I have been having a lot of trouble setting up my Cloudflare DNS and SSL settings. I finally got it to a point where everything works EXCEPT… when I am accessing my email through any client I get this SSL error:
I have Full strict turned on and have loaded the cert to my host (SiteGround).
Can anyone lend a hand?
Your email clients are not happy because you are presenting them with a certificate issued by the Cloudflare Origin CA which is only valid for connections between the Cloudflare proxy and your origin server. You need to configure your MTA to use a certificate issued by a recognized public certificate authority. If you can configure an ACME client to manage a Let’s Encrypt certificate for you, that is a terrific low cost option.
This is the SSL list from my origin server
Does your hosting provider have any support articles that can assist you in configuring your MTA to use one of your Let’s Encrypt certificates?
No and I contacted their support directly and they say it is a Cloudflare problem. (Standard pass the buck).
Do I need to add a CAA DNS record for this to work? And if so, what do I add as the settings (the CAA help files are a tad confusing)?
CAA records exist to restrict what certificate authorities may issue certificates for your domain. I don’t see any for either of the two domains in your screenshot, so you shouldn’t be encountering any issues related to CAA records.
If you are using Siteground, this support article, while a little light on detail, may help you find the right setting.
Thanks, sadly that is of no help as I am already using those settings
I forgot to say thanks for explaining what the CAA is for, it was very appreciated
I did find the solution:
For Siteground there is no wildcard SSL for a domain whose DNS is not hosted by them. So, in order to get the SSL issues to go away you must:
- Create a subdomain of mail
- Add a Let’s Encrypt SSL for this new subdomain
- Set Cloudflare SSL to Full (Haven’t tested Strict yet)
- Make sure the mail DNS record is not proxied (gray cloud)
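An added check, not code from the thread or from Cloudflare or SiteGround, that applies the diagnosis given earlier (a Cloudflare Origin CA certificate presented to mail clients) and verifies the fix above (the mail subdomain presenting a publicly trusted certificate that covers its hostname). The openssl summaries and hostnames below are constructed samples; the optional fetch_summary helper needs network access and the openssl CLI.

```python
import subprocess
from typing import Dict, List

# Issuer markers for Cloudflare Origin CA certificates (assumed wording; the
# thread only states that such certs are trusted solely by the Cloudflare proxy).
ORIGIN_CA_MARKERS = ("CloudFlare Origin", "Cloudflare Origin")

# Constructed sample: what `openssl x509 -noout -issuer -subject -ext subjectAltName`
# prints for an origin-only cert (the broken state from the thread).
ORIGIN_SAMPLE = """\
issuer=C = US, O = CloudFlare, Inc., OU = CloudFlare Origin SSL Certificate Authority
subject=O = CloudFlare, Inc., OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
X509v3 Subject Alternative Name:
    DNS:*.example.com, DNS:example.com
"""

# Constructed sample: a Let's Encrypt cert issued for the new mail subdomain (the fixed state).
LE_SAMPLE = """\
issuer=C = US, O = Let's Encrypt, CN = R3
subject=CN = mail.example.com
X509v3 Subject Alternative Name:
    DNS:mail.example.com
"""

def parse_openssl_summary(text: str) -> Dict[str, object]:
    """Extract issuer, subject and DNS SANs from the openssl x509 summary text."""
    info: Dict[str, object] = {"issuer": "", "subject": "", "sans": []}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("issuer="):
            info["issuer"] = line[len("issuer="):]
        elif line.startswith("subject="):
            info["subject"] = line[len("subject="):]
        elif line.startswith("DNS:"):
            info["sans"] = [p.strip()[4:] for p in line.split(",") if p.strip().startswith("DNS:")]
    return info

def hostname_matches(host: str, pattern: str) -> bool:
    """RFC 6125-style match: a wildcard covers exactly one label left of its base domain."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        return host.endswith("." + base) and host.count(".") == base.count(".") + 1
    return host == pattern

def diagnose(summary_text: str, mail_host: str) -> List[str]:
    """Return the reasons a mail client would reject this certificate (empty list = OK)."""
    info = parse_openssl_summary(summary_text)
    problems = []
    if any(m in str(info["issuer"]) for m in ORIGIN_CA_MARKERS):
        problems.append("issuer is Cloudflare Origin CA: trusted only by the Cloudflare proxy, not by mail clients")
    if not any(hostname_matches(mail_host, san) for san in info["sans"]):  # type: ignore[union-attr]
        problems.append(f"no SAN covers {mail_host}: clients will report a name mismatch")
    return problems

def fetch_summary(mail_host: str, port: int = 993) -> str:
    """Live mode (network + openssl CLI): grab the cert an IMAPS server presents and summarise it."""
    chain = subprocess.run(["openssl", "s_client", "-connect", f"{mail_host}:{port}", "-servername", mail_host],
                           input="", capture_output=True, text=True, timeout=15).stdout
    return subprocess.run(["openssl", "x509", "-noout", "-issuer", "-subject", "-ext", "subjectAltName"],
                          input=chain, capture_output=True, text=True).stdout
```

Run `diagnose(fetch_summary("mail.yourdomain.tld"), "mail.yourdomain.tld")` after applying the steps above; an empty list means the client-facing certificate is no longer the origin-only one and matches the mail hostname.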