Edge Certificate and Trusted CA

I have a domain on CF that has a number of entries proxied. I’ve enabled the universal / edge certificate and now, a new app that connects to the domain is throwing errors due to the TLS / SSL handshake not completing. Researching this has led me to the (possibly wrong) conclusion that the R3 edge certificate is not trusted by all browsers, particularly by Windows clients. This conclusion is based on the host server being unable to browse the site due to an error message that I receive when I try to browse the site on the server:

The security certificate presented by this website was not issued by a trusted certificate authority.

Would upgrading the plan to include the ‘Advanced Certificate Manager’ (ACM) help? This page says the ACM allows you to choose the CA for the certificates, presumably this means that the certificate will no longer be issued by R3 and be rejected?

Is this the best option? I really want to use the DNS proxy but it seems this relies on an edge certificate and the cost of upgrading to the business plan (to use my own certificates) doesn’t seem to be justifiable for this single feature. Am I overlooking something?

Let’s Encrypt recently changed one of its certificates and that actually stopped quite a few services. Are you sure these Windows setups are up-to-date and have the most recent certificates installed? Maybe run Windows Update.

This seems like a plausible solution. When I spoke to our hosting provider, the issue is actually with Fortinet’s firewall. Fortinet acknowledged the issue and is working on a fix.

Back to the original question, I’m wary of relying on Let’s Encrypt; will switching to the Advanced Certificate Manager help reduce reliance on LE? The documentation isn’t very clear on the extent of the functionality available or how I’d request DigiCert as the CA instead of Let’s Encrypt.

With ACM you can choose the CA, which can be LE or DigiCert, but that’s already mentioned at the page you quoted earlier.

However, I am not quite sure it should be really necessary to go for a paid certificate. I’d really check whether the Windows machines have the proper root certificates and update them if that is not the case. The same thing could happen with Digicert.

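An added diagnostic for the advice above, not from this thread: run on the Windows machine that shows the error, it checks whether ISRG Root X1 (the Let’s Encrypt root that signs the R3 intermediate) is in the machine root store, then performs a TLS handshake and prints the chain and validation result exactly as that client evaluates it. The hostname is a placeholder to replace with the proxied name that fails.

```powershell
# Added diagnostic (not from the thread). Assumption: $HostName is a placeholder for
# the proxied hostname that fails; run on the Windows machine that shows the error.
param(
    [string]$HostName = "www.example.com",
    [int]$Port = 443
)

# 1. Is ISRG Root X1 (the Let's Encrypt root above the R3 intermediate) a trusted root here?
$root = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*ISRG Root X1*" } | Select-Object -First 1
if ($root) {
    "Trusted root present: $($root.Subject) (valid until $($root.NotAfter))"
} else {
    "ISRG Root X1 is missing from Cert:\LocalMachine\Root; the root store needs updating"
}

# 2. Perform a TLS handshake and record the chain exactly as this client evaluates it.
$script:report = @()
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:report += "Policy errors: $sslPolicyErrors"
    foreach ($el in $chain.ChainElements) {
        $script:report += ("  {0}`n    issued by: {1}" -f $el.Certificate.Subject, $el.Certificate.Issuer)
        foreach ($s in $el.ChainElementStatus) {
            $script:report += "    status: $($s.Status) - $($s.StatusInformation.Trim())"
        }
    }
    # Return $true so the handshake completes and the diagnosis can be printed; the
    # real verdict is in the policy-error and chain-status lines captured above.
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$ssl = $null
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($HostName)
    "Negotiated $($ssl.SslProtocol) with $HostName"
    $script:report
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

If a firewall performs TLS inspection, the chain printed is the one that device presents rather than Cloudflare’s, which is what the client is actually judging.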

It certainly could happen with Digicert but I suspect it’s far less likely. In any event, I’ll leave things as they are for now and monitor it, thank you for the advice and answer.

Supposedly Cloudflare API v4 Documentation has an undocumented certificate_authority field, which you could try to set to digicert.

Essentially calling that URL with the right parameters and passing

{"certificate_authority": "digicert"}

As mentioned it’s not documented, so I can’t give a guarantee that this will work at all but you might want to give it a try nonetheless.

