If you’re unable/unwilling to ensure a valid origin cert, why don’t you simply switch to the appropriate Custom SSL/TLS encryption mode per your origin cert?
My own experience with the Automatic mode is that there is often a non-zero time to adapt to origin cert changes (cert expired, renewed, revoked, etc.)… during which time the site will show an error.
Because I have 200+ domains on full SSL mode, a handful of old ones still on flexible.
I never selected automatic mode, it didn’t exist when most domains were added.
Cloudflare automatically turned automatic mode on, which would be fine if it worked.
But in the last 6 months it has started incorrectly setting strict mode on sites which cannot handle strict mode. It’s supposed to check before changing, but its checks are broken, so Cloudflare keeps breaking my sites with automated changes.
I shouldn’t have to manually go through 200 domains and turn off a setting that I never enabled.
Any Cloudflare support staff able to assist here?
Yet another domain broken again today by automated SSL upgrades that I did not enable, agree to or sign up for.
Is there a way to disable automatic SSL upgrades for every domain in my account? Or do I need to spend hours manually updating every site?
"Automatic SSL/TLS upgrades are enabled for one or more of your domains. As a result, Cloudflare will see if it can communicate with your origin server over more secure connections and will automatically upgrade them on your behalf if so to improve security."
Clearly your checks to see if more secure connections work are broken, given you upgrade to a level that breaks the sites. If it worked, great feature, but given it consistently breaks sites it is beyond terrible.
Surely a simple HTTPS request to our server would show the domain name is not in the certificate… are you doing the checks to the domain normally instead of our server endpoint? That might make sense as then you would see the domain in the certificate, but in the Cloudflare-issued certificate.
Our server is set up to support Full SSL, which is why we have always set that (except for a few really old sites still on flexible). Full Strict requires an extra manual step on our end, so we do not want Cloudflare to ever set this for us; leave it in our control.
Having the same issue.
Clearly the method Cloudflare uses to automatically choose the encryption mode is faulty - it chooses Full (strict) even though enabling it causes an error.
From what I can tell it happens on domains that have redirection enabled.
Sure, there are workarounds, but it should be trivial for Cloudflare to fix this bug.
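The direct-to-origin check suggested in the thread (connect to the origin server itself, not the proxied domain, and see whether the domain is in its certificate), as an added example that is not part of the original posts and not Cloudflare's own check. The names `strict_check`, `audit` and `explain`, and the sample hostname and address, are hypothetical; it assumes the origin uses a publicly trusted CA, since a Cloudflare Origin CA certificate is not in the system trust store and would be reported as untrusted here.

```python
import socket
import ssl

# OpenSSL verify codes mapped to what they say about the origin certificate.
REASONS = {
    10: "certificate expired",
    18: "self-signed certificate",
    19: "self-signed certificate in chain",
    20: "issuer not trusted by this machine",
    62: "hostname not in certificate",
}

def explain(verify_code, verify_message=""):
    """Turn an OpenSSL verify code into a short reason string."""
    return REASONS.get(verify_code, verify_message or f"verify error {verify_code}")

def strict_check(hostname, origin_ip, port=443, timeout=5.0):
    """Handshake with the origin directly (bypassing the proxy), sending
    `hostname` as SNI, with full chain and hostname verification.
    Returns (ok, reason)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus check_hostname
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                return True, "valid"
    except ssl.SSLCertVerificationError as exc:
        return False, explain(exc.verify_code, exc.verify_message)
    except OSError as exc:  # refused, timeout, non-TLS port, handshake failure
        return False, f"no TLS handshake: {exc}"

def audit(origins):
    """origins: iterable of (hostname, origin_ip, port). Returns a dict of the
    hostnames whose origin certificate fails strict validation, with the reason."""
    failures = {}
    for hostname, origin_ip, port in origins:
        ok, reason = strict_check(hostname, origin_ip, port)
        if not ok:
            failures[hostname] = reason
    return failures

if __name__ == "__main__":
    # Constructed sample (documentation hostname and address); replace with real origins.
    print(audit([("www.example.com", "192.0.2.10", 443)]))
```

A hostname reported with "hostname not in certificate" is one whose origin can complete a TLS handshake (enough for Full) but would fail under Full (strict).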