How to regenerate my edge certificates

Hello,

Currently some of my sites have Let’s Encrypt certificates, but as the DST Root CA X3 expired in September 2021, some of my users have a problem. Indeed, a lot of users can’t correctly validate these outdated SSL certificates with their old devices. It is not an option for me to ask them individually to fix the problem on their side; it is absolutely necessary to fix it on my side (server side).

If I understand correctly there is a 25% chance to get the Let’s Encrypt certificate: https://developers.cloudflare.com/ssl/ssl-tls/certificate-authorities. Obviously I have no idea of the real percentage of “bad luck” to get this Let’s Encrypt certificate, but as Cloudflare proposes 4 different ones, my calculation is therefore trivial.

I would actually like to have all but the Let’s Encrypt certificate. And this without having to pay for the “Advanced Certificate Manager”, which costs $10 per month. Especially since I have many sites in this situation. And also because I don’t think it’s fair to be forced to pay if you have just a bit of bad luck and receive the bad certificates (please don’t be offended).

I tried the option that consists of disabling Universal SSL for about ten minutes and reactivating it; unfortunately Cloudflare still keeps delivering Let’s Encrypt certificates.

How can I solve my problem? I have already contacted Cloudflare’s support and they tell me that I should contact the community for help.

I know that the first possible workaround is obviously to de-proxy my servers and use another CA of my choice, but I would like to be able to take advantage of Cloudflare’s main function (in my opinion), which is proxying.

Thank you

Hi there,

You can shoot us an email or open a ticket through the dashboard. We’ll then switch your certificate over to our other CA which does not have this issue.

Hope this helps

Edit: Just saw that you have a ticket open already. Can you post the ticket number and I’ll take a look.


Thank you for this quick answer.

I can’t remember having ever opened a ticket using the Cloudflare dashboard, I just created a new one: 2271415.

Edit: I just received an answer from a bot that said it was resolved. But I don’t think it is.

Thank you

Hi, did you get a resolution for this? I’m having exactly the same issue and need the edge certificate to update to the Cloudflare certificate; not sure how to go about this? Does it have to be completed by a Cloudflare admin or do we have the ability to do it via our control panel?

No, I think we need the help of the Cloudflare staff for this. Or else you can pay $10 per month to be able to change it through the Advanced Certificate Manager.


Thanks. Annoyingly though, I can’t open up dialogue with Cloudflare, as I’m on a FREE account, so not sure how that works!!

Out of interest are you using Plesk on your web servers?

Mike

lapa (October 3) wrote:
> No, I think we need the help of the Cloudflare staff for this. Or else you can pay $10 per month to be able to change it through the Advanced Certificate Manager.

Nope, I use a custom service. I’m sorry, I don’t know Plesk.

Btw: Up on my problem :frowning:

Can you look at this ticket as well???

2271463 - SSL Certificate

Hey, up :slightly_smiling_face: @MoreHelp

My ticket number id: 2271463

I’ll take a look at the mentioned ticket and will respond to them in case they haven’t received a reply yet.


On September 30, 2021, the trust anchor used by Let’s Encrypt expired along with the intermediate certificate authorities signed by this anchor.

When those root and intermediate certificates expired, no change or disruption in the TLS termination at Cloudflare’s edge is expected as those anchors are no longer in use.

The reason why some older clients may have seen an expiration warning is that they didn’t have the updated trust anchor installed on their systems and/or didn’t switch to the new trust anchor dynamically. Therefore, they strictly adhered to the outdated trust anchor and showed an expiration warning.

Even though switching zones to our DigiCert CA fixed this issue, we strongly recommend regularly updating the locally installed certificate authorities to prevent similar issues in the future. Most modern operating systems do this automatically.


Hi Tom,

Yes, I’ve seen this, but it doesn’t really answer the question. If using the Cloudflare Edge Certificate resolves the issue, then that is going to be more effective than telling ‘joe public’ to update their OS…

As asked, is there a way we can manually update the Edge Cert, so it automatically uses the CF Service?

Cheers,

Mike

Unfortunately not. That’s why

Hi Tom,

I would, but I can’t actually get on the ‘community’ site, I get white screen of death.

Also, you can submit a ticket on mobile (iOS 14.8 iPhone 8+), because the drop down to ‘select your domain’ doesn’t work. Actually, pretty much nothing works on the site via mobile :thinking:

The domains I need changing are:

rawtrails.co.uk
jabutest.co.uk

Thanks,

Mike

TKlein (Cloudflare Team, October 4) wrote:
> Unfortunately not. That’s why

Yay! Thank you very much!

I know that this problem only happens to my users who have outdated devices, but I can’t do anything about it and I can’t convince them individually to invest or upgrade their system. Especially since it still affects a significant number of people.

Thanks again!

Edit: Have you thought of getting rid of Let’s Encrypt and taking ZeroSSL instead? :slight_smile:

Really sorry to hijack this thread but could I get mine converted too please?
#2273717

Thanks!

I’ll kick this one into the escalation queue as well. Make sure your ticket has a good reason for the request. They’re not regenerating just because the old one doesn’t look good with someone’s ugly Christmas sweater.

Complete change in ticket! See also Expired LetsEncrypt Root Certificate - this can be changed via API:

https://api.cloudflare.com/#universal-ssl-settings-for-a-zone-edit-universal-ssl-settings

curl -X PATCH "https://api.cloudflare.com/client/v4/zones/[zone_id]/ssl/universal/settings" \
     -H "X-Auth-Email: [email]" \
     -H "X-Auth-Key: Global API Key" \
     -H "Content-Type: application/json" \
     --data '{"certificate_authority":"digicert"}'
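The following script is an added example, not code from the thread or from Cloudflare. It does what the thread ends up recommending, end to end: connect to a host as a normal verifying TLS client, read which organisation issued the edge certificate, and, if it is Let’s Encrypt, send the same PATCH as the last post to move the zone’s Universal SSL certificate to DigiCert. Unlike the curl in the thread it authenticates with a scoped API token (`Authorization: Bearer`) instead of the account-wide Global API Key; the assumption that such a token needs the zone’s “SSL and Certificates: Edit” permission is mine. `zone_id`, the token and the hostnames are placeholders, and the certificate dicts in the usage note are constructed, not captured.

```python
"""Check who issued a Cloudflare edge certificate and, if it is Let's Encrypt,
request a switch to DigiCert through the Universal SSL settings endpoint.

Added example, not the thread's own code. Placeholders and assumptions are
marked in comments.
"""
import json
import socket
import ssl
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"


def issuer_field(cert: dict, field: str) -> str:
    """Pull one RDN value (e.g. 'organizationName') out of the 'issuer'
    structure returned by ssl.SSLSocket.getpeercert(): a tuple of RDNs,
    each a tuple of (name, value) pairs."""
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            if name == field:
                return value
    return ""


def is_lets_encrypt(cert: dict) -> bool:
    """True when the leaf was issued by a Let's Encrypt intermediate (R3, E1, ...),
    i.e. the chain leads to ISRG Root X1 and its DST Root CA X3 cross-sign."""
    return issuer_field(cert, "organizationName") == "Let's Encrypt"


def fetch_leaf(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """TLS-connect as an ordinary verifying client and return the leaf cert.
    On a machine whose trust store is stale the handshake raises
    ssl.SSLCertVerificationError, the same symptom the old devices in the
    thread hit; let it propagate so the operator sees it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def build_patch_request(zone_id: str, api_token: str,
                        ca: str = "digicert") -> urllib.request.Request:
    """Build the PATCH from the thread, authenticated with a scoped API token
    rather than the Global API Key. Assumption: the token carries the zone's
    'SSL and Certificates: Edit' permission and nothing broader."""
    body = json.dumps({"certificate_authority": ca}).encode()
    return urllib.request.Request(
        f"{CF_API}/zones/{zone_id}/ssl/universal/settings",
        data=body,
        method="PATCH",
        headers={
            "Authorization": f"Bearer {api_token}",
            "Content-Type": "application/json",
        },
    )


def switch_ca(zone_id: str, api_token: str, ca: str = "digicert") -> dict:
    """Send the PATCH and return Cloudflare's JSON envelope; fail loudly when
    the envelope reports success=false instead of silently continuing."""
    with urllib.request.urlopen(build_patch_request(zone_id, api_token, ca)) as resp:
        result = json.load(resp)
    if not result.get("success"):
        raise RuntimeError(f"Universal SSL PATCH failed: {result.get('errors')}")
    return result


if __name__ == "__main__":
    import os
    import sys
    # usage: python switch_ca.py <hostname> <zone_id>   (token in CF_API_TOKEN)
    host, zone_id = sys.argv[1], sys.argv[2]
    leaf = fetch_leaf(host)
    print(host, "issued by",
          issuer_field(leaf, "organizationName"), "/", issuer_field(leaf, "commonName"))
    if is_lets_encrypt(leaf):
        token = os.environ["CF_API_TOKEN"]  # placeholder: scoped token from the environment
        print(json.dumps(switch_ca(zone_id, token)["result"], indent=2))
    else:
        print("not a Let's Encrypt certificate, nothing to do")
```

Run it once before the PATCH to record the current issuer, and again a few minutes after: Cloudflare reissues the Universal certificate asynchronously, so the second `fetch_leaf` is the actual confirmation that the edge now serves the DigiCert-signed chain. A constructed Let’s Encrypt leaf has `issuer` `((("countryName", "US"),), (("organizationName", "Let's Encrypt"),), (("commonName", "R3"),))`, which `is_lets_encrypt` reports as `True`; a DigiCert-chained Cloudflare leaf carries `organizationName` `Cloudflare, Inc.` and is reported `False`.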
