I have added a website in the Pro account and changed Name-servers but no SSL

I changed nameservers and now I see traffic recorded on Cloud Flare’s dashboard but no SSL is displaying on the browsers, besides that my main domain is now re-directing to HTTPS and displaying “This page is used to test the proper operation of the Apache HTTP server after it has been installed. If you can read this page it means that the Apache HTTP server installed at this site is working properly.”
I am not seeing any HTTPS on my CNAMES like http://priscilla.nuecards.com/ but my main site is displaying this:
https://nuecards.com/ by typing HTTP I automatically get redirected to HTTPS.

Please help, I am afraid my clients won’t be able to access their sites.

Thank you

Alright, let’s tackle the issues one at a time, starting from the main one which will appear on all subdomains once you fix the second.

This is due to the fact that your server isn’t set-up to accept connections on port 443, where all HTTPS will go by default. To fix this you should set that up and have there a valid certificate (free ones, e.g. Let’s Encrypt, are just fine, as there no reason to pay for SSL anymore). This valid certificate can be also one of Cloudflare’s own Origin Certificates since, even if it will not actually be trusted by browsers, will be trusted by Cloudflare’s servers which should be the only one accessing directly the server.

There is another possibility, but IT IS NOT RECOMMENDED since it will actually not protect the traffic up to your origin server (more info: Why we recommend you don't use flexible!). For this solution go the the Crypto tab in your Cloudflare Dashboard and select “Flexible” in the dropdown at the top. This would be Full or Full (Strict) now.

They are not set-up to redirect to HTTPS. This can be done on your server (you would need to figure it out yourself since it varies wildly depending on server configuration and software stack) or by switch on “Always Use HTTPS” in the Crypto tab of your Cloudflare Dashboard. Be wary of possible Mixed Content issues from resources linked and/or embedded with http:// hardcoded. All URLs should be always as relative as possible to prevent such issues.

1 Like

Thank you Matteo, I do not have access to the server where these sites are hosted(3rd party), they recommended for me to use Cloud Flare.
http://nuecards.com was functioning although not secure. I do not have databases on my hosted sites so it is not a concern if SSL is not dedicated and furthermore I Can not install any certs on the servers (3rd party)
here is snapshot of DNS


and the Crypto:


If I initiate an action and clients lose connection, I will have an angry mob on a Friday night

Thank you for your help

I can confirm the solution would be to do both of the steps above.

Ignore the parts about your server since you can’t access it. With those you would have HTTPS and be the default. I could recommend enabling also Automatic HTTPS Rewrites, it could solve issues it may arise, but there may still be some so check some subdomains at random and confirm they work on HTTPS before the second step above.


This is what worries me because:

  1. it doesn’t matter if you have a database, nuclear launch codes or a simple image. Without SSL anyone, everywhere, extremely easily can inject whatever they want there, from substituting the image to adding a script to mine bitcoin to adding viruses. Whatever. HTTPS must be there for every single resource on the whole path the data takes to ensure data integrity, to leverage new technologies, to improve the speed (HTTP/2 works only on HTTPS, for example). Read more here: https://doesmysiteneedhttps.com/.

  2. whatever host you are using, if in 2019 it doesn’t support HTTPS by default at no additional cost it must be abandoned. Period. You should change host immediately.


Also I would suggest you delete those images of the DNS tab, they show your IP which is best hidden from the public.

Maybe I did a poor job of explaining, it is a platform I use to create my sites, I can use their domain (sub-domains which are HTTPS) but if I decide to use my own domain then I can publish using their hosting or transfer out the code and host it elsewhere. I cannot install a SSL certificate on their servers and that is the issue. So they recommended I use Cloud Flare since it does not require SSL on the host server.

That is why I am having issues.
After looking at my Crypto settings, what steps would you recommend, if any?
I have no choice but to use their platform at this time.

Jeff

Understood, I still stand by my point above. HTTPS should be on everything, regardless of the purpose. 127.0.0.1 or localhost should be the only exception. This is not really the point of the discussion and I can’t force you to do anything, do as you please :slight_smile:.

Follow the instructions above. I have already provided step-by-step instructions.

Matteo,
Your the best, I used the first step…no change but when I added the second step… it worked.

Thank you very much.

Jeff

The first step was to prevent the second step from breaking things. Without it everything would have returned the same page as the main domain did.

This topic was automatically closed after 30 days. New replies are no longer allowed.