Hi, My SSL universal certificate expired

soroushkamiyab98 · August 21, 2023, 11:03pm

Hi,

My SSL universal certificate expired . I tried to “disable/enable universal SSL”, delete and add the domain again but I don’t see any result.
de.update9.mahurant.ir

Cyb3r-Jak3 · August 21, 2023, 11:36pm

This domain isn’t using Cloudflare DNS Record. You need to renew the certificate on the host

soroushkamiyab98 · August 22, 2023, 7:10am

How do I do this??
Do you name server?
I change dns to 1.1.1.1!!

epic.network · August 22, 2023, 1:24pm

That is a resolving nameserver and has nothing to do with your domain. Even if you add your domain to Cloudflare, you need a certificate on your origin server. You need to fix that with your host first.

soroushkamiyab98 · August 22, 2023, 1:47pm

I created a new subdomain and got a certificate.
I have 10 subdomains, all of which have certificates
But this subdomain has a problem

epic.network · August 22, 2023, 1:52pm

I see Cloudflare nameservers on your domain.

domain:		mahurant.ir
ascii:		mahurant.ir
nserver:	blair.ns.cloudflare.com
nserver:	michael.ns.cloudflare.com

Your subdomain is too deep for universal SSL.

sandro · August 22, 2023, 1:53pm

The proxy certificate could still be fixed, but that won’t fix the server certificate of course

epic.network · August 22, 2023, 1:57pm

To emphasize the point @sandro is making, you need to have a valid certificate on your origin server. Fix that at your host before you worry about Cloudflare.

soroushkamiyab98 · August 22, 2023, 2:16pm

All my subdomains are deep

And two days they got certificate.

de.update10.mahurant.ir
Check it

epic.network · August 22, 2023, 2:20pm

That name is also too long for Universal SSL.

Not from Cloudflare. If you look at the IP of that name, it is not proxied. The certificate is on your origin server. You need to obtain the certificate for your new subdomain the same way you did for this one.

soroushkamiyab98 · August 22, 2023, 2:39pm

Do you mean that my certificate is from Hetzner?

soroushkamiyab98 · August 22, 2023, 3:04pm

But I don’t think
so, my deep subdomains got a certificate from Cloudflare with proxy ON.
I create subdomain with the proxy off. Is it not possible to activate it manually for me?
I think this is a bug

sandro · August 22, 2023, 3:13pm

The whole thing is not Cloudflare related in the first place. @Cyb3r-Jak3 already mentioned how to address this, contact your host.

epic.network · August 22, 2023, 3:24pm

Your certificate is from Let’s Encrypt. It is on your server at Hetzner. You are not using the Cloudflare proxy, ergo it is not possible for you to have a certificate from Cloudflare.

It is not a bug.

If you have an Advanced Certificate Manager subscription on your domain, it is possible, but again, you still need a certificate on your Hetzner server. You have one your other domain. If you don’t know how you obtained it, then you may want to

There is nothing more that Cloudflare or the Community in provide in this matter.

RyderCragie · August 22, 2023, 4:07pm

Cloudflare sits on top of your origin server if the DNS record is proxied. In this case, you will have a certificate from your origin server and also from Cloudflare. So you will have 2 SSL certificates, which is pretty much required for the Cloudflare proxy to work properly.

If you do not have the DNS record proxied, Cloudflare cannot get involved at all and you will only have a certificate from your origin server.

Note that Universal SSL won’t cover subdomains that are too deep. So if you would like it proxied, you’ll need to buy Advanced Certificate Manager and fix your origin server SSL.

If you don’t want it proxied/don’t want to use it with Cloudflare, disable the proxy altogether and fix your origin server SSL.

There are some insecure methods too, but they don’t need to be covered.

Hope this helps.

epic.network · August 22, 2023, 4:23pm

Other than this misnomer, you have provided a thorough summary. While I know that you understand it, I will elucidate for the benefit of the reader who does not.

The certificate on the origin server encrypts the traffic between the Cloudflare proxy and the origin server, while the edge certificate only encrypts traffic between the Cloudflare proxy and the visitor, so there is no double encryption happening.

sandro · August 22, 2023, 4:32pm

True, and for that reason - and for being a legacy setting - doesn’t even need to be discussed.

As mentioned, the whole thing is not a Cloudflare issue and @Cyb3r-Jak3 summarised already what the OP needs to do.

RyderCragie · August 22, 2023, 4:43pm

Fixed. What I meant was technically correct with context. It’s double layered because there are 2 certificates (2 being double what you’d have if it was just your origin server and no proxy).

So there’s double/2 certificates, but yes you’re right when you say no double encryption. I didn’t mean double in that sense. Maybe a misunderstanding of what I meant there?

I’ve edited my reply to avoid people assuming that’s what I meant, as it’s kind of implying that I guess depending on how you read it.

Maybe you’re right. But I wanted to at least give the option.

Correct.

I know, but I felt like getting involved as I’m allowed to.

sandro · August 22, 2023, 4:45pm

No offence, but I’d argue it’s not much of an option. It will only make the site insecure and drop proper encryption.

RyderCragie · August 22, 2023, 4:47pm

Fixed.