I have a split DNS. Internal domain is the same as external domain in CloudFlare.
I have a website that is hosted in the cloud.
I created my A records that are proxied in CloudFlare. And I created my local A records.
Externally to my local network the website works perfectly fine.
Internally the site is accessible but I get the error the my connection is not secure to the site. I think this is happening because my internal browser is pulling the certificate from the host IP and not from CloudFlare.
Does anyone know a way around this? Do I have to change the CloudFlare A record to DNS only?
Based on your description, changing the Cloudflare A record to DNS only would likely make the problem appear for external users as well. The best approach in my opinion would be to replace the current certificate on the server with one that is valid for the domain, signed by a reputable entity, and so on. Could be a free Let’s Encrypt certificate for example - that would be fine. This would also allow you to switch the Encryption mode (under SSL/TLS in the Cloudflare dashboard) to “Full (strict)”, which ensures that you really have end to end security for your external users. And the internal users of course benefit from the valid certificate.
Thank you for your reply.
I just stumbled upon a solution while I was replicating the issue in a test environment.
I pinged the domain name of my site and got a reply from a cloudflare IP.
I changed my local A record to the CloudFlare IP and now the site is accessible with no certificate errors.
That will work…for a while. From time to time, those IP addresses change. Maybe every couple of years.
I was afraid of that. Guess I will have to keep an eye on it. This will give me enough time to get my hosting provider to install the certificate on their servers.
Something interesting I noticed is that depending on what ISP I’m using sometimes I would get back an IPv4 address and sometimes I would get back an IPv6 address. Do you know why that is?
Cloudflare uses multiple IP addresses for a hostname. Typically two IPv4 and two IPv6. From home, most of my connections choose IPv6, but either will work.
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.