Background: Over the weekend, I migrated one of my domains from Google Domains to Cloudflare as the registrar. I don’t recall if I disabled DNSSEC in Google Domains before initiating the transfer, but I’m not sure that’s even relevant here.
Goal: My goal is to redirect this website (let’s say, example.com) to another website (ex.ample.net).
Problem: Cloudflare hasn’t issued a certificate for my website (example.com from the example above). The certificate being offered for the website is one that was generated by Google and expired in Jan 2023. CF helpfully shows me the following message on the DNS settings page: “This hostname is not covered by a certificate” but doesn’t tell me how to fix it. I have updated the nameservers to the ones Cloudflare says to use and confirmed that change using WHOIS.
How can I force the generation of a new certificate by Cloudflare? I’ve already enabled the “Full (strict)” mode under SSL/TLS settings.
Yes, I see that but I’m not saying I didn’t disable DNSSEC. I’m not sure if I did it. I am able to set DNS records for the hostname which suggests to me that I did disable DNSSEC.
Yes, just redirect for now, not serve any content.
Yes, though I was using 192.0.2.1 instead of 192.0.2.0. I’ve just changed it but it’s not clear to me if that is the reason for not issuing the certificate.
If Cloudflare is your authoritative DNS provider, Universal SSL certificates typically issue within 15 minutes of domain activation at Cloudflare and do not require further customer action after domain activation.
Thank you. As mentioned in my original post, dreamchipotle.com is just an example. The actual domain is registered, shows as Active on https://dash.cloudflare.com/ and I confirmed using both dig and whois that its authoritative nameservers are set to irma.ns.cloudflare.com and trey.ns.cloudflare.com.
That’s a fair point but I can’t do that because it contains PII. I have tried to post the actual output of dig and whois on my domain name, just replaced the domain name with example.com:
$ whois example.com
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object
refer: whois.verisign-grs.com
domain: COM
organisation: VeriSign Global Registry Services
address: 12061 Bluemont Way
address: Reston VA 20190
address: United States of America (the)
contact: administrative
name: Registry Customer Service
organisation: VeriSign Global Registry Services
address: 12061 Bluemont Way
address: Reston VA 20190
address: United States of America (the)
phone: +1 703 925-6999
fax-no: +1 703 948 3978
e-mail: [email protected]
contact: technical
name: Registry Customer Service
organisation: VeriSign Global Registry Services
address: 12061 Bluemont Way
address: Reston VA 20190
address: United States of America (the)
phone: +1 703 925-6999
fax-no: +1 703 948 3978
e-mail: [email protected]
nserver: A.GTLD-SERVERS.NET 192.5.6.30 2001:503:a83e:0:0:0:2:30
nserver: B.GTLD-SERVERS.NET 192.33.14.30 2001:503:231d:0:0:0:2:30
nserver: C.GTLD-SERVERS.NET 192.26.92.30 2001:503:83eb:0:0:0:0:30
nserver: D.GTLD-SERVERS.NET 192.31.80.30 2001:500:856e:0:0:0:0:30
nserver: E.GTLD-SERVERS.NET 192.12.94.30 2001:502:1ca1:0:0:0:0:30
nserver: F.GTLD-SERVERS.NET 192.35.51.30 2001:503:d414:0:0:0:0:30
nserver: G.GTLD-SERVERS.NET 192.42.93.30 2001:503:eea3:0:0:0:0:30
nserver: H.GTLD-SERVERS.NET 192.54.112.30 2001:502:8cc:0:0:0:0:30
nserver: I.GTLD-SERVERS.NET 192.43.172.30 2001:503:39c1:0:0:0:0:30
nserver: J.GTLD-SERVERS.NET 192.48.79.30 2001:502:7094:0:0:0:0:30
nserver: K.GTLD-SERVERS.NET 192.52.178.30 2001:503:d2d:0:0:0:0:30
nserver: L.GTLD-SERVERS.NET 192.41.162.30 2001:500:d937:0:0:0:0:30
nserver: M.GTLD-SERVERS.NET 192.55.83.30 2001:501:b1f9:0:0:0:0:30
ds-rdata: 30909 8 2 e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766
whois: whois.verisign-grs.com
status: ACTIVE
remarks: Registration information: http://www.verisigninc.com
created: 1985-01-01
changed: 2019-08-14
source: IANA
# whois.verisign-grs.com
Domain Name: EXAMPLE.COM
Registry Domain ID: 2317179823_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.cloudflare.com
Registrar URL: http://www.cloudflare.com
Updated Date: 2023-06-24T06:54:28Z
Creation Date: 2018-10-03T17:51:18Z
Registry Expiry Date: 2024-10-03T17:51:18Z
Registrar: CloudFlare, Inc.
Registrar IANA ID: 1910
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: IRMA.NS.CLOUDFLARE.COM
Name Server: TREY.NS.CLOUDFLARE.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2023-06-29T00:05:58Z <<<
# whois.cloudflare.com
Domain Name: EXAMPLE.COM
Registry Domain ID: 2317179823_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.cloudflare.com
Registrar URL: https://www.cloudflare.com
Updated Date: 2023-06-24T06:54:28Z
Creation Date: 2018-10-03T17:51:18Z
Registrar Registration Expiration Date: 2024-10-03T17:51:18Z
Registrar: Cloudflare, Inc.
Registrar IANA ID: 1910
Domain Status: clienttransferprohibited https://icann.org/epp#clienttransferprohibited
Domain Status: transferperiod https://icann.org/epp#transferperiod
Registry Registrant ID:
Registrant Name: DATA REDACTED
Registrant Organization: DATA REDACTED
Registrant Street: DATA REDACTED
Registrant City: DATA REDACTED
Registrant State/Province: CA
Registrant Postal Code: DATA REDACTED
Registrant Country: US
Registrant Phone: DATA REDACTED
Registrant Phone Ext: DATA REDACTED
Registrant Fax: DATA REDACTED
Registrant Fax Ext: DATA REDACTED
Registrant Email: https://domaincontact.cloudflareregistrar.com/example.com
Registry Admin ID:
Admin Name: DATA REDACTED
Admin Organization: DATA REDACTED
Admin Street: DATA REDACTED
Admin City: DATA REDACTED
Admin State/Province: DATA REDACTED
Admin Postal Code: DATA REDACTED
Admin Country: DATA REDACTED
Admin Phone: DATA REDACTED
Admin Phone Ext: DATA REDACTED
Admin Fax: DATA REDACTED
Admin Fax Ext: DATA REDACTED
Admin Email: https://domaincontact.cloudflareregistrar.com/example.com
Registry Tech ID:
Tech Name: DATA REDACTED
Tech Organization: DATA REDACTED
Tech Street: DATA REDACTED
Tech City: DATA REDACTED
Tech State/Province: DATA REDACTED
Tech Postal Code: DATA REDACTED
Tech Country: DATA REDACTED
Tech Phone: DATA REDACTED
Tech Phone Ext: DATA REDACTED
Tech Fax: DATA REDACTED
Tech Fax Ext: DATA REDACTED
Tech Email: https://domaincontact.cloudflareregistrar.com/example.com
Registry Billing ID:
Billing Name: DATA REDACTED
Billing Organization: DATA REDACTED
Billing Street: DATA REDACTED
Billing City: DATA REDACTED
Billing State/Province: DATA REDACTED
Billing Postal Code: DATA REDACTED
Billing Country: DATA REDACTED
Billing Phone: DATA REDACTED
Billing Phone Ext: DATA REDACTED
Billing Fax: DATA REDACTED
Billing Fax Ext: DATA REDACTED
Billing Email: https://domaincontact.cloudflareregistrar.com/example.com
Name Server: irma.ns.cloudflare.com
Name Server: trey.ns.cloudflare.com
DNSSEC: unsigned
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.4153197517
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2023-06-29T00:06:13Z <<<
$ dig example.com
; <<>> DiG 9.10.6 <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61704
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 300 IN A 104.21.10.183
example.com. 300 IN A 172.67.190.200
;; Query time: 366 msec
;; SERVER: 192.168.86.1#53(192.168.86.1)
;; WHEN: Thu Jun 29 01:07:49 PDT 2023
;; MSG SIZE rcvd: 77
If there are any other ways to verify the correctness, I’d love to know them myself.
When you visit the SSL tab in the dashboard, what is the certificate status shown as?
Also, which hostname is showing as not covered by a certificate? It’s expected that second level hostnames e.g. sub.sub.example.com are not covered by the Universal SSL wildcard certificate:
In this case, we need to confirm that there are actually hostnames in the zone. My suspicion is you don’t have an apex/root or WWW A or CNAME record defined, which means a certificate order cannot be created.
We tested this and I’m wrong - because we use TXT validation - we can and do place the order for the certificate for Full zones (those that use our nameservers) and it should issue normally.
I think we need more information from you about what error you’re actually seeing.
That implies that you might actually be connecting directly to your origin, not Cloudflare. You need to make sure you have:
a) a DNS record defined in your Cloudflare DNS that has the Proxy Mode On (aka Orange clouded)
b) when you resolve DNS locally, it should return a Cloudflare IP because you have the proxy mode on
If a & b are happening, then I would expect things to work. You’ll need to share more output from dig, cURL etc (you can redact names if you wish) for people to help you further.
$ nslookup example.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: example.com
Address: 104.21.10.183
Name: example.com
Address: 172.67.190.200
$ curl -v https://example.com
* Trying 172.67.190.200:443...
* Connected to example.com (172.67.190.200) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* SSL certificate problem: certificate has expired
* Closing connection 0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
I did share the output from dig in post 10 but sharing it here again:
$ dig example.com
; <<>> DiG 9.10.6 <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61704
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 300 IN A 104.21.10.183
example.com. 300 IN A 172.67.190.200
;; Query time: 366 msec
;; SERVER: 192.168.86.1#53(192.168.86.1)
;; WHEN: Thu Jun 29 01:07:49 PDT 2023
;; MSG SIZE rcvd: 77
Please note that if I bypass the certificate warning, the domain does get redirected as I’ve configured in the Redirect Rules section so I think I am connecting to Cloudflare. I followed the instructions at https://developers.cloudflare.com/fundamentals/get-started/basic-tasks/manage-domains/redirect-domain/ to set up this redirection.
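Checks a) and b) from the earlier reply, together with the nameserver and DNSSEC lines from the whois output, can be run offline against exactly the kind of output posted above. The script below is an added example, not code from this thread or from Cloudflare: it parses the whois, dig and curl excerpts (embedded here as constructed samples copied from the posts) and assumes a snapshot of Cloudflare's published IPv4 proxy ranges, which should be refreshed from https://www.cloudflare.com/ips/ before relying on it.

```python
"""Offline triage of whois / dig / curl output for a Cloudflare-proxied zone.

Added example, not Cloudflare's tooling. The three samples are constructed from
the output in the thread (the poster already replaced the real domain with
example.com). CLOUDFLARE_V4 is an assumption: a snapshot of Cloudflare's
published IPv4 proxy ranges (https://www.cloudflare.com/ips/).
"""
import ipaddress
import re

# Assumption: snapshot of Cloudflare's published IPv4 proxy ranges; refresh from the URL above.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed samples: the relevant lines from the whois, dig and curl output posted in the thread.
WHOIS_SAMPLE = """\
Name Server: IRMA.NS.CLOUDFLARE.COM
Name Server: TREY.NS.CLOUDFLARE.COM
DNSSEC: unsigned
"""

DIG_SAMPLE = """\
;; ANSWER SECTION:
example.com. 300 IN A 104.21.10.183
example.com. 300 IN A 172.67.190.200
"""

CURL_SAMPLE = """\
* (304) (IN), TLS handshake, Certificate (11):
* SSL certificate problem: certificate has expired
curl: (60) SSL certificate problem: certificate has expired
"""


def nameservers(whois_text):
    """Registry-reported nameservers, lowercased, from 'Name Server:' lines."""
    return [m.group(1).lower()
            for m in re.finditer(r"^Name Server:\s*(\S+)", whois_text, re.M)]


def dnssec_status(whois_text):
    """Value of the 'DNSSEC:' line ('unsigned' or 'signedDelegation'), or None."""
    m = re.search(r"^DNSSEC:\s*(\S+)", whois_text, re.M)
    return m.group(1).lower() if m else None


def answer_addresses(dig_text):
    """IPv4 addresses from A records in a dig ANSWER SECTION."""
    return [ipaddress.ip_address(m.group(1))
            for m in re.finditer(r"^\S+\s+\d+\s+IN\s+A\s+(\S+)", dig_text, re.M)]


def is_cloudflare_proxy(addr):
    """True if the address lies inside one of the assumed Cloudflare proxy ranges."""
    return any(addr in net for net in CLOUDFLARE_V4)


def curl_verify_error(curl_text):
    """The reason curl gave for rejecting the certificate, or None if it verified."""
    m = re.search(r"SSL certificate problem: (.+)$", curl_text, re.M)
    return m.group(1).strip() if m else None


def verdict(f):
    """Translate the individual findings into the single most likely cause."""
    if not f["ns_at_cloudflare"]:
        return "nameservers are not at Cloudflare: the zone is not Full, so Universal SSL will not be ordered"
    if f["dnssec"] not in (None, "unsigned"):
        return "DNSSEC is still signed at the registry: a stale DS record from the previous DNS host breaks resolution; compare it with the DS Cloudflare shows"
    if not f["proxied"]:
        return "A records are not Cloudflare proxy addresses: the record is DNS-only (grey cloud) or the NS change has not propagated, so clients hit the origin directly"
    if f["tls_error"]:
        return "clients reach the Cloudflare edge but TLS fails (%s): DNS and proxying are correct, so the certificate problem is on the edge side" % f["tls_error"]
    return "DNS, proxying and TLS all look healthy"


def triage(whois_text, dig_text, curl_text):
    """Run checks a) (record proxied) and b) (resolves to Cloudflare) plus NS/DNSSEC/TLS checks."""
    ns = nameservers(whois_text)
    addrs = answer_addresses(dig_text)
    findings = {
        "ns_at_cloudflare": bool(ns) and all(n.endswith(".ns.cloudflare.com") for n in ns),
        "dnssec": dnssec_status(whois_text),
        "proxied": bool(addrs) and all(is_cloudflare_proxy(a) for a in addrs),
        "tls_error": curl_verify_error(curl_text),
    }
    findings["verdict"] = verdict(findings)
    return findings


if __name__ == "__main__":
    for key, value in triage(WHOIS_SAMPLE, DIG_SAMPLE, CURL_SAMPLE).items():
        print("%-17s %s" % (key + ":", value))
```

On the thread's own output the script reports nameservers at Cloudflare, DNSSEC unsigned, both A records inside Cloudflare proxy space and a "certificate has expired" verify error, which is the combination that points at the edge certificate rather than at DNS or the origin. Swapping the dig sample for a placeholder such as 192.0.2.1 flips the proxied finding and the verdict to the DNS-only case.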
My suspicion is that this is caused by something we need to investigate more thoroughly with you in a secure space. I want to open a ticket for you but I need to identify you. Could you DM me with your domain and email address so I can get this in my system?
Thank you @CFBrandon - I’ve responded on the ticket. I also really appreciate the help I’ve received in this discussion so far from @anon9246926, cscharff, and simon (can’t tag more than 2 users in a post)