HSTS error but SSL and HSTS are enabled

Security
#1

Hello, i have searched for solutions before posting my problem here (nothing helped)

I accidentally deleted all files on my domain, after that my website is inaccessible (i removed it from panel and added again)
Also changed SSL, re-enabled HSTS and re-issued certificates

image
image761×592 24.9 KB

HSTS error on new domain with new SSL
#2

Also image from browser:
image

#3

That error indicates that you are using a Cloudflare Origin certificate on a hostname which is :grey: on the DNS dashboard. Set it to :orange:, and make sure your SSL mode is set to Full (Strict) on the SSL/TLS tab on the dashboard.

1 Like
#4

I cannot find any :grey: in DNS tab

#7

I’m not seeing a certificate error for your domain, but www returns a 503 error, so the site is not working as expected.

The ftp, mail, pop and smtp names need to be :grey: or they will not work. Also, you have two MX records pointing at the same origin, so you should delete the one with priority 20.

#8

How i can change status of record?

#9

I don’t know how to do that and I’m not seeing any :grey: here

#10

Please help :sob:

#11

Go here: https://dash.cloudflare.com/?to=/:account/:zone/dns

#12

I already, i don’t see any :grey: on that page, also i can’t change status of record

#13

I don’t know how to do that, that’s my problem

#14

What i actually see, is:

IMG_20210328_155758
IMG_20210328_1557581080×1190 262 KB

#15

Then I believe the DNS resolver used by your ISP has outdated information.

Change it to something like 1.1.1.1 or 8.8.8.8.

#16

Hello,

I’ve added new domain with hosting panel, also added it on cloudflare, created new ssl and applied it to domain
After 2 days:

image
image753×574 24.4 KB

#17

Website was working normally hour ago
image

#18

image
image853×364 16.3 KB

#19

Looks good to me.

You may have a locally cached DNS entry, or have gone :grey: briefly during your testing.

FYI: You need to set your HSTS max-age to 1 year to add to the HSTS preload list.
And the DNS entries for ftp, pop, mail and smtp need to have their proxy status set to DNS Only :grey: or those protocols will not work.

2 Likes
#20

Ok, will try that, thanks

#21

Oh, i’ve checked website from mobile, i have cached DNS because website works normally on other devices, i’m right?

#22

For me it seems something is wrong with your NameServer propagation:

Somewhere its:

Somewhere:

and somewhere:

Thats why everyone here and every test is inconsistent as everyone could technically use different NameServer as they are not fully propagated or not correct propagated

Note:

for me the same error appears as for me I do get the russian NameServer and therefore its showing the CloudFlare Origin Cert which is not valid publicly.

2 Likes