Cloudflare takes my website offline

Your connection isn’t private

Attackers might be trying to steal your information from **theisifiso.com** (for example, passwords, messages or credit cards).

NET::ERR_CERT_DATE_INVALID

I have a valid Let’s Encrypt certificate installed on the server - https://snipboard.io/czuthv.jpg

But when I connect Cloudflare to my website, after a few minutes, my website goes down. I can get it online only if I pause Cloudflare.

I checked my website against SSL Shopper and it seems to still refer to an old expired certificate from 2022 - https://snipboard.io/q2HdbG.jpg

This certificate and the key still exist on my server if I check through cPanel - could this be the reason why the old certificate is still linked to my website?

I am new to SSL and Cloudflare, so I am really confused as how to proceed.

Thank you
Kavitha

Happy 2023 @isifiso.clothing!

There’s a useful wizard for TLS issues.

To access the wizard, visit https://dash.cloudflare.com/?to=/:account/support and select “Technical Issue - Website” and then “SSL” and follow the prompts.

Hope this helps.

Thanks!


Brilliant. I did just as the wizard asked and this is what I got:

LetsEncryptStaging

DEBUG

Challenge update failures for theisifiso.com in order https://acme-staging-v02.api.letsencrypt.org/acme/order/5751349/6317907753

acme: error code 403 “urn:ietf:params:acme:error:unauthorized”: Incorrect TXT record “1_IGqtENjNs5NwNuAdo_D8gg7aQ0zTHm5q3aAb_A5EY” (and 1 more) found at _acme-challenge.theisifiso.com

How do I fix this please? Or is this not an error?

And if this is not an error, why is SSL Shopper / Cloudflare pointing to an expired certificate?

Please try a few different encryption modes (Encryption modes · Cloudflare SSL/TLS docs); if that doesn’t help, then try Troubleshooting Universal SSL · Cloudflare SSL/TLS docs.
Hope this helps.

There’s not that many. If the OP does not use SSL, it should be Off, otherwise Full Strict.

I have tried all modes, removed the domain from Cloudflare and added it back in and nothing works. If I pause Cloudflare, the site comes back up.

My Edge certificate still shows as Pending. It’s been a few hours since I added the domain and I cannot see how to speed it up. But will this affect what’s going on?
https://snipboard.io/ksSxE1.jpg - See image for details. I can’t see anything obviously wrong, except it has been saying Pending validation since I added the domain a few hours ago.

My hosting support team are telling me that Cloudflare is somehow still referring to an expired Let’s Encrypt certificate. Not sure how I can verify this. They are also suggesting I switch the nameservers to their servers for 24 hours and switch it back. Will this make a difference?

Both of those seem like nothing but time wasters.

I was going to ask you to check your Cloudflare DNS for the two _acme-challenge.theisifiso.com. TXT records, but your whois indicates that your Cloudflare account is not currently active.

Your Cloudflare edge certificate will never issue as long as your whois shows the following nameservers are assigned at your registrar:

   Name Server: AMS-NS1.GREENGEEKS.COM
   Name Server: CHI-NS1.GREENGEEKS.COM
   Name Server: CHI-NS2.GREENGEEKS.COM
   Name Server: SGP-NS1.GREENGEEKS.COM

You must use the assigned Cloudflare nameserver pair and only the assigned Cloudflare nameservers in order to acquire your Universal SSL certificate.

Once you are using your assigned Cloudflare nameservers, it will be possible to continue troubleshooting.


I came across a detail that might shed some light on what is happening here, @isifiso.clothing.

Can you look in your Cloudflare DNS to see if you have NS records created for _acme-challenge.theisifiso.com.?

It appears there is some Greengeeks documentation that suggests delegating _acme-challenge records to their nameservers. They may have written it with good intentions before Cloudflare was using Let’s Encrypt and DNS-01 challenges in their Universal SSL issuance, but following those guidelines will break your Cloudflare Universal SSL with absolute certainty.

If Greengeeks has an option that allows for self-service installation of an SSL certificate, you may want to install a Cloudflare Origin CA certificate.


That’s generally not a good idea, as you will make your site insecure if you switch to the legacy modes. Make sure you are on Full Strict. As for the issue → @epic.network


Hi,

I did have Cloudflare’s nameservers in place before Greengeeks’ support team instructed me to change it. They also asked me to disable the proxy for the A record, which I did. And as you say, it’s a wasted exercise, as I knew the website works if you remove the Cloudflare servers from the registry, and disabling the proxy makes no visible difference. Anyway, I am at the mercy of people who know better - so I have to jump through their hoops.

Within Cloudflare, these are my DNS settings:
I have repointed my Cloudflare nameservers now.

And I do have NS records for _acme-challenge in my DNS entries - see image above. Should I delete these? And yes, I can install the origin server certificate on my server.

But good news is that my website is up and running! Not sure how!

Now that my website is up, I realised I had a plugin on my WordPress website called Super Page Cache for Cloudflare. I have disabled this as I am worried it was clashing with Cloudflare’s settings. I had added this to increase performance on the website a while ago.

Now my SSLShopper is clean - SSL Checker (sslshopper.com)

But there is an issue reported by Let’s debug - Let’s Debug (letsdebug.net)

This is like a “Kill-the-mole-game” :rofl:

I understand how it could feel that way when you have been trying random actions in the hope of finding one that worked.

The NS records that delegate your _acme-challenge record to the Greengeeks nameservers are at the heart of this specific issue. Greengeeks suggests that configuration so they can use a DNS-01 challenge to issue Let’s Encrypt certificates for your origin. This conflicts with Cloudflare needing to do the same thing for your edge certificates.

Issuing a Cloudflare Origin CA origin certificate will prevent you from needing Let’s Encrypt on your origin. It will require you to keep the Cloudflare proxy active (orange cloud) since it is only trusted by Cloudflare.

You have some other DNS entries that could stand some adjustment, but they are outside the scope of the topic at hand.

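To make the conflict described above concrete, here is an added example (it is not code from the thread, from Cloudflare or from Greengeeks) that models what an ACME server does during a DNS-01 validation and why an NS record for _acme-challenge makes it fail. It computes the TXT value RFC 8555 expects (base64url of the SHA-256 of token "." account-key thumbprint), then resolves the TXT set the way a resolver would: if the parent zone holds an NS record for _acme-challenge, the answer comes from the delegated nameservers, not from the TXT records Cloudflare published in its own zone. The domain `example.com`, the token, the JWK, and the nameserver names `ada.ns.cloudflare.example` and `ams-ns1.hosting.example` are all constructed placeholders, and the resolver is deliberately simplified (no recursion, no caching).

```python
"""Added example: why delegating _acme-challenge to another host's nameservers
breaks a DNS-01 validation run by the zone's own provider.

All names, tokens and keys below are constructed for illustration.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members in lexicographic order,
    serialised with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: the TXT record at _acme-challenge.<domain> must equal
    base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def resolve_txt(name: str, apex_servers: list, ns_to_zone: dict, zones: dict) -> list:
    """Simplified resolver. Ask the servers authoritative for the parent zone; if they
    hold an NS record for `name`, that is a delegation and the TXT answer comes from
    the delegated servers' zone, whatever TXT records the parent zone also holds."""
    zone = zones[ns_to_zone[apex_servers[0]]]
    delegated_to = zone.get((name, "NS"), [])
    if delegated_to:
        zone = zones[ns_to_zone[delegated_to[0]]]
    return list(zone.get((name, "TXT"), []))


def validate_dns01(domain, token, thumbprint, apex_servers, ns_to_zone, zones) -> str:
    """Mimic the ACME server's check and the shape of its unauthorized error."""
    name = f"_acme-challenge.{domain}"
    expected = dns01_txt_value(token, thumbprint)
    found = resolve_txt(name, apex_servers, ns_to_zone, zones)
    if expected in found:
        return "valid"
    if not found:
        return f"No TXT record found at {name}"
    more = f" (and {len(found) - 1} more)" if len(found) > 1 else ""
    return (f'urn:ietf:params:acme:error:unauthorized: '
            f'Incorrect TXT record "{found[0]}"{more} found at {name}')


def registrar_uses_only(assigned: list, whois_nameservers: list) -> bool:
    """Universal SSL needs the registrar to list exactly the assigned pair: no extra
    hosting nameservers, no missing one. Case and trailing dot do not matter."""
    def norm(names):
        return {n.lower().rstrip(".") for n in names}
    return norm(assigned) == norm(whois_nameservers)


def build_scenario(delegated: bool) -> str:
    """Constructed DNS state: the zone provider publishes the correct TXT record in
    its zone; the origin host's nameservers serve their own, unrelated challenge
    tokens for the same name."""
    domain = "example.com"
    token = "constructed-token-5Yx2QmNw"
    jwk = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
    thumbprint = jwk_thumbprint(jwk)
    name = f"_acme-challenge.{domain}"
    provider_zone = {(name, "TXT"): [dns01_txt_value(token, thumbprint)]}
    if delegated:
        # The NS record a hosting guide asks the customer to create.
        provider_zone[(name, "NS")] = ["ams-ns1.hosting.example"]
    hosting_zone = {(name, "TXT"): ["constructed-origin-token-1", "constructed-origin-token-2"]}
    zones = {"provider": provider_zone, "hosting": hosting_zone}
    ns_to_zone = {"ada.ns.cloudflare.example": "provider", "ams-ns1.hosting.example": "hosting"}
    return validate_dns01(domain, token, thumbprint, ["ada.ns.cloudflare.example"], ns_to_zone, zones)


if __name__ == "__main__":
    print("with delegation   :", build_scenario(delegated=True))
    print("without delegation:", build_scenario(delegated=False))
```

With the NS record present the validator reports an incorrect TXT record even though the correct one exists in the provider's zone, which is exactly the failure mode of the error quoted earlier in the thread; deleting the delegation makes the same token validate. Against a live domain the equivalent checks are `dig NS _acme-challenge.<domain>` (any answer means a delegation exists) and `dig TXT _acme-challenge.<domain>` against each set of nameservers to see which records resolvers actually receive.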

OK. After a day, the problem has resurfaced and as expected changing the nameserver has had no impact.

I have now gone ahead and deleted the NS records from my DNS settings and installed Cloudflare’s origin certificate on my shared server.

Need I do anything else?

Also, my SSL certificate still hasn’t resolved itself. It still says Pending validation. This has been the case for the last 3 days.

See the settings here: https://snipboard.io/mj5sBG.jpg

Also, your comment on optimising other DNS settings has me intrigued. I will open another request - but ask for optimisation feedback on my DNS settings.

Thank you


It is set to Full Strict.


My website is up. My SSL certificate and backup certificate have been issued. I am hoping the Edge certificates will get renewed automatically and all will be well.

Thank you for all your help in this matter. Every single comment made me understand the issues a bit better.
