Creating SSL certificates

Answer these questions to help the Community help you with Security questions.

What is the domain name?

Have you searched for an answer?
yes

Please share your search results url:

When you tested your domain, what were the results?
yesterday, there was an error message on all subdomains (i.e. dft.yfci.org) indicating an expired certificate

Describe the issue you are having:
We notice that although the issue resolved this morning (we aren’t sure what we did that fixed it), some certificates on subdomains have expiration dates matching our Cloudflare certificates and some have expiration dates and info matching our server site certificates. We don’t understand why or how to make sure we keep all site certificates up to date and managed in the same place.

What error message or number are you receiving?
no error currently; just inconsistent certificate info

What steps have you taken to resolve the issue?

  1. Ran the bncert command as instructed at https://docs.aws.amazon.com/en_us/lightsail/latest/userguide/amazon-lightsail-enabling-https-on-wordpress.html on our AWS server

Was the site working with SSL prior to adding it to Cloudflare?
yes

What are the steps to reproduce the error:

  1. NA

Have you tried from another browser and/or incognito mode?
yes, same across both

Please attach a screenshot of the error:

Only your apex domain seems to be proxied through Cloudflare. The www and dft subdomains are not proxied so requests go direct to your server.
https://cf.sjr.org.uk/tools/check?5d9eabf8c62b41eb874564a4b89c0620#dns

Cloudflare keeps the Universal SSL certificate renewed automatically, but you need to ensure you keep the origin server SSL certificate(s) renewed as well, whether you are using the proxy or not.

Ensure your Cloudflare SSL/TLS settings are set to “Full (strict)” here so Cloudflare also checks the apex domain origin certificate is valid…
https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls

Ideally, you would have an origin certificate that covers yfci.org and *.yfci.org so everything is covered by one certificate.

If the 3-monthly renewal of certificates on your origin is a problem, you can use a Cloudflare origin certificate (for proxied connections only) instead which can be valid for up to 15 years.

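A small audit script for the situation the reply describes (some hostnames answering with the Cloudflare edge certificate, others with the origin one, and the origin one nearing expiry). This is an added example, not code from the thread or from Cloudflare; the hostnames in `main()` are constructed placeholders, and only `fetch_cert()` touches the network, so the findings logic can be exercised offline on `getpeercert()`-style dicts.

```python
"""Audit which certificate each hostname of a zone actually serves.
Added example, not from the thread above; hostnames in main() are constructed
placeholders. Only fetch_cert() touches the network, the rest works on
getpeercert()-style dicts and can be tested offline."""
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(hostname, port=443, timeout=5.0):
    """Verified leaf certificate a host presents. An expired or mismatched cert
    fails the handshake (ssl.SSLCertVerificationError), so catch it per host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def covers(hostname, sans):
    """Exact match, or one-label wildcard match: *.example.org covers
    dft.example.org but not example.org itself nor a.b.example.org."""
    host = hostname.lower()
    parent = host.split(".", 1)[1] if "." in host else ""
    return any(s.lower() == host or (s.startswith("*.") and s[2:].lower() == parent)
               for s in sans)

def summarize(hostname, cert, now):
    """Reduce a getpeercert() dict to the fields that identify a certificate."""
    issuer = dict(pair for rdn in cert.get("issuer", ()) for pair in rdn)
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return {"host": hostname, "issuer": issuer.get("organizationName", "?"),
            "serial": cert.get("serialNumber", "?"), "days_left": (expires - now).days,
            "covers": covers(hostname, sans)}

def audit(summaries, warn_days=14):
    """Findings: names the served cert does not cover, certs near or past expiry,
    and hosts served by different certificates (e.g. proxied vs direct-to-origin)."""
    findings = []
    for s in summaries:
        if not s["covers"]:
            findings.append(f"{s['host']}: served certificate does not cover this name")
        if s["days_left"] < warn_days:
            findings.append(f"{s['host']}: cert from {s['issuer']} expires in {s['days_left']} days")
    by_serial = {s["serial"]: s["host"] for s in summaries}
    if len(by_serial) > 1:
        findings.append("hosts are served by different certificates: "
                        + ", ".join(f"{h} (serial {sn})" for sn, h in by_serial.items()))
    return findings

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    rows = [summarize(h, fetch_cert(h), now) for h in ("example.org", "www.example.org")]
    print("\n".join(audit(rows)) or "all hosts serve one valid certificate")
```

Run it against the apex and every subdomain you serve; once all of them are proxied or the origin carries one certificate for `yfci.org` and `*.yfci.org`, the "different certificates" finding disappears and only the expiry warnings remain to watch.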