Dangling backup certificates of my zone

Answer these questions to help the Community help you with Security questions.

What is the domain name?

Have you searched for an answer?
No.

Please share your search results url:

When you tested your domain, what were the results?
Two more backup certificates were issued and shown on the Cloudflare dashboard, and they can't be removed even when disabling Universal SSL.

Describe the issue you are having:

  1. My zone is lihj.me with zone id c6d0a95b0b51933ad83300d757e06570.
  2. Two backup certificates, which were the problem, were issued (not sure when; one Google and another Let's Encrypt). Plus two normal certificates currently deployed (a main and a backup certificate). In summary, there are four universal certificates now.
  3. When I disabled the Universal SSL option on the web dashboard UI, the two normal certificates were deleted as expected. The two backup certificates were still there and could not be removed.

What error message or number are you receiving?
None.

What steps have you taken to resolve the issue?

  1. Disable the Universal SSL option. The two normal certificates were deleted. The two problematic backup certificates were still there and not removed.
  2. Wait for 30 minutes. Enable the Universal SSL option.
  3. A main and a backup certificate would be issued, and the two problematic certificates remained shown on the certificate list.

Was the site working with SSL prior to adding it to Cloudflare?
Yes.

What are the steps to reproduce the error:

  1. Disable the Universal SSL option. The two normal certificates were deleted. The two problematic backup certificates were still there and not removed.
  2. Wait for 30 minutes. Enable the Universal SSL option.
  3. A main and a backup certificate would be issued, and the two problematic certificates remained shown on the certificate list.

Have you tried from another browser and/or incognito mode?
Yes.

Please attach a screenshot of the error:
I have turned off the Universal SSL setting; the two problematic certificates remained shown on the certificate list:

Mind if I ask?

  1. What exactly are you trying to accomplish?

  2. What is the actual problem with the certificates?

  3. Why exactly do you want them thrown away?


Hi, thanks for your reply,

I want to remove these two backup certificates.
I think these two certificates are dangling and not actually managed by the dashboard, as they should have been removed when I disabled the Universal SSL option.
When I activated the Universal SSL option again, two more certificates were issued and appeared on the dashboard, which were actually "managed" by the dashboard.
I don’t know whether there should be some side effects.

Thx.

Well, the backup certificates aren’t supposed to be used, if that is what you consider “dangling”.

They will be there, but won’t ever be used, unless there is a reason to use them, for example due to a certificate revocation and/or key compromise.

So somehow, they are (hopefully!) “dangling” forever, in a perfect situation.

If you mean that there are no ways for you to maintain them, or switch between them, that’s correct.

It will be handled by Cloudflare, in the event that it becomes necessary, to do anything with them.

That one is a bit ambiguous actually.

According to the documentation, you cannot opt out of the backup certificate, except on the Enterprise plan:

Backup certificates · Cloudflare SSL/TLS docs

That sounds like it works perfectly fine.

For each normal certificate issued, there will similarly be a backup certificate, that’s the whole point of the system with backup certificates.

Again, the documentation is a bit ambiguous as mentioned above.

But you can always try to disable Universal SSL, and leave it disabled.

You will NOT be able to use Proxied (:orange:) records by doing so; however, there will be a chance (but no guarantees) that the backup certificates will vanish on or around February 9, 2024, assuming that you leave Universal SSL disabled until then.

If you ever enable Universal SSL after this time though, a new backup certificate will be generated again, and will again be “dangling” until the time they become necessary to use, if they ever will.

It is the purpose of the backup certificates, to be like that.

Why do you believe this to be true?

Sauce?

:+1:

Hi, thanks for your reply.

In fact, in normal condition, there should be one universal cert and one backup cert on the dashboard, like this:

Also, in normal condition, when I click the "Disable universal SSL" button, both the universal cert and the backup cert should be removed from the dashboard.

Well, for my zone with the issue I met, there are normal certs (one universal cert and one backup cert) and problematic certs (two backup certs). In summary, there are 4 certificates issued for my zone.

The normal ones could be issued and removed normally when I activated or disabled the “Disable universal SSL” option.

The problematic ones could not be removed when I disabled the “Disable universal SSL” option.

The issue was that normal backup certs would be removed when I "Disable Universal SSL" even if they hadn't expired.
The certificates in question will not be automatically deleted, which is why I call them "dangling certs".

I just want to remove the two certificates in question and keep the normal universal cert and backup cert. (Not remove all backup certs or opt out of the issuance of backup certs, just the certificates in question.) Thx.

Hi, you could just try the option.
In a normal situation, when you click the "Disable Universal SSL" button, all your universal and backup certificates would be removed. This is why I call them "not managed" and "dangling", as they just can't be removed.

  1. Can you provide just one reference, that is backing up your claim for this to be a “fact”, for “normal condition”?
  1. Can you provide just one reference, that is backing up your claim for this to be “normal condition”?

  2. Can you provide just one reference, that is backing up your fact that the backup certificate should be removed from the Dashboard?

Or said in other words, for all of the above:

The .ME zone (and its subdomains) currently has 18 (eighteen) certificates, where typical patterns indicate that apparently 17 (seventeen) of them are issued by Cloudflare.

The .EU.ORG zone (and its subdomains) currently has 12 (twelve) certificates, where typical patterns indicate that apparently 11 (eleven) of them are issued by Cloudflare.

Continuously playing around with disabling and re-enabling Universal SSL will make the situation even worse than that, until the Certificate Authorities (CAs) at some time start to rate limit your domain(s) for (re-)issuing too many certificates in a short period of time.

Removing a certificate (whether it would be from the Dashboard, or from your own server) isn't the same as making it invalid.

Invalidating them would in addition require that it either expires (which it only will at the time of its expiration), or that it is manually revoked.

TL;DR:

I would suggest you to leave them alone, and find something more useful to do, rather than worrying about nothing.


Thanks for looking into this issue.

I see what you mean. Based on your investigation, removing certificates from the dashboard when “Disabling Universal SSL” doesn’t mean they were revoked (I just can’t see them), right?
I’ll wait until they expire, thanks again.

By the way, just for another eu.org domain, disabling Universal SSL would remove all certificates, definitely.

You’re welcome, happy to do whatever I can to help / provide clarity / et cetera. :slight_smile:

You understood this one well. :slight_smile:

I was just digging around, and I found this one:

So, the older certificates are completely gone from Cloudflare, once you’ve disabled Universal SSL.

Personally, I would just have marked them as inactive, but still shown them on the Dashboard until they had expired. And in the event like above, where a user re-enables Universal SSL, I would just have re-used the already existing certificates, or, in other words, re-activated them, but without creating new certificates.

That's my way though. I wouldn't constantly be bombarding the Certificate Authorities (CAs) with requests, like we can see above, unless there would be a valid reason for doing so.

:+1:

Maybe something is stuck within your zone, but that being said, I would still not worry, as it will likely auto-correct itself at some point.

I would only be worried if something was seriously broken, such as for example that you couldn’t access your website, and that it was confirmed to be related to a broken certificate somehow. But other than that, I wouldn’t touch them at all.

I do understand the point very well, when something looks to be one way for one thing, you’ll kind of expect it to be like that for everything.

Mostly out of personal curiosity, but do you mind sharing that specific .eu.org domain where all certificates vanished?

Hi, it is lihj.eu.org.

Also, I placed many domains at Cloudflare. Only three of them met this issue.

All other domains would have completely new certificates when I re-enable Universal SSL and no certificate shown on dashboard when I disable Universal SSL.

This issue occurred after the BIG Incident of the whole of Cloudflare (in early November). I think they may be related.

There appear to be (at least) 7 active certificates there.

  1. From 2023-01-16 to 2024-01-15, issued by Cloudflare (via DigiCert).
  2. From 2023-09-21 to 2023-12-20, issued by Let’s Encrypt (E1).
  3. From 2023-11-01 to 2024-01-30, issued by Google Trust Services.
  4. From 2023-11-02 to 2024-01-31, issued by Let’s Encrypt (E1).
  5. From 2023-11-02 to 2024-10-31, issued by Cloudflare (via DigiCert).
  6. From 2023-11-02 to 2024-01-31, issued by Let’s Encrypt (E1).
  7. From 2023-12-13 to 2024-12-12, issued by Cloudflare (via DigiCert).

None of these 7 certificates seem to have been revoked, which means that they would technically be working for your website, if someone managed to find the certificate(s) and private key(s) for them.

I’ve been digging through what I have on Cloudflare, and also what I have access to on Cloudflare.

Similarly to above, such as numbers #3, #4, #5 and #6, where certificates were issued from three (3) different Certificate Authorities at a time, Cloudflare also issued three certificates like that back in April 2023 for at least one of my zones.

It issued Cloudflare (via DigiCert), Let's Encrypt (E1) and Google Trust Services certificates on the exact same day there.

That specific zone has had its Let's Encrypt and Google Trust Services certificates renewed several times since then, and lately, here in the beginning of December too. The newly renewed/re-issued certificates from the beginning of December are the only two certificates I see in the Dashboard, even though the Cloudflare (via DigiCert) one appears to be valid until April 2024.

The two old certificates from Let's Encrypt and Google Trust Services that Cloudflare used prior to the December renewal/re-issue will be expiring a couple of days into 2024, but haven't been revoked and are completely gone from my view.

According to the elaboration above:

I would simply have left those two certificates, expiring in 2024, within the Dashboard until they had expired (or had been detected to have been revoked).

They could for example have been listed on the Dashboard, with a status like "Previously used certificate, will be removed automatically upon expiration and/or certificate revocation".

Or something similar, however, leaving them like that could also make some people be concerned, or otherwise confused.

It will be very hard (if not even impossible) to find something that actually works for everyone at once. :frowning:

Although I cannot completely deny any relation, I still believe we would have seen a lot of other people being concerned and/or confused too, if these things were related to each other.
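To make the thread's point concrete (a certificate that disappears from a dashboard is still accepted by clients until it expires or is revoked, and repeated re-issuance eats into CA rate limits), here is an added Python example that is not part of this thread and is not Cloudflare tooling. It parses a constructed CSV export in a hypothetical column layout, seeded with the seven certificates and dates listed above for lihj.eu.org (the `revoked` column is an assumption, since the post says none were revoked), and reports which certificates a client would still accept on a given day and how many were issued in the busiest seven-day window. Dashboard visibility is deliberately not an input to the check.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class CertRecord:
    """One certificate as it might appear in a CT log export (hypothetical schema)."""
    not_before: date
    not_after: date
    issuer: str
    revoked: bool


# Constructed sample export. The dates and issuers are the seven certificates
# the thread lists for lihj.eu.org; the "revoked" column is an assumption
# (the post says none were revoked). The column layout is invented for this
# example and is not any CT log's or search tool's real format.
SAMPLE_EXPORT = """\
not_before,not_after,issuer,revoked
2023-01-16,2024-01-15,Cloudflare (via DigiCert),no
2023-09-21,2023-12-20,Let's Encrypt (E1),no
2023-11-01,2024-01-30,Google Trust Services,no
2023-11-02,2024-01-31,Let's Encrypt (E1),no
2023-11-02,2024-10-31,Cloudflare (via DigiCert),no
2023-11-02,2024-01-31,Let's Encrypt (E1),no
2023-12-13,2024-12-12,Cloudflare (via DigiCert),no
"""


def _as_date(day):
    """Accept either a date or an ISO-8601 string such as '2024-02-01'."""
    return day if isinstance(day, date) else date.fromisoformat(day)


def parse_export(text):
    """Parse the CSV export above into CertRecord objects."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append(CertRecord(
            not_before=date.fromisoformat(row["not_before"].strip()),
            not_after=date.fromisoformat(row["not_after"].strip()),
            issuer=row["issuer"].strip(),
            revoked=row["revoked"].strip().lower() in ("yes", "true", "1"),
        ))
    return records


def live_on(records, day):
    """Certificates a TLS client would still accept on `day`: inside the
    validity window and not revoked. Whether any dashboard still lists the
    certificate is deliberately not considered."""
    day = _as_date(day)
    return [r for r in records
            if r.not_before <= day <= r.not_after and not r.revoked]


def expiry_schedule(records, after):
    """(not_after, issuer) pairs for certificates live on `after`, soonest first,
    i.e. when each one will stop being usable without a revocation."""
    after = _as_date(after)
    return sorted((r.not_after, r.issuer) for r in live_on(records, after))


def max_issuances_in_window(records, window_days=7):
    """Largest number of issuances in any window of `window_days` days that
    starts on an issuance date; compare this with the CA's per-domain limit."""
    starts = sorted(r.not_before for r in records)
    best = 0
    for start in starts:
        end = start + timedelta(days=window_days)
        best = max(best, sum(1 for s in starts if start <= s < end))
    return best


def main():
    records = parse_export(SAMPLE_EXPORT)
    for day in ("2023-12-15", "2024-02-01"):
        live = live_on(records, day)
        print(f"{day}: {len(live)} of {len(records)} certificates still live")
        for not_after, issuer in expiry_schedule(records, day):
            print(f"  until {not_after}  {issuer}")
    print(f"busiest 7-day issuance window: "
          f"{max_issuances_in_window(records)} certificates")


if __name__ == "__main__":
    main()
```

Run as-is it shows all seven certificates live in mid-December 2023 and only the two DigiCert-issued ones left in February 2024, with four issuances packed into the first days of November; flipping a `revoked` cell to `yes` is the only edit that removes a certificate from the live set before its `not_after` date. The window count is what to compare against the weekly per-domain limit your CA publishes before toggling Universal SSL again.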

Hi, thanks for your time. I completely understand this.
As I trust Cloudflare, I will simply leave the backup certificates until they expire.

Best.
