CNAME Flattening and Full (Strict) SSL causes "Invalid SSL Certificate / Error 526"


#1

Hi,

I’ve recently switched my website’s SSL setting from “Full” to “Full Strict”. However, I noticed that the CNAME Flattening no longer works and instead I get thrown the “Invalid SSL Certificate” error.

Is there any reason as to why this occurs?

Ray ID: 496dfd0fed33996d


#2

That is most likely not a CNAME issue, but by switching to Strict (which generally was a good idea) Cloudflare now requires a valid certificate from your server, which you apparently haven’t got configured though.


#3

Thanks for the reply, but currently I’m using GitHub Pages, which uses a valid Let’s Encrypt SSL certificate.

Furthermore, this error only occurs when visiting the website via the root domain (e.g: https://example.com/) instead of the ‘www’ domain (e.g: https://www.example.com/).

The latter works fine even with SSL (Strict) enabled. But the non-www url does not work.


#4

In that case your certificate might be issued only for www and not the naked domain. If you feel comfortable enough revealing the origin IP, please do so. I presume your origin IP address does not end in 21 any longer, right?


#5

Is the origin IP the IP address of the server serving the website?

If so, GitHub Pages (which is hosting the site) is “linked” via a CNAME record; hence, there’s no definite origin IP to my knowledge.

Please correct me if I’m wrong


#6

Yes, it is. Can you post the CNAME target, the GitHub URL?


#7

Sure, it’s: goidsg.github.io


#8

OK, I’ve quickly checked my GitHub Pages settings and found that Enforce HTTPS is disabled.

But this should only prevent HTTPS enforcement, not HTTPS altogether?


#9

It appears there is no certificate at all configured at GitHub. Are you sure you configured www and the naked domain identically? Can you post a screenshot?

Also, ensure you did configure the domain and the certificate correctly at GitHub.


#10

So, these are the DNS records:


Type: CNAME (CNAME Flattening)
Name: goid.com.sg
Value: www.goid.com.sg

Type: CNAME
Name: www
Value: goidsg.github.io


I’ve followed the instructions here to configure GitHub Pages: https://help.github.com/articles/user-organization-and-project-pages/

I’ve made sure that the “CNAME” file was part of the repo: https://github.com/goidsg/www.goid.com.sg/

I’m not too sure which screenshot you’re asking for; is it the DNS config on Cloudflare? If so, I’ve attached a snippet below:


#11

It seems unusual that “www” would work but not the root domain. Could that possibly be due to caching at the CDN?


#12

It appears that GitHub does not have any certificate configured for your domain. Can you double check that? The fact that www does load is a bit strange though; could it be you have a page rule in place?


#13

Try to put your flat CNAME not to www.goid.com.sg but to goidsg.github.io instead. Maybe that helps.


#14

Maybe the CNAME name gets used by CF for cert checking or whatever. One would need to test how they actually check it.
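The test the post above asks for can be done directly, since Full (Strict) is just a TLS handshake to the origin with the visitor's hostname in SNI followed by chain and name validation. The script below is an added example written for this thread, not code from the original posts or from Cloudflare or GitHub: it connects to the CNAME target (goidsg.github.io) with a chosen hostname as SNI and reports whether the certificate the origin returns actually names that hostname. The hostnames and origin are the ones from the thread; the SAN lists in the offline demo are constructed, not observed.

```python
"""Check which names an origin's certificate actually covers.

Added example for this thread, not code from the original posts or from
Cloudflare/GitHub.  It connects to the origin named in the CNAME with the
visitor's hostname in SNI, as Cloudflare's Full (Strict) mode does, and
reports whether the returned certificate's Subject Alternative Names cover
that hostname.  The SAN lists in the offline demo are constructed.
"""
import socket
import ssl
import sys


def hostname_covered(hostname, sans):
    """True if any dNSName in `sans` matches `hostname`.

    Matching follows the usual browser rules: case-insensitive, a wildcard
    is honoured only as the whole left-most label, and it stands for exactly
    one label, so "*.goid.com.sg" covers "www.goid.com.sg" but neither the
    apex "goid.com.sg" nor "a.b.goid.com.sg".
    """
    host = hostname.rstrip(".").lower().split(".")
    for san in sans:
        pat = san.rstrip(".").lower().split(".")
        if len(pat) != len(host):
            continue
        if pat[0] == "*":
            if pat[1:] == host[1:]:
                return True
        elif pat == host:
            return True
    return False


def probe_origin(hostname, origin, timeout=5.0):
    """TLS-connect to origin:443 sending `hostname` as SNI, like Cloudflare.

    The chain is validated against the system trust store (a self-signed or
    expired origin certificate fails here), but the name check is done by
    hostname_covered() so the report can show which names ARE present.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # name check done below, explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain must still be trusted
    report = {"hostname": hostname, "origin": origin, "chain_trusted": False,
              "sans": [], "covered": False, "error": None}
    try:
        with socket.create_connection((origin, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        report["error"] = "chain not trusted: " + getattr(exc, "verify_message", str(exc))
        return report
    except (OSError, ssl.SSLError) as exc:   # handshake alert, timeout, refused
        report["error"] = str(exc)
        return report
    report["chain_trusted"] = True
    report["sans"] = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    report["covered"] = hostname_covered(hostname, report["sans"])
    return report


def strict_mode_verdict(report):
    """What Full (Strict) makes of a probe: 'ok' or the reason for a 526.

    Plain "Full" mode accepts any of these states, including a self-signed
    certificate, which is why the site loaded before the switch.
    """
    if report["error"]:
        return "526: " + report["error"]
    if not report["covered"]:
        return "526: certificate does not name %s (SANs: %s)" % (
            report["hostname"], ", ".join(report["sans"]) or "none")
    return "ok"


if __name__ == "__main__":
    # Offline demo with a constructed SAN list: the shape of the thread's problem.
    www_only = {"hostname": "goid.com.sg", "origin": "goidsg.github.io",
                "chain_trusted": True, "sans": ["www.goid.com.sg"],
                "covered": hostname_covered("goid.com.sg", ["www.goid.com.sg"]),
                "error": None}
    print("constructed www-only cert, apex requested:", strict_mode_verdict(www_only))
    # Live probe: python3 this.py goid.com.sg goidsg.github.io
    if len(sys.argv) == 3:
        print(strict_mode_verdict(probe_origin(sys.argv[1], sys.argv[2])))
```

Run it once with `www.goid.com.sg` and once with `goid.com.sg` as the SNI name against the same origin; if the second run reports that the certificate does not name the apex, that is the 526 in the thread, and no CNAME change at Cloudflare will fix it until the origin has a certificate for that name. The one-line equivalent is `openssl s_client -connect goidsg.github.io:443 -servername goid.com.sg`, reading the subjectAltName from the certificate it prints.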


#15

Not too sure how to check the cert given by GitHub.

I’ve checked my Page Rules, there doesn’t seem to be anything that may cause this issue:


#16

This works! Now the root domain is redirecting to “www” properly.

Not too sure why it works, but hey, at least it works ¯\_(ツ)_/¯


#17

Well, I checked crt.sh and for goid.com.sg I only found Cloudflare certs, so it looks like GitHub can’t get a cert for the domain (fairly obvious, because the IP goes to Cloudflare and with strict SSL Cloudflare will block any attempt for classic HTTP validation).

With this, my theory that CF checks for the name in the CNAME record seems as good as proved.
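The crt.sh check in the post above is worth automating, because Certificate Transparency logs show which CAs have ever issued for a name independently of what the origin happens to present today. The script below is an added example written for this thread, not code from the original posts, from crt.sh or from GitHub: it pulls crt.sh's JSON output for a name and lists the issuers holding certificates that name it exactly. If only Cloudflare's CAs appear, the origin never obtained its own certificate for that name and a Full (Strict) handshake for it cannot succeed. The `SAMPLE` records are constructed in the shape of crt.sh's output to reproduce the thread's symptom; they are not real crt.sh data for goid.com.sg.

```python
"""Which CAs have issued certificates for a name, according to crt.sh.

Added example, not part of the original thread and not crt.sh's or
GitHub's code.  SAMPLE is constructed in the shape of crt.sh's JSON
output; it is not real data for goid.com.sg.
"""
import json
import urllib.parse
import urllib.request
from collections import Counter

CRTSH_JSON = "https://crt.sh/?q={q}&output=json"


def fetch_crtsh(name, timeout=20.0):
    """Live query (needs network): crt.sh returns a JSON array of entries."""
    url = CRTSH_JSON.format(q=urllib.parse.quote(name))
    req = urllib.request.Request(url, headers={"User-Agent": "ct-triage-example/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def entry_names(entry):
    """crt.sh packs a certificate's dNSNames into one newline-separated field."""
    return {n.strip().lower() for n in entry.get("name_value", "").split("\n") if n.strip()}


def issuers_covering(entries, name):
    """Map issuer DN -> number of distinct certificates whose SANs list `name`.

    Only an exact name match counts: a "*.goid.com.sg" entry says nothing
    about the apex, which is the thread's whole problem.  crt.sh can return
    the same certificate id more than once, so ids are de-duplicated.
    """
    name = name.rstrip(".").lower()
    seen, counts = set(), Counter()
    for entry in entries:
        cert_id = entry.get("id")
        if cert_id in seen or name not in entry_names(entry):
            continue
        seen.add(cert_id)
        counts[entry.get("issuer_name", "<unknown issuer>")] += 1
    return dict(counts)


def non_cloudflare_issuers(entries, name):
    """Issuers other than Cloudflare's own CAs holding a cert for `name`.

    Empty list: nobody but Cloudflare has a certificate for this name, i.e.
    the origin cannot present a valid one and Full (Strict) will return 526.
    """
    return sorted(i for i in issuers_covering(entries, name) if "cloudflare" not in i.lower())


# Constructed sample in crt.sh's JSON shape (not real records for this domain):
# the apex appears only in a Cloudflare edge certificate, while www also has a
# Let's Encrypt certificate, matching the thread's symptom of www loading and
# the apex failing under Full (Strict).  The third row repeats the first, as
# crt.sh output sometimes does.
SAMPLE = [
    {"id": 1001, "issuer_name": "C=US, O=CloudFlare, Inc., CN=CloudFlare Inc ECC CA-2",
     "name_value": "sni.cloudflaressl.com\n*.goid.com.sg\ngoid.com.sg",
     "not_before": "2018-05-01T00:00:00", "not_after": "2018-11-01T00:00:00"},
    {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "www.goid.com.sg",
     "not_before": "2018-05-02T00:00:00", "not_after": "2018-07-31T00:00:00"},
    {"id": 1001, "issuer_name": "C=US, O=CloudFlare, Inc., CN=CloudFlare Inc ECC CA-2",
     "name_value": "sni.cloudflaressl.com\n*.goid.com.sg\ngoid.com.sg",
     "not_before": "2018-05-01T00:00:00", "not_after": "2018-11-01T00:00:00"},
]


if __name__ == "__main__":
    import sys
    # With an argument: live query for that name.  Without: the constructed sample.
    live = len(sys.argv) > 1
    entries = fetch_crtsh(sys.argv[1]) if live else SAMPLE
    for name in ([sys.argv[1]] if live else ["goid.com.sg", "www.goid.com.sg"]):
        print(name, issuers_covering(entries, name))
        print("  non-Cloudflare issuers:", non_cloudflare_issuers(entries, name) or "none")
```

Because Let's Encrypt's HTTP-01 challenge has to reach the origin through whatever the name resolves to, a name that resolves to Cloudflare's edge can only get a GitHub-side certificate if the challenge request is passed through to GitHub; an empty non-Cloudflare issuer list for the apex is the CT-log view of that failure.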