Cloudflare shows my server's SSL and not Cloudflare's

Hello,

I have 2 websites in one server both using Let’s Encrypt. I have successfully added both of them to Cloudflare and I have enabled SSL. Everything works (mail, websites). One website shows Cloudflare’s SSL and the other one shows my server’s SSL (let’s encrypt). I have also checked the DNS settings and they look correct. I don’t think this is normal. Can you help?

Thank you

Most likely a DNS propagation issue and you just need to wait.

If your records are all properly proxied you’ll always connect to the proxies and only the proxies will get your server certificate. That being said, Cloudflare also uses Lets Encrypt for some certificates, so maybe you are actually getting the Cloudflare certificate and it was simply issued by Cloudflare.

What is the domain?

https://**************

It generally loads fine

image

But it does return a 503 sitemeer.com/#https://silvertraits.com. That should come straight from your server, however. You should check your server logs for hat.

Any yes, it appears as if Cloudflare used a Lets Encrypt certificate in this case.

One thing, you should probably lower your minimum SSL version to 1.2.

Hi Sandro. Thanks for your lightning fast responses.

Don’t mind the 503.

Can you also check the ******?
I reissued a certificate and now my browser show lets encrypt as well

I am using lets encrypt on the server. The process I use to reissue a certificate to my server is that I pause the cloudflare and then I reissue the certificate on my server. The certificate reissues correctly. Both sites now have lets encrypt certificates…

The naked domain, as well as the www record, both resolve to the proxies, so that should be fine.

The main issue really might be the minimum SSL version, as 1.3 is still not everywhere supported, so I’d set that to 1.2.

As for the certificate, there sometimes are issues when validating it through the proxies. In that case you could switch to a DNS-based validation or maybe even to Cloudflare’s Origin certificates. They are only valid in a proxied context, but they are really quickly issued and you can set their expiration date to 15 years.

Yes I will change the TLS. Thank you for your recommendation!!!

I have tried Cloudflare’s Origin certificates but I need a certificate for the mails as well and the Cloudflare’s Origin certificates don’t work (they are not trusted)…

Yeah for mail Origin certificates won’t work as they are only trusted by the proxies. In that case Lets Encrypt is the best approach. Maybe look into DNS validation if HTTP validation fails because of the proxies.

Thank you very much for your time and your useful advices

Kind Regards

Pleasure :slight_smile:

Dear Sandro,

Just a last question.

I am checking out the DNS validation you recommended. I am using Plesk that has integrated lets encrypt certificate issue. When I reissue the cert it creates the acme challenge in the DNS and it seems to work (reissues the cert). Do I need to add anything to cloudflare’s DNS?

Thank you for your time

That’s exactly what you referred to by the challenge. You need to make sure that you use the Cloudflare plugin, so that it gets created at Cloudflare, which is your authoriative nameserver.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.