Cloudflare is SEC_ERROR_UNKNOWN_ISSUER?

Hello,
Here’s a good one (error).

OK, here’s my setup, I might have missed something:
A docker container is running at https://192.168.1.236:2021 (necessary for wss) at home.
Another Nginx Proxy Manager container is routing a Cloudflare subdomain to https://192.168.1.236:2021
Since 443 is managed by Nginx Proxy Manager, I can’t give it to .236
https://192.168.1.236:2021 is working (with cert error of course, but working)
NAT/PAT opened ports 80/443

When I visit https://tsi.mydomain.com/ from TOR (so it’s a pure external route) I get: SEC_ERROR_UNKNOWN_ISSUER
while the certificate is my Cloudflare origin certificate
Accepting the “risk” sends to the correct page and wss is working.
See

Both Nginx Proxy and the local server at 2021 use the origin server
Cloudflare is Full strict, redirect to https.

I double checked and the same settings (AFAIK) were working for another local test server, same ISP.

I already setup other domains in the past with the same infrastructure and pipeline but never got this error.

Oh, and this is new: when I test from my machine I get an SSL certificate error issued from my ISP, but when I test over 4G, I get the same error as with TOR (Cloudflare as unknown issuer)

Any idea?

At first sight, your domain is not pointed to Cloudflare nameservers?
rLeaLitis.com is not a registered domain.

Do you proxy over 2021 port or some other?

Kindly check and change the port to one of the Cloudflare-compatible ports from the list below:

Thanks @fritexvz, yeah, the correct domain was visible in the screenshot. Never mind. I edited it for security purposes.

To solve my issue I removed Cloudflare from the equation, using a Let’s Encrypt certificate and pausing Cloudflare until I made sure it worked fine.

Reactivating Cloudflare without DNS fired the same error.
Reactivating the proxy (orange cloud) made it work.

Bonus error: My ISP supersedes the certificate, so I must use TOR to see the result. And changing the TOR identity is not enough to clear the cache; I must close and relaunch TOR to really see changes. That added a layer of complexity.

I use another subdomain now
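The two observations in the last post (DNS-only record: same error; orange cloud: works) are exactly what a Cloudflare Origin CA certificate produces, because that CA is trusted by Cloudflare's edge and by nothing else. With the proxy off, a browser reaches the origin directly, sees a leaf issued by the Origin CA, and raises SEC_ERROR_UNKNOWN_ISSUER; with the proxy on, the browser talks to Cloudflare's edge certificate and Cloudflare validates the Origin CA leaf on the back end (Full (strict)). The probe below is an added example, not code from the thread or from Cloudflare: it handshakes once the way a browser does, then once with verification disabled purely to read the issuer, and tells the three cases apart (publicly trusted, Origin CA reached directly, or some other untrusted issuer such as an intercepting ISP). The issuer test is a naming heuristic I am assuming (CN containing "Origin", O containing "CloudFlare"), not a trust decision; `FakeOrigin` is a loopback fixture with a self-signed certificate so the tool can be exercised without network access. Host names and ports in the comments are taken from the thread.

```go
// tlsprobe.go (added example): is a host presenting a publicly trusted certificate,
// or a Cloudflare Origin CA certificate that only Cloudflare's own edge trusts?
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"os"
	"strings"
	"time"
)

type Result struct {
	Issuer      string // issuer DN of the leaf certificate the server presented
	Trusted     bool   // chain verified against the local root store, as a browser would
	OriginCA    bool   // issuer matches the Cloudflare Origin CA naming heuristic below
	Explanation string
}

// IsCloudflareOriginCA is a naming heuristic (an assumption, not a trust check):
// Cloudflare Origin CA issuers carry "Origin" in the CN and "CloudFlare" in O.
func IsCloudflareOriginCA(cert *x509.Certificate) bool {
	cn := strings.ToLower(cert.Issuer.CommonName)
	org := strings.ToLower(strings.Join(cert.Issuer.Organization, " "))
	return strings.Contains(cn, "origin") && strings.Contains(org, "cloudflare")
}

// dial opens a TLS connection; tls.Dial fills ServerName from addr's host part.
func dial(addr string, insecure bool) (*tls.Conn, error) {
	d := &net.Dialer{Timeout: 5 * time.Second}
	return tls.DialWithDialer(d, "tcp", addr, &tls.Config{InsecureSkipVerify: insecure})
}

// Probe handshakes twice: strictly (the check Firefox fails with SEC_ERROR_UNKNOWN_ISSUER)
// and, only to read the leaf, with verification off.
func Probe(addr string) (Result, error) {
	var res Result
	if c, err := dial(addr, false); err == nil {
		c.Close()
		res.Trusted = true
	}
	c, err := dial(addr, true) // diagnostic only: no application data is sent
	if err != nil {
		return res, fmt.Errorf("cannot reach %s: %w", addr, err)
	}
	defer c.Close()
	leaf := c.ConnectionState().PeerCertificates[0]
	res.Issuer = leaf.Issuer.String()
	res.OriginCA = IsCloudflareOriginCA(leaf)
	switch {
	case res.Trusted:
		res.Explanation = "publicly trusted chain; browsers will not warn"
	case res.OriginCA:
		res.Explanation = "Cloudflare Origin CA leaf reached directly: the record is DNS-only (grey cloud) or the client bypasses Cloudflare; proxy it (orange cloud) or put a publicly trusted certificate on the origin"
	default:
		res.Explanation = "untrusted, non-Cloudflare issuer: a self-signed origin certificate or an interception proxy (e.g. an ISP) in the path"
	}
	return res, nil
}

// FakeOrigin starts a loopback TLS listener with a self-signed certificate whose issuer
// is the given CN and O, so Probe can be exercised offline. Call stop() when done.
func FakeOrigin(cn, org string) (addr string, stop func(), err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return "", nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}})
	if err != nil {
		return "", nil, err
	}
	go func() {
		for conn, err := ln.Accept(); err == nil; conn, err = ln.Accept() {
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(conn) // strict clients abort here, as expected
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

func main() {
	for _, addr := range os.Args[1:] { // e.g. tlsprobe tsi.mydomain.com:443 192.168.1.236:2021
		if res, err := Probe(addr); err != nil {
			fmt.Println(addr, "error:", err)
		} else {
			fmt.Printf("%s\n  issuer: %s\n  trusted: %v\n  origin CA: %v\n  %s\n", addr, res.Issuer, res.Trusted, res.OriginCA, res.Explanation)
		}
	}
}
```

Run it from a path that does not go through Cloudflare (the 4G or TOR test from the thread) against the public name and against the origin's LAN address: the proxied name should report a trusted chain, the origin (or the grey-cloud name) should report the Origin CA case, and an ISP that rewrites certificates shows up as the third case with its own issuer DN, which is the quickest way to separate those two errors.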
