One of our sites that uses Cloudflare with SSL got a scan. SSL security verification failed. The general shared SSL is PCI compliant, right?
This is the message we got:
FAIL - THREAT:
The SSL certificate for this service cannot be trusted
The following certificate was at the top of the certificate chain sent by the remote host, but it is signed by an unknown certificate authority
|-Subject : C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Domain Validation Legacy Server CA 2
|-Issuer : C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
The first one (subject) is the cloudflared. I have no idea where the second line (issuer) comes from. Does Cloudflare purchase the SSL from them? If so, I think they’re not listed in trusted certificate providers anymore. Can anyone here help to understand what’s going on with this?
Had / Vortx