DNS Proxy serves expiring SSL cert for subdomain

Answer these questions to help the Community help you with Security questions.

What is the domain name?

http://www.paradiseretreats.com

Have you searched for an answer?

Describe the issue you are having:
When DNS proxy is applied to www subdomain, an expiring SSL certificate (4 days left) is provided by Cloudflare. The Universal SSL certificate was renewed today and is not expiring. The Let’s Encrypt SSL certificate on the server (covers www, stage and naked domain) was renewed today and is not expiring. When DNS proxy is turned off, the correct certificate on the server is used. This certificate has 89 days left. The naked domain and stage subdomain are showing 89 days left on the certificate when DNS proxy is enabled for them. Why is Cloudflare serving the wrong certificate for this specific subdomain (www)? Certificate tests performed with SSL Labs and Nagios.

SSL Labs www: https://www.ssllabs.com/ssltest/analyze.html?d=www.paradiseretreats.com&s=

SSL Labs naked domain: https://www.ssllabs.com/ssltest/analyze.html?d=paradiseretreats.com&s=

What steps have you taken to resolve the issue?

  1. Force renewed Let’s Encrypt certificate on the server
  2. Disabled and reenabled Universal SSL in Cloudflare to issue new certificate
  3. Tested with and without DNS proxy. Confirmed that only a single subdomain is affected.

Was the site working with SSL prior to adding it to Cloudflare?

Have you tried from another browser and/or incognito mode?

Works fine for me now. Could you confirm? :thinking:

Could be some temporary glitch, since at your origin you’ve used LE and the Cloudflare Universal SSL is also using LE.

May I ask if it is like www.sub.example.com? :thinking:

If so, it’s a deep-level sub-domain and for www sub you’d have to use Advanced Certificate Manager to cover 4th level since Universal SSL doesn’t cover it:

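The wildcard rule behind the last reply, as an added example that is not part of the original thread: a `*` in a certificate name stands for exactly one DNS label, so a certificate for `example.com` and `*.example.com` does not cover `www.sub.example.com`. The SAN list and hostnames below are constructed, and the function names are hypothetical.

```python
"""Check which hostnames a certificate's SAN list covers.

A wildcard SAN entry matches exactly one DNS label, which is why a
deep-level name such as www.sub.example.com falls outside *.example.com.
"""


def _labels(name):
    # DNS names are case-insensitive; a trailing dot (root) is dropped.
    return name.rstrip(".").lower().split(".")


def san_matches(hostname, san):
    """Return True if a single SAN entry covers the hostname."""
    host, pattern = _labels(hostname), _labels(san)
    if len(host) != len(pattern):
        # "*" stands for one label only, so the label counts must agree.
        # This rejects both the apex and deeper subdomains for a wildcard.
        return False
    if pattern[0] == "*":
        # Wildcard is honoured only as the whole left-most label.
        return bool(host[0]) and host[1:] == pattern[1:]
    return host == pattern


def coverage(hostnames, sans):
    """Map each hostname to the first SAN entry covering it, or None."""
    return {
        h: next((s for s in sans if san_matches(h, s)), None)
        for h in hostnames
    }


# Constructed sample: an apex plus one-level wildcard SAN list.
SAMPLE_SANS = ["example.com", "*.example.com"]
SAMPLE_HOSTS = [
    "example.com",
    "www.example.com",
    "stage.example.com",
    "www.sub.example.com",
]

if __name__ == "__main__":
    for host, san in coverage(SAMPLE_HOSTS, SAMPLE_SANS).items():
        status = f"covered by {san}" if san else "NOT covered"
        print(f"{host:24} {status}")
```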