Everything works under "FULL" but not "Strict"

I had everything set up with my domain set to https://thebiermans.net. Then last night I decided to move it to https://www.thebiermans.net.

  • It seems I have the forwarding, etc. right.
  • I set my origin certificates to *.thebiermans.net, thebiermans.net, www.thebiermans.net (3 hosts) (I wasn’t sure “www” was necessary but leaving it off didn’t seem to help either.)
  • I also uploaded the Cloudflare Origin CA root certificates to my origin web server, firebase.
  • I put both the origin certs and the Cloudflare certs in the home base directory in firebase where I am hosting the site.

Everything works great if I set my SSL mode to “Full” but not if I set it to “Full (Strict)”. Am I just not being patient enough? Does it take longer than I thought to propagate?

Which error do you get? Are you sure the origin certificates have been properly loaded by your webserver?

Should you feel comfortable sharing your IP address here, please do so.

Error 526 Invalid SSL certificate

Your origin server does not appear to have a certificate installed for your zone (or it is not configured correctly).

curl -Ikv https://www.thebiermans.net --resolve www.thebiermans.net:443:your.origin.ip.here

shows a firebase cert.

That suggests an invalid certificate. Double check that.

How do I confirm or fix the configuration? As I understand it, the cert problem is between Cloudflare checking with firebase. I don’t see any way to configure that other than putting it in the root directory.

I named the certs I downloaded from Cloudflare,

  • thebiermans.net.key
  • thebiermans.net.pem

Should they be

  • www.thebiermans.net.key
  • www.thebiermans.net.pem

If you don't share the IP address it is impossible to say anything else, but - as mentioned originally - it would seem as if your server does not have a valid certificate. You need to fix that first.

The IP is ....

Maybe the cert on Firebase hasn’t been generated or updated yet. Perhaps I have to be patient. There’s no settings or anything I can change there, unfortunately.

That's not your IP, that's Cloudflare’s.

Right, sorry. The A record is ...

All right, you can remove the post, or edit out the address, at this point.

Yes, the certificate is invalid. It is issued to Google and for firebaseapp.com and not your domain.

I can't tell which server software you are using there, but you need to make sure the certificate has been properly loaded.

I think I found the answer. I needed to update some TXT records they use to prove you own the domain and then in <=24 hours the cert will be regenerated. So I guess I have to sit tight. At least it looks like the resolution is in process.
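As an added example, not something posted in the thread: a Python model of what “Full” versus “Full (Strict)” checks on the origin certificate, including the hostname-matching rule that decides whether a wildcard such as *.thebiermans.net covers the apex name. The certificate details are constructed; nothing here connects to a server.

```python
# Added example: models Cloudflare's SSL-mode checks on the origin
# certificate. Certificate data below is constructed, not captured.
from datetime import datetime, timezone

def cert_covers(san_names, hostname):
    """RFC 6125-style match: a wildcard covers exactly one leftmost label,
    so '*.thebiermans.net' covers 'www.thebiermans.net' but not the apex."""
    host = hostname.rstrip(".").lower()
    for name in san_names:
        name = name.rstrip(".").lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            label, parent = host.split(".", 1)
            if label and parent == name[2:]:
                return True
    return False

def origin_check(mode, cert, hostname, now=None):
    """Return (ok, reason) for an SSL mode and the certificate the origin
    presents; cert is a dict with sans, issuer, not_after, trusted."""
    now = now or datetime.now(timezone.utc)
    if mode == "flexible":
        return True, "HTTP to origin; certificate not used"
    if cert is None:
        return False, "origin did not present a certificate"
    if mode == "full":
        # Full only requires TLS; any certificate is accepted unvalidated.
        return True, "certificate presented but not validated"
    if mode == "full_strict":
        if not cert["trusted"]:
            return False, f"issuer {cert['issuer']!r} is not trusted (526)"
        if cert["not_after"] <= now:
            return False, "certificate has expired (526)"
        if not cert_covers(cert["sans"], hostname):
            return False, f"certificate does not name {hostname} (526)"
        return True, "trusted, unexpired, and covers the hostname"
    raise ValueError(f"unknown SSL mode {mode!r}")

def sample_certs():
    """Constructed certificates: the Firebase default seen in the thread and
    a Cloudflare Origin CA certificate issued for the zone."""
    far_future = datetime(2099, 1, 1, tzinfo=timezone.utc)
    firebase = {"sans": ["*.firebaseapp.com", "firebaseapp.com"],
                "issuer": "public CA (Google)", "not_after": far_future, "trusted": True}
    origin = {"sans": ["*.thebiermans.net", "thebiermans.net", "www.thebiermans.net"],
              "issuer": "Cloudflare Origin CA", "not_after": far_future, "trusted": True}
    return firebase, origin
```

The names that matter are those inside the certificate's Subject Alternative Names, not the file names the key and .pem are saved under; the curl --resolve command earlier in the thread prints what the origin actually serves.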
