CloudFlare free managed SSL

Some domains use the Free Universal SSL from Let’s Encrypt Authority, others do not use Let’s Encrypt.

For those that use the Let’s Encrypt one, trying to cURL to them, we get cURL error 60 - expired certificate.

All the other domains do not have this problem.
There seems to be no way to update those certificates in CloudFlare, to get rid of the expired Let’s Encrypt ones and get fresh ones.

By the way - the browsers do not complain on those websites about the certificate. It seems valid.

So overall, this is somewhat confusing.

Hi @jotsib,

Could you give an example of a domain that has this problem?

Hi @albert

This produces cURL error 60 - it uses Let’s Encrypt.
https://bit.ly/3lc9ZDp

On this one cURL works with no issues - it doesn’t use Let’s Encrypt.
https://bit.ly/3FdSgmZ

Both <REDACTED> and <REDACTED> work fine for me - with both cURL and Firefox. Could you try checking whether cURL still has issues on your end?

EDIT: Domains were redacted by request from jotsib. You can find them using the bit.ly links above.

May I ask, is the Flexible SSL option selected under the SSL/TLS tab of the Cloudflare dashboard for your domain?

Why not renew the Let’s Encrypt SSL certificate?

If you have the new one, I believe you would have to use at least the Business Plan to upload it to Cloudflare.

Otherwise, you could buy a Dedicated SSL and install it at your origin host / server. Therefore, use Full (Strict) SSL option to have secured HTTPS connection.

In that case, may I suggest using Cloudflare Origin CA Certificate:

Still getting error 60 for the domain with the problem.
*Please, could you remove the domains from your last post?

I think my issue might be falling under the following cases:

I haven’t studied the above two cases thoroughly and I am not 100% clear about what I should do to fix the issue.

But in my case the cURL runs from two different Ubuntu 16 servers and I also try to debug the PHP cURL script from my local MAMP pro on Catalina.

I also found this post:
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

Regarding CloudFlare: How to force the regeneration of the SSL on those domains that CF added a Let’s Encrypt SSL to?
And by the way, why does CF assign the Let’s Encrypt certificate to some domains?
