Domain fails with https, works with http

Dear All,

I’m new to Cloudflare: I just moved my domain here and moved my WordPress blogs to a VPS. On the VPS side I use Nginx Proxy Manager (NPM) to serve the various services.

What works so far:

  1. All subdomains work correctly, i.e. diy.viktak.com
  2. The main domain (i.e. viktak.com) works when entered as http://viktak.com

What doesn’t work:

  1. The main domain (viktak.com) when entered as https://viktak.com.

I am getting Error code 526 - Invalid SSL certificate

My DNS settings are as follows (in Cloudflare):

The SSL mode is Full (strict).

I’m sure it’s something simple that escapes me…

Any pointers would be much appreciated!

vitya

They are all returning a 526 error when I visit with a browser or curl; clear your browser cache or use incognito to check.

What I see is that the naked domain and any subdomain are being redirected to another domain when requested using http://.

So it seems that you need to fix your SSL certificate at the origin to avoid the 526 error. Only after this is fixed will the redirect work for requests with https://.

1 Like

Thanks for the quick reply!

Hmmm, it is strange…
This is what I can see:

  1. Browsing to diy.viktak.com with Firefox and Brave (both incognito) and from different computers works correctly, I can even edit pages on my blog, so it definitely doesn’t come from cache.
  2. curl -o - diy.viktak.com returns this:
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>openresty</center>
</body>
</html>

I just tried browsing to the blog from a different country, and it also works…

Made a mistake with curl earlier…

curl -o - http://diy.viktak.com produces:

<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>openresty</center>
</body>
</html>

but curl -o - https://diy.viktak.com produces the full page correctly:

<!DOCTYPE html>
<html lang="en">
<head>
<meta name="viewport" content="width=device-width, user-scalable=yes, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta charset="UTF-8">
<link rel="profile" href="https://gmpg.org/xfn/11">
<link rel="pingback" href="https://diy.viktak.com/xmlrpc.php">
<title>Viktor&#8217;s DIY Blog &#8211; beep&#8230; beep&#8230; blink&#8230; blink&#8230;</title>
.
.

and so on....

When you said all subdomains work correctly, you gave diy. as an example. I hadn’t even tried it, instead I tried sub. and any. as subdomains, since you have a CNAME for *, both returning 526. Have you installed a certificate that specifically covers diy. but not other subdomains?

~$ curl -sIo - https://any.viktak.com
HTTP/2 526
date: Thu, 29 Jun 2023 15:11:15 GMT

Yeah, well, maybe I wasn’t clear on this, sorry about that.
Indeed I have a * CNAME.

At the beginning, I did have a certificate installed for diy.viktak.com, but I soon replaced it with a *.viktak.com one. For the past few hours this is the only one I have installed in NPM:

curl -sIo - https://diy.viktak.com works as well:

curl -sIo - https://diy.viktak.com
HTTP/2 200
date: Thu, 29 Jun 2023 15:21:38 GMT

This seems to be the one in place now, but strangely enough, some subdomains are returning 526, while diy. is not:

*  subjectAltName: host "diy.viktak.com" matched cert's "*.viktak.com"
HTTP/2 404

*  subjectAltName: host "any.viktak.com" matched cert's "*.viktak.com"
HTTP/2 526

Hopefully other members of this community with SSL expertise will help you figure it out.

Thank you for your efforts though!!

1 Like

Well, I tried to switch the encryption mode to Full (instead of Full-Strict) and all is fine and dandy:

This is interesting to me, as the certificate I use is NOT a self-signed one. Maybe it’s a quirk on the Cloudflare side… Maybe it just needs some time… Anyway, I’ll leave it like this for the time being as it seems to be working, but I would appreciate some explanation from someone knowledgeable on this issue as I would like to understand it…

1 Like

Actually, now that I left it like that overnight, it is still not working…

So if anyone has any better ideas, please don’t hold back!!! :)

Afraid that is a rather bad switch, as you dropped all encryption. Switch back to Full Strict and fix your server certificate.

1 Like

You are 100% correct. I already changed it back to Full (Strict).
I also figured out how to do it (mostly). The only thing left is to get Nginx Proxymanager to display the right thing when someone is looking for a subdomain that doesn’t exist.
Once I figure it all out, I will document everything and update it here as well.

2 Likes
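A 526 under Full (strict) means Cloudflare could not validate the certificate the origin presented for the requested hostname. The small diagnostic below is an added example, not anything posted in the thread: it reproduces the hostname matching rule a validator applies to a certificate's SAN list (a `*.viktak.com` wildcard covers `any.viktak.com` but not the bare `viktak.com`, which is the first thing to check when the apex is the host returning 526), and it probes the origin directly with SNI so you can see which names fail the same check. The origin address `ORIGIN_IP` is a placeholder you fill in; the hostnames are the ones from the thread.

```python
"""Check which hostnames an origin certificate actually covers (added example)."""
import socket
import ssl

HOSTNAMES = ["viktak.com", "diy.viktak.com", "any.viktak.com"]   # names from the thread
ORIGIN_IP = "203.0.113.10"   # placeholder (documentation range); use your VPS address


def san_matches(san_name: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' stands for exactly one leftmost label and
    never for the apex, so '*.viktak.com' does not cover 'viktak.com'."""
    san_name = san_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san_name.startswith("*."):
        return san_name == hostname
    suffix = san_name[1:]                     # ".viktak.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]          # the part the '*' would stand for
    return bool(label) and "." not in label


def cert_covers(san_names, hostname: str) -> bool:
    """True if any SAN entry matches the hostname."""
    return any(san_matches(n, hostname) for n in san_names)


def probe_origin(origin_ip: str, hostname: str, port: int = 443):
    """Handshake straight to the origin (bypassing Cloudflare) with SNI set to
    `hostname`, using the system trust store like Full (strict) does.
    Returns (dns_sans, error): a verified cert's DNS SANs, or the verify error."""
    ctx = ssl.create_default_context()
    with socket.create_connection((origin_ip, port), timeout=5) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return sans, None
        except ssl.SSLError as exc:          # wrong name, expired, untrusted, self-signed
            return [], str(exc)


if __name__ == "__main__":
    for host in HOSTNAMES:
        sans, err = probe_origin(ORIGIN_IP, host)
        verdict = "OK" if err is None and cert_covers(sans, host) else "526 expected"
        print(f"{host:<18} {verdict}  SANs={sans or '-'}  {err or ''}")
```

Run it from any machine that can reach the origin port directly; a line reporting a verify error for `any.viktak.com` but not for `diy.viktak.com` means the proxy is serving a different (default) certificate for names that have no proxy host, while an error on `viktak.com` alone points at the wildcard not covering the apex.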
