How to stop Cloudflare from issuing SSL certificates on my behalf?

This question seems related to Revoke and prevent the issuing of certificates

Cloudflare’s Certificate Transparency Monitoring repeatedly reports to me that Cloudflare is issuing SSL certificates on behalf of my domainnamex.tld (and all subdomains by wildcard). I don’t want Cloudflare to falsely represent itself as my domain in this way.

Things I checked:

  1. The Edge Certificates list is empty.
  2. Universal SSL is disabled.
  3. Connections between Cloudflare and the origin servers use Full (strict) SSL mode.
  4. Origin Servers use a valid certificate from a trusted CA.
  5. Always Use HTTPS is ON - this could be the reason Cloudflare needs a certificate for my domain if the https connection to the client is terminated on Cloudflare’s servers instead of the origin servers as might be the case if the domain is proxied/orange clouded.
  6. HSTS is ON for base domain - same as point 5.

Concluding: some settings could explain that Cloudflare needs an SSL cert to represent domainnamex.tld (but not *.domainnamex.tld, like the Cloudflare-issued cert shows!), but the UI fails to show me this certificate at all; it’s hidden from me! The UI also doesn’t give me any pointers to the features I need to sacrifice to be able to remove/revoke this certificate. The fact that certificate renewal only happens every 3 months makes it hard to debug/resolve quickly.

My goal for this private domain:

  1. let Cloudflare provide some DNS protection - preventing prying eyes from listing all DNS subdomain records.
  2. reduce the attack surface - by redirecting traffic from the base domain (domainnamex.tld) to a similarly named domain name (domainname.tld - to which I’m not related at all), pretending to the world that domainnamex.tld is just an empty domain name used for typo redirection.
  3. for myself: use unproxied subdomains to access my personal services directly (which each have their own valid certs, geo-fencing etc.)

Hi @user_5D9jCg,

If you have any proxied (orange cloud) hostnames and your SSL/TLS mode is not “Off”, then Cloudflare will need a certificate for your site to work.

That is exactly what happens: the Cloudflare cert encrypts the connection between the visitor and Cloudflare, and the one on your server encrypts the connection between Cloudflare and your server.

It sounds like you just want to use Cloudflare for DNS and don’t want to enable any of the other features.

Cloudflare by default issues the free Universal certificate, which covers the root domain and all first-level subdomains; if you want to change that, you need to purchase the Advanced Certificate Manager add-on.

One thing to double check in addition to @domjh’s tips - do you have AMP Real URL enabled?

https://dash.cloudflare.com/?to=/:account/:zone/speed/optimization

This requires Cloudflare to issue an SXG certificate for your domain.

Thanks for the awesome fast feedback guys!

@domjh: I have disabled proxied mode for the appropriate two DNS entries:

CNAME (flattened): domainnamex.tld > domainname.tld
CNAME: www > domainnamex.tld

I use Cloudflare’s “rules” to redirect traffic to domainname.tld, because that target webserver won’t serve its pages just by IP; it needs to match the requested domain name. This redirect works for http requests but (I guess obviously) not for https. Not a big issue if it cannot be helped, but I’m keen to know if there’s a way to redirect https requests too (without making Cloudflare issue certs, haha, I’m wanting the impossible I think).

@Simon: good addition, this was indeed enabled so I toggled it right away.

Let’s see in 3 months if this has helped. Thanks again!

If you have the records unproxied, all traffic will go straight to your server. No redirects you configure at Cloudflare will take effect.

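The two facts driving this thread are that a proxied (orange cloud) hostname resolves to a Cloudflare edge address and is therefore served with a certificate Cloudflare holds for the zone (the apex plus the `*.zone` wildcard that Universal SSL covers), while an unproxied record resolves straight to the origin and gets whatever the origin presents. Below is an added example, not code from the thread or from Cloudflare, that checks both sides: whether an IP sits in Cloudflare's edge ranges, and what a served certificate covers and who issued it. The IPv4 range list is a snapshot of Cloudflare's published list (https://www.cloudflare.com/ips-v4) assumed current when written, the certificate dicts used in the checks are constructed to mimic `ssl.SSLSocket.getpeercert()` output, and `live_check` assumes a two-label zone name when deriving the zone from a hostname.

```python
"""Check whether a hostname still terminates TLS at Cloudflare's edge.

Offline helpers that work on data you already have (resolved addresses,
a certificate dict), plus live_check() to gather that data for one name.
Added example; not the thread's or Cloudflare's own code.
"""
import ipaddress
import socket
import ssl
import sys

# Snapshot of Cloudflare's published IPv4 edge ranges
# (https://www.cloudflare.com/ips-v4). Assumed current when written;
# refresh from that URL before relying on it.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
_CF_NETS = [ipaddress.ip_network(r) for r in CLOUDFLARE_IPV4]


def is_cloudflare_edge(ip: str) -> bool:
    """True if ip is inside a Cloudflare edge range, i.e. the record is proxied."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _CF_NETS)


def _san_names(cert: dict) -> list:
    # subjectAltName is a tuple of (type, value) pairs in getpeercert() output
    return [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]


def _issuer_org(cert: dict) -> str:
    # issuer is a tuple of RDNs, each a tuple of (attribute, value) pairs
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def describe_cert(cert: dict, zone: str) -> dict:
    """Summarise what a leaf certificate says about `zone`.

    `cert` is the dict form produced by ssl.SSLSocket.getpeercert().
    A Universal SSL certificate covers the apex and the first-level wildcard,
    so wildcard_for_zone=True is the tell the original poster saw in CT logs.
    """
    zone = zone.lower().rstrip(".")
    sans = [n.lower() for n in _san_names(cert)]
    return {
        "issuer_org": _issuer_org(cert),
        "sans": sans,
        "covers_apex": zone in sans,
        "wildcard_for_zone": f"*.{zone}" in sans,
    }


def live_check(hostname: str, port: int = 443) -> dict:
    """Resolve hostname, classify each address, and inspect the served cert."""
    ips = sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, port, socket.AF_INET)})
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    zone = ".".join(hostname.split(".")[-2:])  # assumption: two-label zone
    return {
        "addresses": {ip: is_cloudflare_edge(ip) for ip in ips},
        "certificate": describe_cert(cert, zone),
    }


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} hostname")
    print(live_check(sys.argv[1]))
```

If every address for a name comes back as a Cloudflare edge, the record is still proxied regardless of what the dashboard's certificate list shows, and a served certificate whose SANs include `*.zone` is the Universal certificate rather than the origin's own. Run `live_check` on each record you expect to be grey-clouded before waiting out a renewal cycle.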

I’m pretty sure that’s it - so I am going to toggle the solution on that reply. Do let us know if it doesn’t help though.


Yeah, I think I had it proxied in the first place just to be able to do that redirect properly. If a request to domainnamex.tld makes all traffic go straight to the webserver of domainname.tld, which is not configured to host domainnamex.tld, any visitor will see an error instead of silently being redirected to that domain.

I’ll do some more tweaking to see if redirecting http only (to prevent Cloudflare from issuing certs for https) is a workable option. Time will tell if disabling AMP Real URL did any good.

This is likely not a great idea; a user using https:// will get a failure, and with browsers moving toward defaulting to https (preferentially at first, but possibly completely unless the user manually types http:// at some point), you’d be heading towards a broken configuration in the near future even if it works right now.