Cloudflare working but SSL signature not recognized by browsers on .tk domain name

Hi community,
I have two .com professional domain names and some freenom names (.tk, ml, gq etc) for test, and about the free ones I’m currently testing only .tk.

I have a WordPress site at https://www.diegobittencourt.tk/, nameservers are currently pointed to Cloudflare servers (checked in DNS Propagation Checker - Global DNS Testing Tool), Cloudflare recognizes the protection as active and everything seems to be working. Before activating the protection, I installed on my server a certificate issued by cPanel and then I activated Cloudflare in “Complete (strict)” mode, which requires a trusted certificate on the server. But despite the fact that Cloudflare protection seems to be active, browsers (like Chrome, Firefox and Tor) don’t recognize the certificate as issued by Cloudflare:

I’ve done the same process with my .com domain names, on the same server, with the same cPanel certificate installed on the origin server and with the Complete (strict) Cloudflare protection, and browsers recognize the certificate as issued by Cloudflare:

Another strange thing is: with Cloudflare removed from my .tk domain name, browsers recognize it as issued by “cPanel”, and with Cloudflare protection, they recognize it as issued by “R3 Let’s Encrypt”.

I think these things can’t create any practical problems about performance and security once the protection is recognized as active on the panel, but is there any way to make browsers recognize the Cloudflare signature on that .tk domain name? In the future I’ll probably create some free projects using freenom names and it’d be good to have the Cloudflare signature in browsers by default.

Obs: sorry if the text is too long, I tried to explain the whole situation as objectively as I could.

Obs2: I tested once the same process (used for .tk and for two .com domains) for a .ml domain, and as I remember, everything worked ok and browsers recognized the Cloudflare signature just like in the case of the .com domains. I’ll test it again on .ml to be certain of it and will post here if there are interested members in this discussion. What I suspect is that Cloudflare has a restriction about the .tk domain name for some reason, just like the Infinityfree server has (only about .tk, not about the others from freenom like .ml, for example). I don’t use Infinityfree hosting anymore but a paid one; I just mentioned it as a curiosity I read in the Infinityfree forum, posted by the team when I was using their free service.

Thanks in advance,

Diego.

Cloudflare uses different CAs to issue proxy certificates and one of them is Let’s Encrypt. So in your case you do have a Let’s Encrypt certificate on the proxies and that will be automatically managed by Cloudflare.

In one case you are connecting to your server and get your server certificate, in the other you get the proxy certificate. Perfectly fine as well.
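A way to verify what this answer describes, as an added example that is not code from the thread: connect once through the proxy (normal DNS) and once straight to the origin IP with the same SNI, and compare the issuer of the leaf certificate each side presents. The function names, the sample certificate dict and the origin IP are assumptions.

```python
"""Compare the certificate issuer seen through Cloudflare's proxy with the
issuer of the certificate the origin server itself presents."""
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns:
# 'issuer' is a tuple of RDNs, each RDN a tuple of (attribute, value) pairs.
SAMPLE_EDGE_CERT = {
    "subject": ((("commonName", "example.tk"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
}


def issuer_org(cert):
    """Return the issuer organizationName from a getpeercert() dict, or None."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "organizationName":
                return value
    return None


def issuer_of(hostname, connect_ip=None, port=443, timeout=5.0):
    """TLS-connect with SNI=hostname (to connect_ip when given, which bypasses
    the proxy and reaches the origin directly) and return the issuer
    organization, or 'UNTRUSTED' when the chain fails public validation,
    which is what Full (strict) mode would also reject at the origin."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((connect_ip or hostname, port), timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return issuer_org(tls.getpeercert())
    except ssl.SSLCertVerificationError:
        return "UNTRUSTED"


def compare_edge_and_origin(hostname, origin_ip):
    """Return (edge_issuer, origin_issuer); they differ while the proxy is in
    front, because browsers then see Cloudflare's managed certificate."""
    return issuer_of(hostname), issuer_of(hostname, connect_ip=origin_ip)


if __name__ == "__main__":
    # Hypothetical origin IP: replace with your server's address from cPanel.
    print(compare_edge_and_origin("www.example.tk", "203.0.113.10"))
```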

Crystal clear explanation, thanks. But is there any criteria relative to domain name extensions in the Cloudflare process of giving different CAs? I always activated the two .com domain names with the Cloudflare signature, and that .tk always had Let’s Encrypt.

Now that I know that the Let’s Encrypt signature is used by Cloudflare, it is easy to understand, thanks.

Cloudflare is generally often shifting certificates and currently it is mostly towards Let’s Encrypt certificates. Before they had shared certificates, for example, but these are not really in use any more. But these migrations never happen all at once.

Generally, there’s not much to do when it comes to proxy certificates as those really are fully managed by Cloudflare and are always signed by a publicly recognised CA.