Do ISPs cache SSL certificate?

Hey folks,

I've got several domains in Cloudflare (love the service, thank you), but I have this weird error today. I moved a site yesterday into Cloudflare (DNS is now resolving to Cloudflare) and gave it an SSL certificate.

However, when I browse to the site, it's still showing me an invalid certificate issued by the host (not the Cloudflare one yet). No matter what browser I use, or if I use “private windows”, I get the old invalid SSL certificate.

Tried all the other stuff like clearing cache and:

chrome://net-internals → DNS → Clear Host cache
chrome://net-internals → Sockets → Flush socket pools

However, if I activate a VPN and browse the site, I see the site working fine with the new SSL cert.

If I deactivate the VPN, I instantly get the old error with the old SSL cert. Activate the VPN again and the SSL cert comes back.

So where is this being cached? The DNS is resolving to Cloudflare already, so why wouldn't the SSL cert?

My PC is not caching it, so does that mean my ISP is caching it? If they do, how long until they update? Thanks in advance for any help.

Your ISP does not cache any SSL cert. But they cache DNS entries and NS entries on their NameServers. So if they still resolve to the old DNS entries you will be welcomed with an SSL error.

This also means that your setup isn’t working properly and you definitely should install an SSL cert on your origin server. Otherwise your setup (even with Cloudflare) is insecure!

Hi,

When I ping the domain, I get a Cloudflare IP back, so it's not the DNS resolving to the old IP.

As mentioned, when using a VPN the SSL cert works, so it's not a problem there either.

Please share your domain so we actually can assist you with debugging.

smartmixtechnologie.co.za

Just checked the domain. All is working fine from here. Can you please share a screenshot of the error you get. And from where you are calling the page.

I bet they’re caching DNS. If you change your router or PC’s DNS to use something like 1.1.1.1 or 9.9.9.9, you’ll probably get better results.


When I ping the domain it resolves though.

Which is Cloudflare.

NetRange: 104.16.0.0 - 104.31.255.255
CIDR: 104.16.0.0/12
NetName: CLOUDFLARENET

I currently use 8.8.8.8 for my DNS, and the domain resolves fine; it's just the certificate that is the error. The domain resolves to a Cloudflare IP.

Can you double check in your browser’s Dev Tools (F12 in Chrome)? In the Network tab, you should be able to click on the homepage URL and see what it’s connecting to.


Please run the command:

nslookup www.smartmixtechnologie.co.za
or
ping www.smartmixtechnologie.co.za

Since you use the www, please also take the www to check against. But you are pinging against smartmixtechnologie.co.za while your website is on www.smartmixtechnologie.co.za.

For me your site is working properly.

Also it would be interesting what SSL exactly gets offered to you. Can you provide us with that info?
Sometimes PCs store old entries or even routers. So please reboot both of them after flushing your local windows DNS cache like this:

ipconfig /flushdns

Then try again.


Thanks for that. Even though I have used 8.8.8.8 and 1.1.1.1 as my DNS servers in Windows 11, it still showed me that it was using the router's DNS :confused:

So I switched to my Linux desktop, and made sure /resolv.conf had the nameserver set to 8.8.8.8, and now it works. It was Windows and my router being weird.

Thanks everyone for the help
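The nslookup check suggested above, and the poster's finding that Windows was still answering from the router's resolver, can be turned into a small offline diagnostic. This is an added example, not code from the thread or from Cloudflare: it parses nslookup-style output (constructed samples with a hypothetical hostname and placeholder IPs), reports when the answering server is not one of the configured public resolvers (8.8.8.8 / 1.1.1.1 from the thread), and flags answers that fall outside the CLOUDFLARENET range 104.16.0.0/12 quoted in the whois output above, since such an answer would send the browser to the old host and its old certificate.

```python
import ipaddress
import re
CLOUDFLARE_NET = ipaddress.ip_network("104.16.0.0/12")  # CLOUDFLARENET, per the whois above
EXPECTED_RESOLVERS = {"8.8.8.8", "1.1.1.1"}             # resolvers the poster had configured

# Constructed output (hypothetical host/IPs, not real records): router answered with a non-Cloudflare IP.
STALE_NSLOOKUP = """\
Address:  192.168.1.1
Non-authoritative answer:
Name:    www.example.invalid
Address:  203.0.113.10
"""
# Constructed healthy case: 8.8.8.8 answers with addresses inside 104.16.0.0/12.
GOOD_NSLOOKUP = """\
Address:  8.8.8.8
Non-authoritative answer:
Name:    www.example.invalid
Addresses:  104.21.7.8
          104.21.7.9
"""

def parse_nslookup(text):
    # Returns (resolver_ip, [answer_ips]) as strings from nslookup-style output.
    resolver, answers, in_answer = None, [], False
    for line in text.splitlines():
        if line.startswith("Name:"):
            in_answer = True          # lines after Name: are the answer section
            continue
        for tok in re.findall(r"[0-9A-Fa-f.:]+", line):
            try:
                ip = str(ipaddress.ip_address(tok))
            except ValueError:
                continue              # label fragments and hostnames are not IPs
            if in_answer:
                answers.append(ip)
            elif resolver is None:
                resolver = ip         # first IP before Name: is the server that answered
    return resolver, answers

def diagnose(resolver, answers):
    # Reasons this lookup could still send the browser to the old host's certificate.
    findings = []
    if resolver not in EXPECTED_RESOLVERS:
        hint = (" (private address, probably the router)"
                if resolver and ipaddress.ip_address(resolver).is_private else "")
        findings.append(f"answered by {resolver}{hint}, not the configured public resolver")
    stale = [a for a in answers if ipaddress.ip_address(a) not in CLOUDFLARE_NET]
    if stale:
        findings.append("answers outside CLOUDFLARENET 104.16.0.0/12: " + ", ".join(stale))
    return findings
```

Feed it the real `nslookup www.<your-domain>` output instead of the constructed samples; an empty findings list means the DNS side is not the cause and the certificate offered by the server is the next thing to inspect.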

Are you saying you have no valid certificate on your server?

In your router you usually can specify the DNS you want to use as well. Please search on the internet how to do this. Then set it to:

  1. IPv4: 1.1.1.1
  2. IPv4: 1.0.0.1
  3. IPv6: 2606:4700:4700::1111
  4. IPv6: 2606:4700:4700::1001

And reboot it. After forcing your router to use Cloudflare's DNS you will not encounter this anymore.

You are welcome.

