Certificate renewal does not work for *.spb.ru domains specifically

What is the name of the domain?

artifact.spb.ru aviasalon.spb.ru electrolivefest.spb.ru pr-news.spb.ru sverdlov.spb.ru

What is the error number?

No error number. At least I can not see anything like it anywhere on the dashboard.

What is the error message?

See the attached screenshot: Initializing (Error) The certificate authority will not issue for this domain. Please check your input or try another authority.

What is the issue you’re encountering?

I have a dozen websites on different accounts. They are in many different TLD zones like com, biz, ru, org.ru, net.ru, and a few of them are in spb.ru. The problem I have affects *.spb.ru domains only.

All these websites have identical configuration: Free service plan, DNS=Proxy (Orange cloud), SSL=Flexible, Universal SSL, HSTS=On (listed in HSTS Static Preload List), Minimum TLS version = 1.0, No redirect/filter Rules or anything like that. Everything was working fine for almost a decade until 22nd of April.

The problem is: once the SSL certificate expires, it is no longer renewed. Cloudflare issues SSL certificates via Google Trust Services and via Let’s Encrypt (backup). As soon as the GTS certificate hits its expiration day it is not renewed automatically, and the website becomes unavailable via HTTPS (Chrome reports ERR_SSL_VERSION_OR_CIPHER_MISMATCH). Let’s Encrypt backup certificates are present but not used.

I tried to resolve this issue these ways:

  1. Turning Universal SSL off and on
  2. Deleting defunct website from CF account and add it back to the same account
  3. Deleting defunct website from one CF account and add it to the fresh account, making website configuration from the scratch
  4. Doing nothing and just waiting a few days for the certificate renewal process to complete.

No luck. Whatever I do, I see the same error message (see the screenshot attached): Initializing (Error) The certificate authority will not issue for this domain. Please check your input or try another authority. Certificate Transparency logs (crt.sh) have no records of a GTS certificate renewal for these domain names. Since all these websites are listed in the HSTS Static Preload List, the failure to renew the certificate makes them dead in the water immediately.

Was the site working with SSL prior to adding it to Cloudflare?

No. It was initially HTTP only. SSL has been turned on in 2016.

What is the current SSL/TLS setting?

Flexible

Screenshot of the error

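Added example, not part of this thread and not Cloudflare or crt.sh code: a small Python script that reproduces the Certificate Transparency check the post describes. It reads crt.sh-style JSON and reports, per issuing CA, whether the newest certificate covering a hostname is still valid, which is exactly the question when a dashboard shows "Initializing (Error)" and the browser refuses the handshake. The records below are constructed to mimic the field names of crt.sh's `?output=json` response; `example.spb.ru`, the IDs and the dates are illustrative only.

```python
"""Report, per issuing CA, whether the newest CT-logged certificate for a
hostname is still valid. Added example; records below are constructed."""
from __future__ import annotations

import json
from datetime import datetime

# Constructed sample shaped like crt.sh JSON output (assumed field names:
# id, issuer_name, common_name, name_value, not_before, not_after).
# Here the Google Trust Services leaf has lapsed and only the Let's Encrypt
# backup is still inside its validity window.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Google Trust Services, CN=WE1",
     "common_name": "example.spb.ru",
     "name_value": "*.example.spb.ru\nexample.spb.ru",
     "not_before": "2025-01-20T10:00:00", "not_after": "2025-04-20T10:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=E6",
     "common_name": "example.spb.ru",
     "name_value": "*.example.spb.ru\nexample.spb.ru",
     "not_before": "2025-03-01T00:00:00", "not_after": "2025-05-30T00:00:00"},
])


def as_dt(value: datetime | str) -> datetime:
    """Accept either a datetime or an ISO-8601 string (crt.sh emits naive UTC)."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def issuer_org(issuer_name: str) -> str:
    """Pull the O= component out of a crt.sh issuer_name distinguished name."""
    for part in issuer_name.split(", "):
        if part.startswith("O="):
            return part[2:]
    return issuer_name


def name_covers(name: str, hostname: str) -> bool:
    """SAN matching: a wildcard covers exactly one extra label, never the apex."""
    name, hostname = name.lower(), hostname.lower()
    if name.startswith("*."):
        parent = name[2:]
        return "." in hostname and hostname.split(".", 1)[1] == parent
    return name == hostname


def cert_covers(record: dict, hostname: str) -> bool:
    """True if any SAN (name_value, newline-separated) or the CN covers hostname."""
    names = set(record.get("name_value", "").split("\n"))
    names.add(record.get("common_name", ""))
    return any(name_covers(n, hostname) for n in names if n)


def latest_per_issuer(raw_json: str, hostname: str) -> dict[str, dict]:
    """Keep only the certificate with the latest not_after for each issuer org."""
    latest: dict[str, dict] = {}
    for rec in json.loads(raw_json):
        if not cert_covers(rec, hostname):
            continue
        org = issuer_org(rec["issuer_name"])
        not_after = as_dt(rec["not_after"])
        if org not in latest or not_after > latest[org]["not_after"]:
            latest[org] = {"id": rec["id"], "not_after": not_after,
                           "not_before": as_dt(rec["not_before"])}
    return latest


def expired_issuers(raw_json: str, hostname: str, now: datetime | str) -> list[str]:
    """Issuer orgs whose newest certificate for hostname has already expired."""
    now_dt = as_dt(now)
    return sorted(org for org, rec in latest_per_issuer(raw_json, hostname).items()
                  if rec["not_after"] <= now_dt)


def main() -> None:
    host, now = "example.spb.ru", "2025-04-25T00:00:00"
    for org, rec in latest_per_issuer(SAMPLE_CRTSH_JSON, host).items():
        state = "valid" if rec["not_after"] > as_dt(now) else "EXPIRED, no renewal logged"
        print(f"{host}: {org}: crt.sh id {rec['id']} until {rec['not_after']:%Y-%m-%d} ({state})")
    print("issuers without a current certificate:", expired_issuers(SAMPLE_CRTSH_JSON, host, now))


if __name__ == "__main__":
    main()
```

To run the same check against live CT data, fetch `https://crt.sh/?q=<hostname>&output=json` and pass the response body to `expired_issuers` with the current time; an issuer that appears in the result has no unexpired leaf in the logs, which matches what the post describes for GTS.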

It seems this guy has the same problem: Error with universal SSL certificate

Yes. Same problem :(

In my case, disabling the Cloudflare proxy helped.