I have been using Cloudflare for a while now and am facing an issue: I deploy a Cloudflare origin certificate on the server, and it turns out the universal certificate is already enabled and the site only reflects that Let's Encrypt certificate. When I disable the universal certificate it shows an SSL version/cipher mismatch error.
Before that, since traffic was proxied through Cloudflare, visiting the site would reflect the Cloudflare origin certificate instead of that universal certificate.
I am looking for a solution where the Let's Encrypt certificate is not used and my website reflects the Cloudflare certificate.
You are mistaken. That's not how Cloudflare works. When a site is proxied, Cloudflare is responsible for presenting an SSL certificate to the visitor because it is providing SSL termination in order to provide security and performance services. Disabling Universal SSL in lieu of having a certificate you have purchased / deployed on the edge leaves no way for Cloudflare to perform this inspection and results in the cipher mismatch error you are experiencing.
If you want to communicate directly with the origin server you can disable the proxy in DNS and set the record to DNS Only. But Cloudflare's origin certificate will simply produce a different error, as it's not trusted by browsers or really intended to be used in a manner where Cloudflare's edge isn't the service connecting to it.
So is there a way to display Cloudflare's certificate (attached below) in the browser instead of displaying the Let's Encrypt certificate?
That certificate is not issued by a valid certificate authority. Cloudflare is not a trusted certificate authority. That is why they use partners like Let's Encrypt to issue valid certificates for them to display on Cloudflare's edge. The certificate you have will not be trusted by the client's browser. You cannot use it on Cloudflare's edge.
If you want to connect to it directly, you need to disable Cloudflare's proxy and send the traffic directly to the origin.
I understand your point. However, is this change implemented now?
Because earlier I used the Cloudflare origin certificate, deployed it on the server, set the TLS/SSL setting to Full (strict), and Cloudflare was displaying the certificate shared above on our site instead of that Let's Encrypt certificate. Please visit
www.nfoods.com: it shows a Cloudflare certificate, although it is different from what is deployed on the server (the origin certificate from Cloudflare).
But now it is showing the edge certificate in browsers instead of the Cloudflare certificate which was displayed earlier.
You seem to have confusion around the term edge certificate. An edge certificate is known by that name because of its location on the network. The certificate detail from your screenshot is of an edge certificate, not an origin certificate.
The edge certificate is the one presented to your visitors by the Cloudflare proxy. An origin certificate goes on your server. It may be from a publicly recognized certificate authority or the Cloudflare Origin CA. The latter is trusted only by the Cloudflare proxy and will display an error in a web browser.
Cloudflare uses multiple certificate authorities. While the certificate you shared says that it was issued by Cloudflare Inc ECC CA-3, it is from the DigiCert CA. That issuer is being phased out of Cloudflare, and while not yet completely gone, it will no longer be used at some point in the future.
You can add more control over your certificate issuer preferences by adding Advanced Certificate Manager. If you want to provide your own edge certificate, you can use Custom Certificates on the Business or Enterprise plans.
This is possibly due to the configuration of the domain/server.
www.nfoods.com is going through Cloudflare:
```
$ dig www.nfoods.com
www.nfoods.com. 187 IN CNAME www.nfoods.com.cdn.cloudflare.net.
www.nfoods.com.cdn.cloudflare.net. 187 IN A 220.127.116.11
www.nfoods.com.cdn.cloudflare.net. 187 IN A 18.104.22.168
```
nfoods.com is not:
```
$ dig nfoods.com
nfoods.com. 203 IN A 22.214.171.124
```
And there is an LE certificate on nfoods.com:
```
$ curl https://nfoods.com -svo /dev/null 2>&1 | grep -E '(issuer|subject)'
* subject: CN=nfoods.com
* subjectAltName: host "nfoods.com" matched cert's "nfoods.com"
* issuer: C=US; O=Let's Encrypt; CN=R3
```
www.nfoods.com has a Cloudflare certificate:
```
$ curl https://www.nfoods.com -svo /dev/null 2>&1 | grep -E '(issuer|subject)'
* subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
* subjectAltName: host "www.nfoods.com" matched cert's "www.nfoods.com"
* issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
```
https://nfoods.com both redirect to
https://www.nfoods.com; the latter is a little hit-and-miss in terms of actual connectivity to the nginx server.
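The two replies above make the same point from different angles: the certificate a browser sees on a proxied name is always an edge certificate (whether Cloudflare-branded or issued by a partner CA such as Let's Encrypt), and an Origin CA certificate is only ever meant to be seen by the Cloudflare proxy. The script below is an added example, not code from this thread or from Cloudflare: it classifies a leaf certificate in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()` and states what a visitor will see given whether the name is proxied. The matching rules (issuer organization "Cloudflare, Inc.", the shared subject CN `sni.cloudflaressl.com`, and "Origin SSL" in the Origin CA issuer CN) are assumptions, and the `SAMPLES` dicts are constructed to mirror the curl output above, not captured data.

```python
# Added example (not from the thread or Cloudflare): classify the leaf
# certificate a TLS client receives and say what a visitor will see.
import socket
import ssl

# Assumption: Cloudflare-branded edge certs carry this issuer organization or
# this shared subject CN; Cloudflare Origin CA issuers contain "Origin SSL".
EDGE_ISSUER_ORG = "Cloudflare, Inc."
EDGE_SHARED_CN = "sni.cloudflaressl.com"
ORIGIN_CA_MARKER = "Origin SSL"


def dn_to_dict(rdn_sequence):
    """Flatten getpeercert()'s ((('countryName', 'US'),), ...) form into a dict."""
    out = {}
    for rdn in rdn_sequence:
        for attr, value in rdn:
            out[attr] = value
    return out


def classify(cert):
    """Return 'origin-ca', 'cloudflare-edge' or 'public-ca' for a getpeercert() dict."""
    subject = dn_to_dict(cert.get("subject", ()))
    issuer = dn_to_dict(cert.get("issuer", ()))
    issuer_org = issuer.get("organizationName", "")
    if ORIGIN_CA_MARKER in issuer.get("commonName", "") and "cloudflare" in issuer_org.lower():
        return "origin-ca"          # trusted by Cloudflare's proxy only
    if issuer_org == EDGE_ISSUER_ORG or subject.get("commonName") == EDGE_SHARED_CN:
        return "cloudflare-edge"    # e.g. Cloudflare Inc ECC CA-3 (DigiCert-backed)
    return "public-ca"              # e.g. Let's Encrypt; still an edge cert when proxied


def describe(cert):
    subject = dn_to_dict(cert.get("subject", ()))
    issuer = dn_to_dict(cert.get("issuer", ()))
    return {
        "subject_cn": subject.get("commonName"),
        "issuer": f"{issuer.get('organizationName')} / {issuer.get('commonName')}",
        "sans": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
        "kind": classify(cert),
    }


def verdict(proxied, kind):
    """What the browser shows, following the explanation given in the thread."""
    if proxied:
        if kind == "origin-ca":
            return "unexpected: the proxy should never present an Origin CA cert"
        return "ok: edge certificate presented by the Cloudflare proxy"
    if kind == "origin-ca":
        return "error: Origin CA cert reached directly; browsers do not trust it"
    return "ok: origin server presenting its own publicly trusted certificate"


def fetch_leaf(host, port=443, timeout=5.0):
    """Connect with SNI like a browser. Returns (cert_dict, error_or_None).
    The parsed dict is only available when verification succeeds, so hitting
    an Origin CA cert directly comes back as (None, <OpenSSL verify message>)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, exc.verify_message


# Constructed samples mirroring the curl output in the thread (not captured data).
SAMPLES = {
    "nfoods.com": {
        "subject": ((("commonName", "nfoods.com"),),),
        "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
                   (("commonName", "R3"),)),
        "subjectAltName": (("DNS", "nfoods.com"),),
    },
    "www.nfoods.com": {
        "subject": ((("countryName", "US"),), (("stateOrProvinceName", "California"),),
                    (("localityName", "San Francisco"),), (("organizationName", "Cloudflare, Inc."),),
                    (("commonName", "sni.cloudflaressl.com"),)),
        "issuer": ((("countryName", "US"),), (("organizationName", "Cloudflare, Inc."),),
                   (("commonName", "Cloudflare Inc ECC CA-3"),)),
        "subjectAltName": (("DNS", "sni.cloudflaressl.com"), ("DNS", "www.nfoods.com")),
    },
    "origin-direct": {   # hypothetical Origin CA cert as seen when the proxy is bypassed
        "subject": ((("commonName", "nfoods.com"),),),
        "issuer": ((("countryName", "US"),), (("organizationName", "CloudFlare, Inc."),),
                   (("commonName", "CloudFlare Origin SSL Certificate Authority"),)),
        "subjectAltName": (("DNS", "nfoods.com"), ("DNS", "*.nfoods.com")),
    },
}

if __name__ == "__main__":
    import sys
    for name, cert in SAMPLES.items():
        print(name, describe(cert))
    for host in sys.argv[1:]:        # optional live check, e.g. www.nfoods.com
        cert, err = fetch_leaf(host)
        print(host, describe(cert) if cert else f"verify failed: {err}")
```

Run it with no arguments to see the three constructed cases classified; pass hostnames to check live. A proxied name that comes back as `public-ca` (the www.atcpak.com situation later in the thread) is still the edge presenting a partner-issued Universal SSL certificate, which `verdict(True, "public-ca")` reports as normal; only a direct, DNS Only connection to a server carrying an Origin CA certificate produces the verification failure that `fetch_leaf` surfaces.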
The issue is that
www.nfoods.com has the Cloudflare certificate showing up in the browser from the edge, and that is CA-authorized as it's not showing a red broken lock, but another website,
www.atcpak.com, is showing a Let's Encrypt cert in the browser,
considering the fact that both have origin certificates from Cloudflare on the server and the traffic of both is proxied through Cloudflare.
How do I make it so that
www.atcpak.com also shows the Cloudflare cert instead of showing the Let's Encrypt Universal cert in the browser?
I hope that I have made you understand the exact issue.
@epic.network already answered this question for you.