Is there any option to force Cloudflare to use Let's Encrypt to generate SSL certificates for .com domains?

#1

Is there any option to force Cloudflare to use Let’s Encrypt to generate SSL certificates for .com domains?

#2

Not on the Free or Pro plan, you’d have to go up to a plan where you can upload your own cert and then generate and upload a LE cert if you wanted to use them.

The (normal) CloudFlare ‘Universal SSL’ free certs are perfectly fine though unless you have a real fringe case?

#3

Why?
Cloudflare will provide a valid certificate for you already.

#4

I’m from Iran, and here there are some problems with Universal SSL, but there are no problems with Let’s Encrypt SSL certificates.

#5

For my IR domains, there is a Let’s Encrypt SSL certificate. I want to use the Let’s Encrypt certificate that Cloudflare generated for my .com domains. Is there no way?

#6

AFAIK there used to be issues in an Iranian context with dedicated certificates. Universal ones should have been fine. Which issues do you experience?

If you are referring to the common Iranian connectivity issues on the other hand, that is not certificate related but Iranian ISPs seem to block certain Cloudflare IP addresses when it comes to SSL connections.

#7

This is my website: https://javabina.com and this is another: https://blogfa.com
Everything is the same, but blogfa.com loads fast and my website cannot be loaded. I cannot see any difference between the certificates.
I can share a video of how it works.

#8

They both load for me and both use Cloudflare certs. The certificate used won’t impact page load speed in any way.

Can you explain again why you think you need to use a Let’s Encrypt certificate?

#9

You can see this video. I show the difference between these two domains.
I want to use Let’s Encrypt because our government has never touched it yet.

@sandro @saul

#10

What’s the output of

openssl s_client -connect 104.31.74.16:443 -servername javabina.com

To me this rather looks like the usual SSL issues in Iran.

#11

This is the output

    CONNECTED(00000003)
    depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Certification Authority
    verify return:1
    depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
    verify return:1
    depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = sni171597.cloudflaressl.com
    verify return:1
    ---
    Certificate chain
     0 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=sni171597.cloudflaressl.com
       i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA 2
     1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA 2
       i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
     2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
       i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIHwzCCB2igAwIBAgIRAJ/TBAiAFZ6uWa1ya7vtJuowCgYIKoZIzj0EAwIwgZIx
    CzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNV
    BAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQD
    Ey9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0Eg
    MjAeFw0xOTA0MTAwMDAwMDBaFw0xOTEwMTcyMzU5NTlaMGwxITAfBgNVBAsTGERv
    bWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVs
    dGktRG9tYWluMSQwIgYDVQQDExtzbmkxNzE1OTcuY2xvdWRmbGFyZXNzbC5jb20w
    WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARODriybZ2zZswnX+/SJbxEcfhYPIQ1
    JsStE+kgvSREU6BxOAkuc761DvHBHZcFLDdwYZ+jQ5VLroBYXPJKI60ao4IFwjCC
    Bb4wHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFPfX
    YYAkJmgda8nX61Il3Wzpe69/MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAA
    MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysG
    AQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5j
    b20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNv
    bW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZl
    ckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2Ny
    dC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVT
    ZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQu
    Y29tMIIDAgYDVR0RBIIC+TCCAvWCG3NuaTE3MTU5Ny5jbG91ZGZsYXJlc3NsLmNv
    bYISKi5ib29rc25iYWdlbHMuY29tggwqLmJ1dmlkZW8uZ3GCDiouY2xpY2ttaW4u
    Y29tgg4qLmZhcnZpc3VuLmNvbYISKi5nLWtpbm8tcmV2aWV3Lmdhgg8qLmdyYW5k
    ZXRlY3QudGuCECouaGFpZmFjaW4uY28uaWyCECouaHlwaXhlbC5ldmVudHOCDiou
    amF2YWJpbmEuY29tghMqLm1hcmphbmFzZ2hhcmkuY29tghcqLm1hcnhpc21jb25m
    ZXJlbmNlLm9yZ4IUKi5taXN0eXdhdGVyc2hvYS5jb22CDioucXNndW9nYW4ubmV0
    ghMqLnJvYmVydGtlbGxvZ2cuY29tghkqLnNvY2lhbGlzdGRpc2N1c3Npb24ubmV0
    gg4qLnRhcmJvdC5jby5pbIIRKi50aW9yZXNjcG9sZWIudGuCDCoudHdpemRpei51
    c4IMKi51YnFzYnJxLmdxghIqLnZhcmN1ZWdlbHBob2IuZ2GCDSoud29vZndhZi5j
    b22CEGJvb2tzbmJhZ2Vscy5jb22CCmJ1dmlkZW8uZ3GCDGNsaWNrbWluLmNvbYIM
    ZmFydmlzdW4uY29tghBnLWtpbm8tcmV2aWV3Lmdhgg1ncmFuZGV0ZWN0LnRrgg5o
    YWlmYWNpbi5jby5pbIIOaHlwaXhlbC5ldmVudHOCDGphdmFiaW5hLmNvbYIRbWFy
    amFuYXNnaGFyaS5jb22CFW1hcnhpc21jb25mZXJlbmNlLm9yZ4ISbWlzdHl3YXRl
    cnNob2EuY29tggxxc2d1b2dhbi5uZXSCEXJvYmVydGtlbGxvZ2cuY29tghdzb2Np
    YWxpc3RkaXNjdXNzaW9uLm5ldIIMdGFyYm90LmNvLmlsgg90aW9yZXNjcG9sZWIu
    dGuCCnR3aXpkaXoudXOCCnVicXNicnEuZ3GCEHZhcmN1ZWdlbHBob2IuZ2GCC3dv
    b2Z3YWYuY29tMIIBAwYKKwYBBAHWeQIEAgSB9ASB8QDvAHYAu9nfvB+KcbWTlCOX
    qpJ7RzhXlQqrUugakJZkNo4e0YUAAAFqB0a8HAAABAMARzBFAiBKzfQpQVTM/9+M
    n9+eOYFPoVmUJM28ehrmHlvtHJMvzgIhAI0hQTZV3iRHbIE/qX4tgfQ2crXzFyYT
    E3ODkwq8FRFwAHUAdH7agzGtMxCRIZzOJU9CcMK//V5CIAjGNzV55hB7zFYAAAFq
    B0a8MAAABAMARjBEAiAOm9pIW37uLRpafjj6YGqqt2MV2db0MDj7effHAzA3mQIg
    Uj1s4WJUP7hqU6WvlcUzhtKNzfYpOb/BzBjtCRRr/1IwCgYIKoZIzj0EAwIDSQAw
    RgIhAIXXXH1PMQeyOUqkXE+EAiqotXobeTFA1GeAgztXjlH5AiEAhZsl2KSDkb3U
    J+an4mqtARhoMaL2X5q0A4D9g9DjeO4=
    -----END CERTIFICATE-----
    subject=/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=sni171597.cloudflaressl.com
    issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA 2
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 4217 bytes and written 394 bytes
    Verification: OK
    ---
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 256 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS_AES_256_GCM_SHA384
        Session-ID: 
        Session-ID-ctx: 
        Resumption PSK: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1557835112
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
        Max Early Data: 0
    ---
    closed

I know this issue exists in Iran, and I want to change the type of SSL to Let’s Encrypt to get past this issue.

#12

And another thing: my friends tell me maybe this is not an SSL issue. I turned it off and the website works perfectly. This is 100 percent an SSL issue that we are facing. :((

#13

Interesting, it seems the SSL handshake actually succeeds.

What happens if you run the previous OpenSSL command again and, once the handshake is done, send this by typing it into the console:

GET / HTTP/1.1
Host: javabina.com
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

Followed by two returns.
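The manual check above (TLS handshake with SNI via `openssl s_client`, then a typed `GET` with a `Host` header) separates two failure modes that look the same in a browser: a handshake that never completes, and a handshake that succeeds but whose application data is then dropped. The script below is an added example written for this thread, not something posted by its participants or shipped by Cloudflare; it uses only the Python standard library, takes the edge IP and SNI name from the thread as constructed defaults, and reports the stage (`tcp`, `tls`, `http`) at which the exchange stalled together with the leaf certificate's CN and DNS SANs.

```python
import socket
import ssl
import time

# Constructed defaults taken from the thread: the Cloudflare edge IP and the SNI
# name it was probed with. Any other IP/hostname pair can be passed to probe().
DEFAULT_IP = "104.31.74.16"
DEFAULT_SNI = "javabina.com"
USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) "
              "Gecko/20100101 Firefox/68.0")


def build_request(host: str, path: str = "/", user_agent: str = USER_AGENT) -> bytes:
    """Build the HTTP/1.1 request typed into s_client, CRLF-terminated and ending
    with the blank line that closes the header block (the 'two returns')."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: {user_agent}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_status(response: bytes):
    """Return the numeric HTTP status from the first response line, or None."""
    first = response.split(b"\r\n", 1)[0]
    parts = first.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def leaf_names(cert: dict) -> dict:
    """Extract subject CN and DNS SANs from the dict form returned by getpeercert()."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"cn": subject.get("commonName"), "dns_sans": sans}


def probe(ip: str = DEFAULT_IP, sni: str = DEFAULT_SNI,
          port: int = 443, timeout: float = 10.0) -> dict:
    """Connect to ip:port, handshake with SNI, send the request and read until the
    server closes. 'stage' records the last step reached when something failed."""
    result = {"stage": "tcp", "ok": False, "elapsed": None, "detail": None}
    t0 = time.monotonic()
    ctx = ssl.create_default_context()  # verifies the chain and hostname against sni
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            result["stage"] = "tls"
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                result["cert"] = leaf_names(tls.getpeercert())
                result["protocol"] = tls.version()
                result["stage"] = "http"
                tls.sendall(build_request(sni))
                chunks = []
                while True:
                    chunk = tls.recv(4096)
                    if not chunk:
                        break
                    chunks.append(chunk)
                response = b"".join(chunks)
                result["status"] = parse_status(response)
                result["bytes"] = len(response)
                result["ok"] = result["status"] is not None
    except socket.timeout:
        # A timeout at stage 'http' means the handshake worked but no response
        # arrived: the symptom the thread is trying to distinguish from a TLS failure.
        result["detail"] = f"timed out after {timeout}s"
    except ssl.SSLError as exc:
        result["detail"] = f"TLS failure: {exc}"
    except OSError as exc:
        result["detail"] = f"socket error: {exc}"
    result["elapsed"] = round(time.monotonic() - t0, 2)
    return result


if __name__ == "__main__":
    print(probe())
```

Run it from the affected network and from an unaffected one and compare the `stage` field: `ok: True` with a status code means the full exchange works, `stage: "http"` with a timeout matches a handshake that completes but then hangs (as the "closed" after several seconds in this thread suggests), and `stage: "tls"` with a verification error would point at the certificate itself.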

#14

https://countryforkids.co.uk seems to be on the same IP address. Does that site load for you (it only shows a “sorry” default page)?

#15

I see this

I tried to run the previous procedure that you told me.

#16

These are the certificate details

#17

So you seem to be able to access the IP itself. Unless there really is some issue with the certificate (which I would rather dismiss, also because OpenSSL could process it) my only guess at this point could be some SNI filter (though that seemed to have worked on OpenSSL too). Could there be any reason why the Iranian government might want to block your site?

#18

Just “closed” …

#19

Was the “closed” immediately? You need two returns after the user agent line.

#20

There is no reason for the Iranian government to block my website. I have the same issue on my other domain: https://marjanasghari.com


I CANNOT SEND ANY REPLY ANYMORE

No, after 4 or 5 seconds. When I try now, there is no output after 2 minutes.

@sandro

@sandro this video