Access to my (sub-)domains raise ERR_CERT_AUTHORITY_INVALID,

Answer these questions to help the Community help you with Security questions.

What is the domain name?

whoami.mydomain2.com (redacted, replaced by mydomain2.com)

Have you searched for an answer?

Yes

Please share your search results url:

Too many urls, including community cloudflare, blogs posts, github, etc.

When you tested your domain, what were the results?

Describe the issue you are having:

Access to my (sub-)domains raise ERR_CERT_AUTHORITY_INVALID, even if my server uses the right origin CA certificate

I got a ERR_CERT_AUTHORITY_INVALID error when I attempt to access whoami.mydomain2.com.

However, the origin CA certificate is good (c.f. previous screenshot), so I don’t know what to do.

On the server I have a dockerized reverse-proxy: Traefik, and I handle two domains: mydomain1.com, mydomain2.com.

mydomain1.com just works very well, it uses the right origin CA. But when I visit a site under mydomain2.com, it switch the origin CA to use the cert of mydomain2.com, but I getting the ERR_CERT_AUTHORITY_INVALID

What error message or number are you receiving?

What steps have you taken to resolve the issue?

  1. Check universal certificate: ok
  2. Universal certificate enabled: ok
  3. Universal certificate covers domain: *.mydomain2.com, mydomain2.com
  4. SSL/TLS mode: Full strict
  5. Domain managed by Cloudflare (bought on Cloudflare registrar)

Was the site working with SSL prior to adding it to Cloudflare?

I bought the domain on Cloudflare…

What are the steps to reproduce the error:

  1. Accessing to wy website
  2. See the wonderful error…

Have you tried from another browser and/or incognito mode?

Yep, another browser, incognito mode, other device, with and without VPN.

Other information

I turned the zone into Dev mode, and I also teste by disabling Cloudflare on Site

You need to enable proxy on that record.
From within Cloudflare’s Dashboard, in your zone/website, under DNS → Records, find “whoami”, click “Edit”, and the slider next to DNS-only to make the record proxied :orange:

The Cloudflare Origin Certificates are only trusted by Cloudflare’s proxy and only work with proxy enabled. You should never be able to see them directly in your browser. After you make the change, you may need to wait a bit for dns cache.

It is already the case:

The root too (mydomain2.com) is proxied.

After re-enabling Cloudflare on Site, the certificates started to magically works (magically because before deactivating it didn’t work)

2 Likes

Nice! Yea if you had paused Cloudflare, it’s the same as unproxying every record.

2 Likes