.

I think the issue when I looked at it earlier was that we are not using Cloudflare for our name nameservers. As such Universal SSL is disabled for us :frowning:

I was looking into being able to use the WPE LE cert on both origin and Cloudflare, but my research lead me to believe that you cannot do so if you are using Cloudflare as CDN (which we are).

Universal SSL is available to CNAME setups, you just need to perform some steps to allow the certificates to validate. See:
https://support.cloudflare.com/hc/en-us/articles/360020348832-Understanding-a-CNAME-Setup#h_989980109291544055191509

I use WPE with LE certs behind Cloudflare, and have done so for years without issue. The cert you use on the Origin will not be the same as the cert you use in Cloudflare, but that is not going to be an issue in most situations.

1 Like

Interesting. Ok, that’s good to know.

I think we’ll keep our existing setup for this year, but switch over as per your recommendation on the next go around.

Thanks!

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.