If I move my .team domain zone from hosting, to Cloudflare - will I get free SSL?

What is the name of the domain?

top-rated.team

What is the error number?

It’s not error, but working, while I’m attempting to move domain from hosting, to Cloudflare

What is the issue you’re encountering

This hostname is not covered by a certificate: Total TLS error messages · Cloudflare SSL/TLS docs

What steps have you taken to resolve the issue?

I’ve talked to my hosting, and they referred me back to Cloudflare, as they don’t know these things in particular. Just don’t really want to mess with so many DNS records I have to first try to import them, and potentially move them back, if there won’t be SSL.

What feature, service or problem is this related to?

Nameservers

What are the steps to reproduce the issue?

Just initiate moving top-rated.team to Cloudflare NS and see this warning.

Screenshot of the error

From the screenshot your domain is still “pending”. Cloudflare cannot generate certificates until the site’s state is “active” so you need to update the nameservers at your registrar to the 2 allocated Cloudflare ones…
https://cf.sjr.dev/tools/check?ef76930cefe2430d88fdb8c39152837e#whois

You may want to set the DNS records to “DNS only” (or pause Cloudflare) to avoid downtime between changing the nameservers and the issuance of the edge certificate.

Make sure you have working SSL on your origin and use Cloudflare’s “Full (strict)” SSL mode so your site is fully secured.


Thanks for your reply, @sjr. If I change NS to Cloudflare, then hosting won’t provide me SSL. This is why I need SSL on the Cloudflare side. Will it be issued once (or some time after) I change nameservers to Cloudflare, even though I have the free Cloudflare package?

Using Cloudflare SSL to front a non-SSL origin is a bad idea. Connections between Cloudflare and your origin will not be encrypted if you do this, deceiving your users that their connection is secure when it is not.

Consider using a host that can give you SSL on the origin or, if the problem is with certificate generation at their end, you can get an up-to 15-year free origin certificate from Cloudflare (requires use of the proxy).

Or you can use a Cloudflare tunnel on your origin so the unencrypted HTTP traffic is wrapped in an encrypted tunnel.


This is very helpful, @sjr. I now even understand another issue with another domain of mine. Could you please forward me the links about both things to get:

  1. Consider using a host that can give you SSL on the origin or, if the problem is with certificate generation at their end, you can get an up-to 15-year free origin certificate from Cloudflare (requires use of the proxy).

  2. Or you can use a Cloudflare tunnel on your origin so the unencrypted HTTP traffic is wrapped in an encrypted tunnel.

Thanks again!


Hi again @sjr. I was able to solve the issue for the case of VPS. However, I also need to solve the same SSL issue for a couple of other shared hosters.

While I’m still waiting for reply from another one, this is what I have from hyper.host:

  1. This is what they replied about the tunnel solution or the Let’s Encrypt way to go:

I’m afraid it is not possible on shared hosting, and the free SSL certificate is only available if the domain uses our nameservers; otherwise, you need to consider an external SSL certificate. Please check this link: https://cp.hyper.host/order-ssl

  2. And again this is what they replied about your origin CA certificate:

You will need to purchase an external SSL to be able to use it, to be able to use the free SSL you will need to use our nameservers.

Isn’t your origin CA certificate and external enough for this?

Thank you once again for helping me to navigate through all this!

@sjr I mean here are their requirements: Can I install a third-party certificate? | Knowledge base

Won’t it work for origin CA certificate?

Sorry again, I’m asking all this in advance instead of trying it all by myself: just don’t want to move quite a lot of DNS records, as long as they are apparently not detected by Cloudflare while I was trying to switch nameservers.

You should be able to install a Cloudflare Origin CA certificate the same way that you would install a certificate that you purchased from another CA.

Do note that a Cloudflare Origin CA certificate is only trusted by the Cloudflare proxy. This means that direct connection attempts will exhibit an Unknown Issuer warning. That is expected and will not be seen by your visitors as long as your hostname is proxied.
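An added example, not part of the original thread or Cloudflare's own tooling: a pre-cutover check that connects to the origin directly and reports whether its certificate is publicly trusted, chains only to the Cloudflare Origin CA, or is unusable for "Full (strict)". It assumes you have saved Cloudflare's published Origin CA root certificate locally as a PEM file; the script name, function names and arguments are hypothetical.

```python
import socket
import ssl
import sys

def chain_trusted(origin_ip, hostname, cafile=None, port=443, timeout=5.0):
    """Handshake with the origin itself (not via Cloudflare), sending `hostname`
    as SNI. True if the certificate chains to the trust store and matches the
    hostname, False if verification fails. cafile=None uses the system's public
    roots; a path trusts only the roots in that file (assumed: the Origin CA root).
    Connection errors are not swallowed: an unreachable origin raises OSError."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                return True
    except ssl.SSLCertVerificationError:
        return False  # unknown issuer, expired, or hostname mismatch

def verdict(public_ok, origin_ca_ok):
    """Map the two handshake results onto the cases discussed in the thread."""
    if public_ok:
        return "public-ca"   # trusted by browsers with or without the proxy
    if origin_ca_ok:
        return "origin-ca"   # accepted by Full (strict), but only while proxied
    return "untrusted"       # Full (strict) would reject this origin

ADVICE = {
    "public-ca": "publicly trusted; works for DNS-only and proxied records",
    "origin-ca": "Origin CA only; keep the record proxied, direct visits show Unknown Issuer",
    "untrusted": "no usable certificate; fix the origin before enabling Full (strict)",
}

if __name__ == "__main__":
    # Usage (hypothetical file name): python check_origin.py <origin-ip> <hostname> <origin-ca-root.pem>
    ip, host, origin_ca_root = sys.argv[1:4]
    public = chain_trusted(ip, host)
    # Only test against the Origin CA root if the public trust store rejected the chain.
    origin = False if public else chain_trusted(ip, host, cafile=origin_ca_root)
    result = verdict(public, origin)
    print(f"{host} @ {ip}: {result} ({ADVICE[result]})")
```

Running it against the origin's IP address before changing nameservers shows which case applies without touching any DNS records.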
