Invalid SSL certificate - chain breaks somewhere

Hello,

For the past week, I have been trying to secure a valid SSL. I am using wordpress and Cpanel for my website, I have added countless times the new certificates and keys, and I have used the Certificate Authority Bundle found here (Managing Cloudflare Origin CA certificates – Cloudflare Help Center). I have purged the cache for my website and my browser.

I am not sure if I am doing something wrong and if I’m supposed to change something.

Thank you!

Is your domain using Cloudflare?
I see the nameservers are not yet or changed or the change of the nameservers haven’t yet propagated?

;QUESTION
retetefaragluten.ro. IN NS
;ANSWER
retetefaragluten.ro. 21599 IN NS ns1.gazduire.ro.
retetefaragluten.ro. 21599 IN NS ns2.gazduire.ro.
retetefaragluten.ro. 21599 IN NS dns.gazduire.ro.

Your A records seems not to be proxied via Cloudflare (:orange:)?

;QUESTION
retetefaragluten.ro. IN A
;ANSWER
retetefaragluten.ro. 599 IN A 188.214.19.2

Could you please re-check if you have :orange: DNS records (A www A yourdomain, or if using CNAME) at your Cloudflare dashboard for your domain www.retetefaragluten.ro? (needs to be proxied via Cloudflare)

Moreover, since you are using Cloudflare Origina CA certificate for your domain, kindly may I ask if you have selected Full SSL (Strict) option under SSL tab at Cloudflare dashboard?

Due to cPanel usage, I hope you have correctly installed the certificate. Were there any issues regarding the process?

Hello,

The Cpanel process went flawless.

My hosting providers told me to use their website nametags in order to be able to use the email that they provide (the email was not working when I was using the cloudfare nametags

1 Like

Have you checked your nameservers for your domain at your domain registar?

What are they showing?
Are they pointed to Cloudflare nameservers?

Moreover, from the screenshot above, kindly remove the CNAME mail record.
Add new A mail record and point it to your IPv4 address and make sure that record A mail is :grey: (DNS only) cloud, otherwise your e-mail services are not going to function propperly.

For help “How to manage DNS records at Cloudflare” see the below articles:

https://support.cloudflare.com/hc/en-us/articles/360019093151-Managing-DNS-records-in-Cloudflare

Regarding the e-mail service, Cloudflare does not proxy e-mail traffic as the cited below:

If you have an MX record of “mail.domain.com”, then the A record for “mail.domain.com” must have a “grey-cloud” icon next to the DNS A record as demonstrated in our support guide for managing DNS records in Cloudflare.

Also why would be needed to do it that way, kindly check on the below article:

https://support.cloudflare.com/hc/en-us/articles/200168876-Email-undeliverable-when-using-Cloudflare

1 Like

You can use Cloudflare for your domain/website and yes, your e-mail can work even when you use Cloudflare services. Just make sure to follow the posted instructions regarding how to make your e-mail work.

Cloudflare cannot work for your domain if you do not change nameservers - that is the only “main” thing about it :wink:

To use Cloudflare as your authoritative DNS provider, you must update the nameservers at your domain registrar so that your web traffic routes through the Cloudflare network. This video explains how to change your nameservers at your domain registrar when adding your website to Cloudflare.

Just to be sure that I understood correctly, I should change the nameservers back to the ones provided by cloudfare, then add a record A mail with a grey cloud by it, and everything should be ok? :slight_smile:

I have updated the nameservers and the mail.

Exactly, yes.

I believe yes. The A mail record should contain the IP address of your e-mail/hosting provider (maybe it should be the same as 188.214.19.2 and not 79.117.254.179 - if this one is your IPv4 address from home network or I am wrong and this IP address is actually from your e-mail server/hosting?).

Try leaving the value as is “dc-…” and check later if you can send/receive e-mails.
Of course, at your e-mail client (like Outlook or Thunderbird, or some other) for “incomming/outgoing server” use the hostname mail.retetefaragluten.com.

From the screenshot above, I am just not 100% aware if a MX record for your domain points to a good location? - I have not used a lot “hostnames” like “dc-something.domain…”.
Due to most situations the MX record under “content” has got a value like mail.yourdomain.com (priority either 0 or 10).

Also, from the provided screenshot, kindly to make sure you can connect to your FTP (either using FileZilla or some other FTP client), this one record should also be :grey: cloud (DNS only) - so, just click on the :orange: near FTP to be it :grey:.

That is the right way, yes.
Now when I check I see Cloudflare nameservers as a response (if not yet, will be in few hours due to the DNS propagation):

;QUESTION
retetefaragluten.ro. IN NS
;ANSWER
retetefaragluten.ro. 21599 IN NS dawn.ns.cloudflare.com.
retetefaragluten.ro. 21599 IN NS kianchau.ns.cloudflare.com.

It was indeed my home network, but I cant make it DNS only with this address 188.214.19.2

Ok. Yes, then it should be the address of your e-mail provider/hosting.

May I ask why not? Any concerns due to security or?

I get an error saying that “This record exposes the IP behing ftp.retetefaragluten.ro which you have proxied through Cloudfare. To fix this, change its proxy status.”

Bro by the way I really appreciate you taking your time with this matter!!

1 Like

About that one warning, to make sure your e-mail and FTP would function well, here is an article with detailed information about it:

However, there are times when some of your DNS records need to remain grey-clouded. For example:

  • A, AAAA, or CNAME records used for mail traffic must not be orange-clouded because email routing won’t pass through Cloudflare’s proxy.
  • When you have to host multiple services (for example, a website and email and ftp) on the same physical server

https://support.cloudflare.com/hc/en-us/articles/115003687931-Warning-about-exposing-your-origin-IP-address-via-DNS-records

In terms and concerns of security and other due to “exposing IP address”, instead a better practice is to use a third party mail service (such as Zoho, or Google Apps, etc.), or have your e-mail server running on a different IP.
You can then point the MX record to the new record or mail server not located on your machine where your website is hosted, and keep the real IP hidden safely.

Furthermore, currently in your situation I believe this is not a case so you can safely ignore the warning for now.

Hello again, unfortunately, I am not able to receive any emails.

IS this the place where I should change the settings from?

That one is more interesting because for an SSL says you should use loki.gazduire.ro for incomming/outgoing (POP3/SMTP).

Obviously, yes, you should use that one in your e-mail client (Outlook, Thunderbird …).

Also, I see you are using cPanel, kindly, can you also check what value have you got for “MX” under "DNS zoneyourdomain.com → click on the button “Manage”?

  • the same value should be (maybe CNAME, but as already stated you should use A mail at Cloudflare … if so?)

An example here:

Screenshot_2021-03-26 cPanel - Main

Screenshot_2021-03-26 cPanel - Zone Editor

Now I’m getting a 522 error every time I load a new page in WordPress. This being the reason why I have changed the nameservers to the ones from my host. Do you know what I can do to fix this error without changing the nameservers?

Regarding error 522, what SSL option have you got selected at Cloudflare SSL settings/tab?

https://support.cloudflare.com/hc/en-us/articles/115003011431-Troubleshooting-Cloudflare-5XX-errors#522error

Moreover, I have tested and Website is loading fine and working correctly at my end.

Can you confirm?

It indeed works, but there are times when I cant even create a new article in wordpress, because I’m getting that error. Could you please tell me what exactly I should do in cPanel to be able to get emails?
Thank you so much!

1 Like

Could be due to some extension, or something “hangs” due to possible time needed for a script or some SQL query to execute.
Or, maybe you would need to look at a debug.log file for your WordPress, maybe some errors would “pop-up” when you enable debugging in WordPress.
Moreover, just as an indication, check your PHP settings and try to tweak/tune them to suite even better.
And a recommendation is to use some caching with WordPress due to if some high traffic spikes or some webpage has got a lot of work to do (for example news page or similar, which needs an direct access to your MySQL database via Ajax, etc.).
Kindly, have a look up at your PHP settings and if any errors show.

Kindly, due to cPanel usage and your e-mail service, could you please check your A mail record and edit your existing MX record at Cloudflare DNS dashboard and make it be:
Kindly, make sure you have this two records setup at your Cloudflare DNS dashboard as:

  • A mail with content 188.214.19.2 :grey: cloud (DNS only)
  • MX retetefaragluten.ro with content mail.retetefaragluten.ro, priority 10

And also make sure to use mail.retetefaragluten.ro as an incomming and outgoing (POP3/SMTP) server when using your e-mail client (like Outlook, Thunderbird, etc.).

Wait for few minutes to apply the changes.

Thank you so much for your patience, my email is finally working!

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.