Invalid certificate error after switching from AWS to Cloudflare

After switching to Cloudflare DNS, I got an invalid certificate message when I tried to access my website.
More precisely, this is the message I got. It seems that my app is expecting my website's normal SSL certificate and can't recognize the SSL cert issued by the Cloudflare CDN server: the certs sent out by the Cloudflare CDN have ssl953255.cloudflaressl.com, which is not recognized by my app since it is expecting the normal SSL cert sent from my website and not one with "cloudflaressl.com". How should I solve this? Please help.

regards,
richard

On the Crypto tab of the Dashboard, what does it say beside: Universal SSL Status?

It should look like this:



It is showing a green dot and "Active Certificate". Was it failing because in the beginning the Universal SSL status was not ready? Because it says it can take up to 24 hours after the site becomes active before certs are issued. I have already switched the DNS back to our AWS DNS service. If I switch it again now, will this "invalid certificate" error come back?

thanks,

richard

Cloudflare certificates typically have your domain not in the CN but among the SANs. Check if your client actually supports that.

What's your domain?

Hi Cloudflare,

Our domain is .legion.work and it failed to access enterprise.legion.work.

regards,

richard

Cloudflare issued a proper wildcard certificate for you, so the host in question should work. That is of course only if your client takes SANs into account.

These Cloudflare certificates are for communication between the cdn and the client. They don’t have to be installed in the client or the webserver, is that correct?

regards,

richard

True, they can't be installed on the server at all; they only stay within Cloudflare. Cloudflare's origin certificates could be used for that purpose.

I recall that there is a short period of time between when the zone is added to the account before a “real” certificate is issued. It is possible that you encountered the error as your Universal SSL certificate was not yet active.

As Sandro has said, if your client does not support SANs you are in trouble. The Common Name (CN) is no longer required, according to the Baseline Requirements it is:

Deprecated (Discouraged, but not prohibited)

Certificates for your zone were issued on 17th June at approx. 21:36:30 UTC (according to crt.sh). Does that match the time you saw the error, which is just before you started this thread?

I see on the CRT logs that you had certificates for *.api.legion.work. The Cloudflare-issued free certificates only cover one level of your domain, so legion.work or api.legion.work would be fine; example.api.legion.work would cause an error if :orange:, so make sure you are not using such subdomains through Cloudflare without a Dedicated Certificate.

Right now the certificates being hosted on Cloudflare for your domain look OK to me:

michael$ openssl s_client -connect cloudflare.net:443 -servername enterprise.legion.work | openssl x509 -noout -text | grep DNS:
DNS:ssl953255.cloudflaressl.com, DNS:*.legion.work, DNS:legion.work

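The two behaviours discussed in this thread, as an added example (not code from any poster): a SAN-aware matcher that accepts enterprise.legion.work against the wildcard SAN, a legacy CN-only matcher that rejects it the way Richard's app did, and the one-label wildcard rule that makes example.api.legion.work fail. The certificate dict is constructed to mirror the SAN list in Michael's openssl output, in the shape Python's `getpeercert()` returns.

```python
# Constructed sample in ssl.SSLSocket.getpeercert() shape, mirroring the SANs
# seen above (ssl953255.cloudflaressl.com, *.legion.work, legion.work).
CLOUDFLARE_CERT = {
    "subject": ((("commonName", "ssl953255.cloudflaressl.com"),),),
    "subjectAltName": (
        ("DNS", "ssl953255.cloudflaressl.com"),
        ("DNS", "*.legion.work"),
        ("DNS", "legion.work"),
    ),
}


def _label_match(pattern: str, host: str) -> bool:
    """RFC 6125-style match: a leading '*' covers exactly one DNS label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # *.legion.work must not cover example.api.legion.work (two labels).
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def cn_only_match(cert: dict, host: str) -> bool:
    """Legacy client behaviour: ignore SANs and compare only the CN."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _label_match(value, host)
    return False


def san_aware_match(cert: dict, host: str) -> bool:
    """Modern behaviour: dNSName SANs are authoritative; CN only if no SANs."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        return any(_label_match(name, host) for name in dns_names)
    return cn_only_match(cert, host)
```

A client that reports `san_aware_match` false but `cn_only_match` true for its own hostname is the SAN-ignoring case Sandro describes; the multi-level subdomain case fails under both.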
