Edge certificate question

Hi,

I’ve added multiple sites in Cloudflare. When I check them, all of them have a Cloudflare SSL certificate except one. This one is still using the Let’s Encrypt certificate. How can I change this one to also use the Cloudflare certificate authority?

Cheers,
Jaap

So, without knowing more, there could be a few things:

  • record must have CF enabled, not DNS only
  • CF edge certs are wildcards, which only cover a single level of subdomain, so it would cover sub.domain.tld, but not sub.sub.domain.tld. You can change this in the certificate manager, which is an extra subscription

I hope this helps
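
The single-level wildcard rule from the reply above, as an added example that is not part of the original thread. The function names and the sample SAN list are assumptions made for illustration; the hostnames are the ones used in the reply.

```python
# Added illustration: which hostnames a certificate's SAN list covers.
# Rule shown: a "*" SAN label stands for exactly one leftmost DNS label.
# Partial wildcards (e.g. "w*.domain.tld") are treated as literals here.

def _labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.strip().rstrip(".").lower().split(".")


def san_matches(san: str, hostname: str) -> bool:
    """True if one SAN entry covers the hostname."""
    san_l, host_l = _labels(san), _labels(hostname)
    if len(san_l) != len(host_l):
        # A wildcard never spans label boundaries, so label counts must agree.
        return False
    if san_l[0] == "*":
        # Wildcard replaces the leftmost label only; the rest must be identical.
        return bool(host_l[0]) and san_l[1:] == host_l[1:]
    return san_l == host_l


def uncovered(sans: list[str], hostnames: list[str]) -> list[str]:
    """Hostnames that no SAN entry covers."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


# Constructed sample: apex plus one wildcard, the shape the reply describes.
SAMPLE_SANS = ["domain.tld", "*.domain.tld"]
SAMPLE_HOSTS = [
    "domain.tld",
    "sub.domain.tld",
    "SUB.domain.tld.",      # case and trailing dot are normalised
    "sub.sub.domain.tld",   # two levels deep: not covered by the wildcard
]

if __name__ == "__main__":
    missing = set(uncovered(SAMPLE_SANS, SAMPLE_HOSTS))
    for host in SAMPLE_HOSTS:
        print(f"{host}: {'NOT covered' if host in missing else 'covered'}")
```

Feeding it the SAN list read from the certificate actually served for a hostname shows whether a proxied record falls outside the edge certificate.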

Cloudflare use multiple Certificate Authorities. Is the LE cert causing some issue, or is there a reason you need it changed?

@mike8 & @michael thanks for helping :)

  • Records have CF enabled.
  • I don’t have an extra subscription. Also not for the sites where CF is the authority.
  • Since the issues with LE last week it’s not possible to open this specific webshop on older devices. Opening sites where LE is not the authority is no issue.

I’ve compared settings and this site has the same settings as the other sites in CF. The only difference is that it has different hosting. Could that be the issue? All the working sites are hosted on Cloudways. They also use LE but I don’t see it as the authority in CF.

If you are experiencing an issue, you can open a support ticket, and request the CA be changed to DigiCert. Drop the case number on this thread when you have one.

The certificate on the origin doesn’t matter too much as it’s only ever seen in the connection between the origin and Cloudflare. End users will see the certificate from Cloudflare.

You do need the origin cert to be a valid, trusted certificate (commercial or CF Origin Cert) if CF is set to Full (strict), but it could be self-signed if it’s only set to Full.

Also, make sure you’re not using a sub domain of a sub domain.

@michael will open a ticket when it’s possible again. Seems to be an issue opening a ticket at this moment. Not able to deselect ‘My issue is not domain related’ and select a domain.

Do a hard refresh (Shift+F5); that seems to fix it. It’s a weird issue, but when it works no one can reproduce it again.

Hard refresh doesn’t solve the issue. Still not able to log a ticket. Even tried in a different browser with no CF cookies/history. Same issue. Very strange, last week no issues logging a ticket.

You can email [email protected] from the address on your account.

In which case you will have a broken security setup.

Did that but received a reply that email support is not available for customers on my plan type and that I need to try the community. Haha. This is getting silly…

That’s correct, but when you’ve tried on the community and we can’t help, we advise what @michael said earlier:

We can then get it escalated and re-opened.

If they still handle my email it will be ok. Through the website it’s not possible to log a ticket anymore, see Loom | Free Screen & Video Recording Software

When you got the autoreply about plan type, it will have a ticket/case ID. That’s what we need to be able to escalate it.

@domjh @michael the ticketid is #2274089

While you are waiting on the ticket to be addressed, you can try the API to switch CAs:

curl -X PATCH "https://api.cloudflare.com/client/v4/zones/[zone_id]/ssl/universal/settings" \
     -H "X-Auth-Email: [email]" \
     -H "X-Auth-Key: Global API Key" \
     -H "Content-Type: application/json" \
     --data '{"certificate_authority":"digicert"}'