Browser not detecting Cloudflare SSL certificate

ssl

#1

Hi,

My browser doesn’t like my Cloudflare SSL certificate.

I’ve already read all of the relevant community topics, and followed all of the diagnostic steps here:

Everything looks good in my Cloudflare dashboard:

  • My account is up and running (status:Active - this website is active on Cloudflare)
  • I have ‘orange cloud’ DNS records pointing at my host IP.
  • My site works over HTTP: http://www.babyskills.ml
  • My SSL certificate has been issued (status: Active Certificate).
  • I am running the FULL SSL setting (my host has a self-signed certificate).

To diagnose any installation problems, I ran an SSL checker
https://www.sslshopper.com/ssl-checker.html#hostname=www.babyskills.ml

  • I can see that the Cloudflare certificate is being detected
  • The certificate was issued by Comodo.
  • The hostname (www.babyskills.ml) is correctly listed in the certificate.

So, everything looks great! Except…

When I try to access my page via HTTPS: https://www.babyskills.ml, I get an error ERR_CERT_AUTHORITY_INVALID

In Chrome developer tools I see the following:

  • Subject Alternative Name missing (The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.)
  • There are issues with the site’s certificate chain (net::ERR_CERT_AUTHORITY_INVALID).

When I look at the certificate, I don’t see any mention of Comodo, or my hostname, which makes me think that my browser is seeing the self-signed ORIGIN certificate of my hosting provider, NOT my Cloudflare certificate.

What could be wrong?

  • Browser issue? I’ve tried different browsers and different devices, but to no avail.
  • Propagation issue? It has been 90 minutes since my certificate was issued.
  • Caching issue? I’ve cleared my SSL state.
  • Should I be using Flexible SSL? I tried this, too, but nothing changed.

Please help!


#2

I’d say you’re hitting the origin site. (It’s working fine for me)

In the Chrome Dev Tools, if you look at the HTTP response headers, you should see some CF headers from Cloudflare. I suspect that you won’t see those, and the IP address will be that of your origin server.

So it would be a DNS issue.


#3

Works for me as well. You might try flushing your DNS cache on your local machine.


#4

Thanks for the suggestion cscharff

ipconfig /flushdns

Sadly, it did not fix the issue.


#5

I agree sdayman. Seems to be only an issue from UK browsers.

What has failed to propagate, do you think? The nameserver (NS) record itself?

It’s been over 7 hours now, and still no luck. Will check back later and see.


#6

This test: https://www.whatsmydns.net/#A/babyskills.ml shows proper resolution around the world, including Global Crossing in the UK.

Sometimes it’s a matter of an ISP’s DNS not properly flushing expired entries. One option to test is to set your computer’s DNS to use Google DNS at 8.8.8.8 and 8.8.4.4. This should at least get it working for you.

From my own command line: dig babyskills.ml
my DNS (opendns.com) resolves it correctly, and shows a proper TTL:

; <<>> DiG 9.8.3-P1 <<>> babyskills.ml
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53171
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;babyskills.ml.			IN	A

;; ANSWER SECTION:
babyskills.ml.		300	IN	A	104.24.115.13
babyskills.ml.		300	IN	A	104.24.114.13

;; Query time: 84 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Wed Sep 20 17:45:43 2017
;; MSG SIZE  rcvd: 63

#7

I don’t know how to determine which NS your ISP/DNS host is using. The Dig command is the best insight into what my local DNS is doing.

EDIT: Not so tough: dig babyskills.ml NS

That’s the dig command that will let you know which NS your DNS server thinks your domain is set to.
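
Added example (not part of any post in this thread): a Python sketch of the check posts #2 and #6 describe, comparing the local resolver's answers with a reference resolver's and recording which certificate each resolved IP presents. The function names and the 203.0.113.10 sample address are assumptions for illustration; the reference list would come from a query such as `dig @8.8.8.8`.

```python
import socket
import ssl


def summarize_cert(cert, hostname):
    """Reduce an SSLSocket.getpeercert() dict to issuer and SAN coverage."""
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    sans = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    host = hostname.lower()
    parent = host.split(".", 1)[-1]  # what a single-label wildcard must match
    san_ok = host in sans or ("." in host and "*." + parent in sans)
    return {"issuer": issuer.get("organizationName", "?"), "san_ok": san_ok}


def probe(ip, hostname, port=443, timeout=5):
    """Handshake with one IP (SNI = hostname), validating as a browser would."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return {"ip": ip, "trusted": True,
                        **summarize_cert(tls.getpeercert(), hostname)}
    except ssl.SSLCertVerificationError as exc:
        # e.g. a self-signed origin certificate reached through stale DNS
        return {"ip": ip, "trusted": False, "error": exc.verify_message}
    except OSError as exc:
        return {"ip": ip, "trusted": False, "error": str(exc)}


def local_ips(hostname):
    """A records as seen by this machine's configured resolver."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def diagnose(local, reference, probes):
    """Separate a stale-DNS symptom from a genuine certificate problem."""
    stale = sorted(set(local) - set(reference))
    bad = sorted(p["ip"] for p in probes if not p["trusted"])
    if set(stale) & set(bad):
        return f"stale DNS: local resolver still returns {stale}"
    if bad:
        return f"certificate problem at {bad} with current DNS"
    return "ok: every resolved IP presents a trusted certificate"


# Constructed sample: 203.0.113.10 is a documentation address standing in
# for an origin IP; the reference answers are the A records from post #6.
SAMPLE = diagnose(
    ["203.0.113.10"], ["104.24.115.13", "104.24.114.13"],
    [{"ip": "203.0.113.10", "trusted": False, "error": "self-signed certificate"}])
```

On a live check, `probes` would be `[probe(ip, host) for ip in local_ips(host)]`; a "stale DNS" result points at the resolver cache rather than at the Cloudflare certificate.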


#8

Did you come to a resolution for this?

I have the exact same issue that is described by OP.


#9

This resolved itself within about 36 hours. It was probably due to caching at the ISP level.

This SSL checker should confirm that your certificate is valid:
https://www.sslshopper.com/ssl-checker.html

I’d recommend waiting a few days for the changes to propagate.


#10

Hi,
I have the exact same problem now. I ran the SSL checker as well, the Comodo certificate shows but under the website Not Secure warning, mentioned is a self issued invalid certificate. Should I just wait thinking this is an ISP related problem, or have you found another explanation behind this issue? My related request number is: 1493737


#11

I am having the same issue: my website www.skgroups.net shows NET::ERR_CERT_AUTHORITY_INVALID, and when someone uses skgroups.net it works fine. Please solve my issue too.


#12

At the moment you have universal SSL disabled, so we haven’t ordered and aren’t serving a certificate for you at your request.


#13

How do I enable it?


#14

I enabled it, but now when using www it says ERR_SSL_VERSION_OR_CIPHER_MISMATCH


#15

It’s probably still authorizing the certificate. What is the Status for SSL in your Crypto settings page?


#16

It just says “This setting was last changed 4 days ago”.


#17

The www redirects me to non-www. And it works.

But to fill in some blanks, Universal SSL would have a Status. Have you paid for a Dedicated SSL certificate? In either case, you would have an entry in the Edge Certificates section.


#18

Appears to be working for me now. Since USSL was disabled, the certificate issuance process started over, so it could take up to 24 hours to be in place. But I tested now and it seems to be working.


#20

It was working fine after talking here, but today, on 17/6/2018, it shows https and even says the certificate is valid, but says the connection is insecure.