When adding the SSL, I’ve been given the following error:
Add a SSL Certificate for goid.com.sg
Error:
The domain goid.com.sg is not supported by the certificate CN/SAN matches [static.goid.com.sg] and misses [Cloudflare Origin Certificate]."
I’ve contacted IBM Cloud support and they have replied as follows:
Basing on the message: The domain goid.com.sg is not supported by the certificate CN/SAN matches [static.goid.com.sg] and misses [Cloudflare Origin Certificate]." it looks you have 2 problems with this certificate:
the CN is missing ie: I run the command openssl x509 -in static.goid.com.sg.pem -text and it looks the CN is missing .
it misses the Cloudflare Origin Certificate I would suggest to contact the certificate issuer about how to fix this problem.
Origin certificates do have a CN of “Cloudflare Origin Certificate”, however their SANs match the domains. The error message would leave the impression IBM checks both fields but would expect only one to be valid, which is the case for SAN.
So either they do require both fields to be valid, in which case you couldnt use an origin certificate or they are missing the certificate’s root certificate, in which case it should be enough to provide the certificates listed on the page you linked under “Intermediate certificate”.
I’d try the intermediate certificate route and if that still does not work contact IBM again and ask for further feedback on the actual reason for the error.
Another option to achieve what you want to do (get Cloudflare to communicate securely with your servers), is to get free, valid, well accepted standard certificates, from letsencrypt.org. Those can bear your domain in the CN and also *.yourdomain - and you can use automated generation of these certificates completely outside your servers with DNS validation. And you can do that automatically, and if IBM Cloud has an API (which they likely do) - install them automatically as well; Which you’ll probably want to do, because unlike Cloudflare’s origin certificates… they expire every 90 days. But hey, they’re free.
As a bonus, if you use Let’s Encrypt’s certificates, your site can still work for your users if you have to pause Cloudflare service, either temporarily, or, permanently. You’ll enjoy having your software stack ready to serve users with TLS and won’t need to deal with this and possibly a downtime.
Finally, maybe IBM Cloud themselves have a feature to automatically provision certificates for your service. Amazon has this in AWS, for example - you just add a record in DNS once to prove you own the domain - and they create the cert, install it on their CDN/LB automatically, and the same happens again after a year+ when it’s time to renew. You don’t have to do anything. Just like Cloudflare’s Universal SSL service, but at your origin So you could ask IBM if they have such a service. Cloudflare do not need THEIR origin certificate - they need a certificate that they can trust - it can be either one they generated - or - any other cert that will validate at your friendly browser.
I’m aware that LetsEncrypt does provide free SSL certs, but they’re short-lived. Since I’m not running a dedicated OS, I can’t set up a cron job to re-run Certbot.
Unfortunately, IBM Cloud does not give out certificates for free like AWS does
I’ve tried uploading the Cloudflare Origin CA (RSA) to the Intermediate Certificate (Origin) field on IBM Cloud. Unfortunately, the same error persists.
In that case I’d contact IBM again and clarify what the precise reason for the error is. The CN does not match but the SANs do. If you uploaded the root certificates we should be able to rule that out as well.
“the reason of the error is that the CN field in the Subject, points to sni.Cloudflaressl.com while the certificate was loaded for the domain goid.com.sg.”
That now seems they attempted to verify the certificate configured on Cloudflare’s servers and not the certificate you provided for your server. I believe they might have mixed that up.
The question should be why they cant verify the origin certificate and that certificate should not have such a CN.
So you could ask IBM if they have such a service. Cloudflare do not need THEIR origin certificate - they need a certificate that they can trust - it can be either one they generated - or - any other cert that will validate at your friendly browser.