CloudFlare proxied websites don't work on Virgin Media but do on EE and some U.S providers

I have a major problem, and Cloudflare are deliberately delaying replies, and don't want to do tech support by phone. Waiting for replies to emails is like watching paint dry, they just don’t care!

Around 4 days ago, I updated my DNS websites on GoDaddy to go through Cloudflare and then set about setting up SSL using a Cloudflare self signed certificate to add SSL to all of my sites.

The DNS move worked like a charm and my sites are now being proxied via Cloudflare.

Now the SSL or HTTPS is a problem.

I am using Virgin Media, and on my cell phone I am using EE.

If I access the websites via EE, the SSL pops up just fine, when I do the exact same thing through Virgin Media the SSL is not working.

When accessed via EE it shows secure, and using “TLS 1.3”.
When accessed via Virgin Media, it does not, saying “Connection is not secure”.

It also says:

"Your connection is not private

Attackers might be trying to steal your information from thednclan.net (for example, passwords, messages or credit cards). Learn more

NET::ERR_CERT_AUTHORITY_INVALID"

I am not sure what is going on, and also I cannot access my emails via email clients such as AquaMail in both instances and I mean both providers.

I am not sure what is going on.

NOTE: I have another domain which is set up in the exact same way as the domain above, aside from the certificate being different (different domains) and it works just fine.

Isn’t it funny how this is being deliberately delayed!

It could be the DNS propagation issue, if so, or a DNS cache.

May I ask what kind of SSL option have you got selected under the SSL/TLS tab for your domain at Cloudflare dashboard? (Flexible, Full, Full Strict ...)

Here is a way to re-check if you correctly setup the SSL for your domain with Cloudflare:

If any other issues appear, follow the needed steps for troubleshooting from article below:

Regarding available SSL options at Cloudflare dashboard, check here:

In case you do not have an SSL certificate, you can use Cloudflare SSL, if so, kindly make sure you follow the instructions as follows on the below article to setup an SSL certificate using Cloudflare CA Origin Certificate:

Last but not least, kindly have a look here for more information regarding correct SSL settings:

May I suggest looking into below article for a solution:

As for now, at first sight the Website is working fine and loading up from my side over HTTPS.

For me it is not, this is what I see:

I am not making it up you know…

Also: “http://thednclan.net” is what you used not “https://thednclan.net”.

For the record, I have now waited close to 48 hours so far!!!

DNS names I updated BEFORE adding SSL to the domain names FYI.

Also, I have enabled “Full” encryption on ALL of my domains!

Thank you for your feedback.

I got redirected from HTTP to HTTPS.

May I ask have you tried:

  1. Clearing your Web browser cache?
  2. Accessing your Website using a Private Window in your Web browser?
  3. Accessing using another Web browser if you have at least two installed on your device?
  4. Accessing using a VPN connection?
  5. How about restarting your home router?

Kindly, try with this too:

This is going to the origin directly. There is an issue with DNS caching, either locally or at the ISP.

4 Likes

I am rapidly losing my patience.

You all seem to be desperately trying to make out the problem is my side when it is clearly not.

I have tried all of the suggestions by fritexvz and I am still getting the same problem.

This same problem happens on my laptop, PC and phone when I use my ISP’s internet, when I use my phone net with a different provider, it works fine, but I am unable to get to my emails on my phone though my phone carrier using Aquamail.

I am not going to use a VPN so you can avoid even attempting to resolve this matter.

It may also be worth mentioning that I have a friend in Texas who also tried to access it and got EXACTLY the same problem as I am getting, yet according to CloudFlare, I am a “liar”.

I have another domain attached to my Cloudflare account and that is set up EXACTLY the same way as the two I am having issues with, yet it works fine!

Not impressed with this deliberate delay!!!

More deliberate delays!

No one is desperate to do anything of the sort. You made a DNS query, you get 2 different answers. Off the Virgin Media network you get the correct answer. On the Virgin Media network you get the wrong answer.

Cloudflare’s nameservers are only giving one answer… the IP address of the Cloudflare proxy.


➜  ~ dig  www.thednclan.net @1.1.1.1

; <<>> DiG 9.10.6 <<>> www.thednclan.net @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29700
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.thednclan.net.		IN	A

;; ANSWER SECTION:
www.thednclan.net.	300	IN	A	104.21.76.47
www.thednclan.net.	300	IN	A	172.67.187.175

Since you are getting a different answer from Virgin media which points to your origin server, something else is giving a different/ wrong answer. @matteo and @fritex have both provided logical, consistent and detailed suggestions for the cause and remediation.

You can run the same dig command or an nslookup equivalent to determine what IP address is being returned (it’s your origin IP based on the screenshot). The DNS value being returned is being returned by the DNS server specified in your OS while on that network.

I have no idea what this means. How is it related to the web page not rendering.

None of the people replying in this thread work for Cloudflare nor have they called you a liar. Not sure what to tell you beyond the same thing others here have stated, it is likely a DNS caching issue with your provider.

DNS Checker - DNS Check Propagation Tool

There is no delay. The answers were provided as to the likely causes. There doesn’t appear to be any evidence that Cloudflare is returning incorrect IP addresses for your origin. Unfortunately Cloudflare doesn’t control the DNS settings of 3rd party DNS resolvers.

5 Likes
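The comparison described in the reply above, as an added example (not code from the thread or from Cloudflare): it parses `dig` answer sections collected from several resolvers and flags any resolver whose A records fall outside Cloudflare's edge ranges. The ISP answer, its TTL and the 203.0.113.10 origin address are constructed placeholders, and the range list is a snapshot of the ranges published at cloudflare.com/ips.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 edge ranges (cloudflare.com/ips);
# the list can change, so refresh it before relying on the result.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22")]

def parse_a_records(dig_output):
    """Return [(ttl, ip)] for every A record in dig's answer section."""
    records = []
    for line in dig_output.splitlines():
        fields = line.split()
        # Answer lines look like: name TTL IN A address; ';' lines are comments.
        if len(fields) == 5 and not line.startswith(";") and fields[2:4] == ["IN", "A"]:
            records.append((int(fields[1]), ipaddress.ip_address(fields[4])))
    return records

def is_edge(ip):
    """True when the address belongs to one of the Cloudflare edge ranges."""
    return any(ip in net for net in CLOUDFLARE_V4)

def diagnose(outputs):
    """Map resolver label -> verdict for a hostname that should be proxied."""
    verdicts = {}
    for resolver, text in outputs.items():
        records = parse_a_records(text)
        if not records:
            verdicts[resolver] = "no A record in answer"
        elif all(is_edge(ip) for _, ip in records):
            verdicts[resolver] = "edge"
        else:
            # Remaining TTL shows how long the cached answer may still be served.
            stale = [(ttl, str(ip)) for ttl, ip in records if not is_edge(ip)]
            verdicts[resolver] = f"bypasses proxy: {stale}"
    return verdicts

# The 1.1.1.1 answer is copied from the thread; the ISP answer is constructed,
# with 203.0.113.10 (documentation range) standing in for the origin address.
SAMPLE = {
    "1.1.1.1": ";; ANSWER SECTION:\n"
               "www.thednclan.net.\t300\tIN\tA\t104.21.76.47\n"
               "www.thednclan.net.\t300\tIN\tA\t172.67.187.175\n",
    "isp-resolver": ";; ANSWER SECTION:\n"
                    "www.thednclan.net.\t2911\tIN\tA\t203.0.113.10\n",
}

if __name__ == "__main__":
    for resolver, verdict in diagnose(SAMPLE).items():
        print(f"{resolver:14} {verdict}")
```

A resolver reported as bypassing the proxy sends browsers straight to the origin, which is where the untrusted origin certificate gets presented.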

Due to e-mail issue, you have got:

0   _dc-mx.01310ca242ee.thednclan.net   160.153.16.27 
27.16.153.160.in-addr.arpa ->  ip-160-153-16-27.ip.secureserver.net

Obviously, this could mean you have misconfigured e-mail at DNS tab.
Or, the e-mail record like A mail or some other to which the MX record is pointed is being proxied via Cloudflare (orange cloud).

An MX record should point to a subdomain, such as ‘mail’, and the “A” type DNS record for that hostname should be set to DNS Only (grey cloud).
If you have CNAME record, remove it.

Example:

Cloudflare does not proxy e-mail traffic, only web traffic - the same goes for the Cloudflare Origin CA Certificate, if you use it.

Furthermore, to have your e-mail secure, use a valid SSL certificate.

More information on how to properly set up e-mail while using Cloudflare and about e-mail troubleshooting and deliverability issues can be read here:

https://support.cloudflare.com/hc/en-us/articles/200168876-Email-undeliverable-when-using-Cloudflare

Useful tips about e-mails to consider:

2 Likes

DNS has updated to CloudFlare servers.

It is just not showing the SSL properly here… How many times do I need to say it?

Virgin Media:
Computer access → “Privacy error”
Mobile phone access → “Privacy error”

EE (Mobile phone network)
Mobile phone access → Working fine.

I updated the email suggestion and it is now working, thanks.

Now I just want my site to load correctly with HTTPS but it won't because something is preventing the SSL certificate I am using being valid apparently. That's what I am being told from the screenshots above.

1 Like

The error you are receiving shows a Cloudflare Origin certificate in the error message. The Cloudflare origin certificate is only present on your origin. It isn’t present on Cloudflare’s edge. The SSL error you are receiving is because your browser is connecting to your origin server’s IP address not the IP address of Cloudflare’s edge server.

A Cloudflare origin certificate is intended to be used to secure the connection between Cloudflare’s edge and your origin server. It is signed and trusted by Cloudflare’s network because Cloudflare issued it, but it is not trusted by user’s browsers nor is it intended to be. Users are supposed to hit Cloudflare’s edge server where a valid cert issued by a publicly trusted CA is present and Cloudflare then provides the other services because the record is proxied.

On your machine edit your host file and add an entry for

104.21.76.47 thednclan.net

That is one of the proxy IP addresses. With that hardcoded on your machine you will see the Cloudflare edge certificate is displayed. Until whatever DNS server Virgin Media provides has the correct value, the origin IP address it is currently returning will continue to prompt with a certificate error for anyone who gets that value back from them. Neither Cloudflare nor anyone in the forum can force Virgin Media or whatever upstream server is being used while on their network to update their DNS cache for the entry. Whoever manages that DNS server would need to do it.

3 Likes

In my DNS records, I have an “A” record that is set to go to the “origin server” but it is proxied.

Does that help you figure out this problem?

The issue is not in the DNS records. It’s in the DNS server used by your ISP. Change it on your device and it will work… We are going in circles here.

4 Likes

Where is and what is the “host file”?

And we are not going in circles, I am trying to fix this and it's NOT working!!!

It’s a configuration file in the OS, but if you don’t know what that is, it’s better to leave it alone.

You can’t fix it, it’s a caching issue of the A (or NS) entries. It should solve itself once the caches expire. In the meantime, you can use an alternative DNS server on the devices when using the ISP in which it doesn’t work. Unfortunately, if the cache of the entries was particularly long it needs to expire by itself, unless there is a way to force the expiration, which is specific to the actual ISP/service; there is nothing Cloudflare or we can do.

Are you saying that there is nothing wrong with my configuration?

I mean I have 3 websites currently being accelerated by CloudFlare, 1 works just fine, the other 2 do not.

This is my issue, but the one that works was added to CloudFlare once registered so that may be the reason it worked almost instantly after I added the CloudFlare configuration…

Not right now, exactly. It might have been way too long of a TTL before, but we can’t know unless you run some nslookup/dig commands on the not working ISP.

If they all work using some ISPs, then the config works.

I know that the DNS records are updated globally…

What can I do to get this working properly?

You have mentioned “TTL” in your previous post, could you suggest how I update that to be faster?