Sorry for not providing more info in the original post, but I kept getting this error when submitting my issue: “Sorry, new users can only put 4 links in a post.” So I ended up making dozens of attempts at posting and this is the one that did it.
Here is a more detailed explanation:
We have a web app hosted on Heroku, assigned as proxied CNAMEs on our Cloudflare DNS zones, that is randomly giving us “SSL Certificate Errors” on HTTP calls for the past 6 days, or 502 Bad Gateway errors:
We have contacted Heroku support; here is their response:
“I have thoroughly reviewed this and found no issues on the platform. The certificate appears to be in order. Could you please check with the domain provider to see if there are any ongoing issues?”
Given this answer, and the fact that “502 Bad Gateway” specifically signed as “cloudflare” is documented online to be an internal error from Cloudflare proxies, we contacted Cloudflare, marking our support ticket as a “registrar issue”; here is their response:
“It appears that you may have accidentally picked the wrong category for this issue since you chose a Billing/Registrar case, but your account is a Free account. While we only offer direct support to customers who have a Pro, Business, or Enterprise account, we do offer resources for everyone.”
Since it is pretty clear that this issue is no longer actionable on our side, we are at a loss for solutions.
One of our websites (WordPress) started getting the same issue (it used to work fine). We tried a temporary pause for that domain and everything worked as expected, but the issue returned when we stopped pausing. All of the domain’s CNAMEs are proxied and SSL/TLS is selected as Full Strict. In addition, we tried on Firefox and got the message as in the screenshot, while Edge and Chrome loaded super slowly and then the issue occurred.
Thank you for your help! Here is all the info I could gather.
I tried pausing Cloudflare and could not reproduce any of the errors (“SSL Certificate error” or “Bad Gateway”) when Cloudflare was paused. Doesn’t mean it’s fixed, as the error appears very randomly.
I could not give you a definite answer on whether our app is configured to listen on both 80 and 443 on the origin host, but all I can tell you is that, as user @muonnoi seems to claim as well, we haven’t changed anything related to listening ports or anything major related to HTTP access in the past 5 years, and the error only started to appear in the last 2 weeks.
Yes, the CNAME rules are proxied; they have the little orange cloud. This is what I meant by “proxied CNAMEs”.