Background: Over the weekend, I migrated one of my domains from Google Domains to Cloudflare as the registrar. I don’t recall if I disabled DNSSEC in Google Domains before initiating the transfer, but I’m not sure that’s even relevant here.
Goal: My goal is to redirect this website (let’s say, example.com) to another website (ex.ample.net).
Problem: Cloudflare hasn’t issued a certificate for my website (example.com from the example above). The certificate being offered for the website is one that was generated by Google and expired in Jan 2023. CF helpfully shows me the following message on the DNS settings page: “This hostname is not covered by a certificate” but doesn’t tell me how to fix it. I have updated the nameservers to the ones Cloudflare says to use and confirmed that change using WHOIS.
How can I force the generation of a new certificate by Cloudflare? I’ve already enabled the “Full (strict)” mode under SSL/TLS settings.
If Cloudflare is your authoritative DNS provider, Universal SSL certificates typically issue within 15 minutes of domain activation at Cloudflare and do not require further customer action after domain activation.
Thank you. As mentioned in my original post, dreamchipotle.com is just an example. The actual domain is registered, shows as Active on https://dash.cloudflare.com/ and I confirmed using both dig and whois that its authoritative nameservers are set to irma.ns.cloudflare.com and trey.ns.cloudflare.com.
In this case, we need to confirm that there are actually hostnames in the zone. My suspicion is you don’t have an apex/root or WWW A or CNAME record defined, which means a certificate order cannot be created.
$ nslookup example.com 126.96.36.199
$ curl -v https://example.com
* Trying 188.8.131.52:443...
* Connected to example.com (184.108.40.206) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* SSL certificate problem: certificate has expired
* Closing connection 0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
I did share the output from dig in post 10 but sharing it here again:
$ dig example.com
; <<>> DiG 9.10.6 <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61704
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 300 IN A 220.127.116.11
example.com. 300 IN A 18.104.22.168
;; Query time: 366 msec
;; SERVER: 192.168.86.1#53(192.168.86.1)
;; WHEN: Thu Jun 29 01:07:49 PDT 2023
;; MSG SIZE rcvd: 77
Please note that if I bypass the certificate warning, the domain does get redirected as I’ve configured in the Redirect Rules section so I think I am connecting to Cloudflare. I followed the instructions at https://developers.cloudflare.com/fundamentals/get-started/basic-tasks/manage-domains/redirect-domain/ to set up this redirection.
My suspicion is that this is caused by something we need to investigate more thoroughly with you in a secure space. I want to open a ticket for you but I need to identify you. Could you DM me with your domain and email address so I can get this in my system?
Thank you @CFBrandon - I’ve responded on the ticket. I also really appreciate the help I’ve received in this discussion so far from @anon9246926, cscharff, and simon (can’t tag more than 2 users in a post).