Dreamhost stuck using Full and not Full (strict)?

Dreamhost allows you to obtain a Let’s Encrypt SSL cert directly from their custom admin panel; however, whenever I use Full (strict) on Cloudflare, I get an Error 526 from Cloudflare saying there’s an invalid SSL certificate:

The SSL certificate presented by the server did not pass validation. This could indicate an expired SSL certificate or a certificate that does not include the requested domain name.

According to one of your KB articles it also explains the error: https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean-

Choose “Full” if you have a self-signed SSL certificate, and choose “Full (strict)” if you have a valid SSL certificate.

Only when I use Full rather than Full (strict) can I access the site. Since the site only works when it’s on Full and not Full (strict), then does that mean Dreamhost’s Let’s Encrypt SSL cert is invalid?

All your information is correct. You should be able to use Full (Strict).

It’s been a while since I’ve used Dreamhost, but do they show a status for the certificate?

As a test, if you :grey: your DNS entry here and visit your site, you should see the valid Let’s Encrypt certificate with :lock:.

Okay I think it’s a case of Dreamhost taking its sweet time to generate the LE Cert. Originally, the only way I could access the site was if I had Cloudflare on with the Crypto setting at Full. This helped support the hypothesis that the LE Cert was not available.

After getting your reply I went and checked it and the cert was showing in their dashboard, key and all. I did a whole test again, Cloudflare proxy on and off and discovered when it was off this time, I was receiving the actual LE Cert, and when it was on, I was receiving the Cloudflare cert. I was even able to switch between Flexible, Full, and Full (strict). I had a feeling that it was because it was never generated - but what made me confused is that I contacted their chat support, and maybe they didn’t even check, but they recommended that I specifically use Full and not Full (strict) without even a bat of an eye.

But then I was checking my email and saw that the notification for the cert generation didn’t come in until 7:54PM EDT so that further verified that the support agent was being lazy and Dreamhost just takes a long ■■■ time to generate the LE Cert.

Sorry that was long winded but just wanted to walk through the debugging steps. But thanks for validating my hypothesis because I thought I was going crazy.
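An added example, not part of the original posts and not Cloudflare's or Dreamhost's code: a Python version of the proxy-off test described in the thread, which handshakes with the origin directly and reports the causes the Error 526 text names (expired, hostname not in the certificate) plus an untrusted or self-signed issuer. The function names and `SAMPLE_CERT` are constructed for illustration, and the checks only approximate what Full (strict) validates.

```python
import socket
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "notBefore": "Jun 10 00:00:00 2024 GMT",
    "notAfter": "Sep 08 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

def covers(cert, hostname):
    """True if a DNS subjectAltName entry in the cert dict matches hostname."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern == host:
            return True
        # A wildcard stands for exactly one left-most label.
        if pattern.startswith("*.") and host.partition(".")[2] == pattern[2:]:
            return True
    return False

def strict_problems(cert, hostname, now=None):
    """Return the reasons the cert would be rejected; an empty list means none found."""
    now = time.time() if now is None else now
    problems = []
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if not covers(cert, hostname):
        problems.append("hostname not in certificate")
    return problems

def probe_origin(origin_ip, hostname, port=443, timeout=10):
    """Handshake with the origin itself (no proxy), sending hostname as SNI."""
    ctx = ssl.create_default_context()  # system CA store; chain and dates are verified
    ctx.check_hostname = False          # hostname coverage is reported by covers() instead
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return strict_problems(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as err:
        # Self-signed, untrusted issuer or expired: OpenSSL's own message says which.
        return [err.verify_message]
```

Call `probe_origin` with the origin server's IP address from the hosting panel and the site's hostname; an empty list means the origin is already serving a certificate that passes these checks, so a pending Let's Encrypt issuance shows up as a non-empty result.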
