Cloudflare Certificates are now picked instead of AWS

We have a Universal Type certificate for *.example.com in Cloudflare.
Also, we have another certificate provisioned for specific.example.com in AWS via ACM.

Now, before today, all the requests to https://specific.example.com were pointing to AWS certificates (chain), but since today, all the requests to the same URL are now picking up the Cloudflare certificates (chain). We have no idea why this is happening. No configuration was done on either AWS or Cloudflare from our side.

The only thing that we see is that the Universal certificate was renewed today, but that doesn’t tell us if that’s the cause of this problem or the effect of it. The reason I am raising this issue is because we have SSL Pinning enabled for our Android Application, and we had AWS Certificates pinned for the last 1 year and now, since Cloudflare certificates are being picked, pinning is failing.
Any help would be appreciated.

Thanks

Are you sure you ordered an Advanced Certificate with AWS? I’ve never seen that as an option:

1 Like

Apologies for the confusion, but when I say ACM, I mean AWS Certificate Manager, not Cloudflare’s Advanced CM. Basically, hitting specific.example.com should have given the certificates configured in AWS, but it gave the certificate for *.example.com, which is configured in Cloudflare.

Has specific.example.com been switched from “DNS only” to “proxied” by mistake?

3 Likes

Yes, it is proxied, but that was done 6-7 months ago; we should have faced this much earlier than today.

If it was proxied for that long, queries for that host would have only been able to see the Cloudflare edge certificate. You’ll need to check if the application is actually querying that name, or falling back to an IP address or something else, like a redirect or a direct-to-AWS link, that meant it was bypassing the Cloudflare proxy.

(I assume you have Universal SSL and haven’t uploaded your own certificate to the Cloudflare edge?)

What is the domain and subdomain?

2 Likes
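An added example, not part of the thread: one way to check which leaf certificate a given network path presents and whether its SPKI pin is in the app's pin set, which separates "the name resolves through the proxy" from "the client reaches AWS directly". All function names and `APP_PINS` are hypothetical, the two sample certificates are constructed DER skeletons rather than real certificates, and it assumes the app pins the leaf key.

```python
import base64, hashlib, socket, ssl

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def sha256_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def spki_pin(cert_der):
    """Pin string (sha256/<base64>) over the SubjectPublicKeyInfo."""
    _, pos, _ = read_tlv(cert_der, 0)      # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)    # TBSCertificate SEQUENCE
    tag, _, after = read_tlv(cert_der, pos)
    if tag == 0xA0:                        # optional [0] version field
        pos = after
    for field in range(5):  # serial, sig alg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)    # SubjectPublicKeyInfo element
    return "sha256/" + sha256_b64(cert_der[pos:end])

def fetch_leaf_der(host, port=443):
    """Leaf certificate (DER) presented for host on this network path."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def pin_matches(cert_der, pinned):
    return spki_pin(cert_der) in pinned

# Constructed sample data: skeletal DER with the X.509 field order only.
def tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form lengths only

def fake_cert(key):
    empty = tlv(0x30, b"")
    spki = tlv(0x30, empty + tlv(0x03, b"\x00" + key))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + empty * 4 + spki)
    return tlv(0x30, tbs + empty + tlv(0x03, b"\x00")), spki

ORIGIN_CERT, ORIGIN_SPKI = fake_cert(b"origin-key")  # stands in for the pinned AWS leaf
EDGE_CERT, EDGE_SPKI = fake_cert(b"edge-key")        # stands in for the proxy edge leaf
APP_PINS = {spki_pin(ORIGIN_CERT)}

if __name__ == "__main__":
    for name, der in (("origin", ORIGIN_CERT), ("edge", EDGE_CERT)):
        print(name, spki_pin(der), "pinned" if pin_matches(der, APP_PINS) else "NOT pinned")
```

Against a live host, `pin_matches(fetch_leaf_der("specific.example.com"), APP_PINS)` run from the same network as the app shows whether that path terminates at a certificate the app will accept.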
