Let's Encrypt SSL issues

ssl

#1

Hello.

Today I installed my Let’s Encrypt certificates & uploaded them to my cPanel (not Cloudflare). When I try to browse the site, it’s offline. I tried to switch subdomains to DNS only, and it worked.

But well, not all subdomains work. Only 2-3 work, with an incomplete chain also.

So, what should I do? Should I just wait until certificates initialize or do I have to re-try everything? I have Full (strict) mode. And how can I still make the connection to go through Cloudflare?

Thank you.


#2

Can someone please give me an answer?


#3

What’s the SSL status on your Cloudflare Crypto page? It should be Active Certificate.

What’s your domain?


#4

I have set it to Full (strict), but it says nothing and also refuses to access the website.

I didn’t upload it because I am on free plan, but I activated that certificate on my host’s cPanel. I also disabled Universal SSL so mine could work properly, but it’s not.

And my domain is nt-rblx.cf; it still uses Universal SSL instead of mine.


#5

If you go through Cloudflare, visitors are not connecting to your origin server that has your SSL certificate. They connect to Cloudflare’s server, which then connects to your server to pull content.


Right now, I’m getting a secure connection to your Cloudflare proxy, but it isn’t making a successful secure connection to your server. Try SSL Full (not strict). It could be that the certificate on your server doesn’t match up with what Cloudflare expects it to say.


#6

It would be better not to turn off security, if at all possible, though.

If the origin’s certificate chain is incomplete, that would stop it from working, I think.


#7


I can access the site now, but it still uses the Universal SSL instead of my own SSL that I activated on my cPanel. I’ve already disabled Universal SSL.


#8

How have you disabled Universal SSL? If you’re seeing a Cloudflare SSL certificate, it’s using Universal SSL.

And unless you’re on a Business or Enterprise plan, you can’t use your Let’s Encrypt certificate on Cloudflare.


#9

It’s my understanding from all these tutorials I read on the web that it is possible to install Let’s Encrypt on my hosting provider’s server, set Full Strict SSL on Cloudflare, and it should work with my WordPress site (where I changed my address from http to https). However, it is not working for me either. If I disable Cloudflare I can see the Let’s Encrypt certificate, but if I enable it I get:

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

So, you are saying that this is impossible with the hosting company’s free version of Cloudflare? Or is there something additional I need to do? Other than upgrading, is my only other option to use the “Cloudflare origin CA”? This is a personal website, so I don’t “have” to have SSL; it’s just nice for SEO.

I don’t mean to hijack the thread, it is just that the forum will not let me post anything new because I am a brand new member. It may help the OP as well.


#10

It sounds like you set up your Cloudflare configuration using a hosting partner’s panel, correct? Some partners have different configurations that add some challenges.

Your basic setup sounds proper: A genuine Let’s Encrypt certificate on your server, and Full Strict SSL at Cloudflare. Do you have access to the Crypto Tab for Cloudflare? It should tell you the SSL status, and it should be “Active.” Not “Pending” or some other non-functioning status.


#11

Thanks for the reply. Yes, I set up Cloudflare using the hosting partner’s cPanel. I have been using it for the last couple of years; it makes a huge speed difference. However, I log into Cloudflare to make any changes, as there are more features, and changes work properly/faster there in some instances as opposed to using cPanel or the WordPress plugin. The Crypto tab in Cloudflare shows the Universal SSL as active, all others inactive; also, not saying there should be, but there is no listing for Let’s Encrypt.


#12

What’s your domain?


#13

I left https turned on earlier today, so you will be able to see the issue.


#14

Not sure it helps, but one thing I noticed today is that when I test for the certificate using ssllabs:

https://www.ssllabs.com/ssltest

roadramblersmc.com returns the certificate, passes all tests, and points to what looks like a hosting ip.

www.roadramblersmc.com fails and points to a Cloudflare ip.

Crashing for the evening and will check back tomorrow.


#15

It looks like you’re using a CNAME setup. This is most likely the cause of the mismatch because your domain’s Cloudflare Cert is probably issued to [*.]roadramblersmc.com, but your DNS shows it as being www.roadramblersmc.com.cdn.cloudflare.net.

Can you change your DNS entries here to use an A record that points to your server’s IP address?

Your roadramblersmc.com DNS entry points directly to your origin server, and not :orange: through Cloudflare. The good news is that this makes it look like it’s possible to get this all working with minimal hassle.

p.s. I’ve seen other Cloudflare users with a similar CNAME setup. How was this set up? I suspect it’s through a Hosting Partner that uses the CNAME setup, which is problematic.


#16

This was done through cPanel, but not by me manually. I imagine the Cloudflare program in cPanel did it when I used it to set up Cloudflare. By the way, should I get rid of the WordPress Cloudflare plugin? Is it just adding extra complexity and a problem waiting to happen? I can always go directly to the Cloudflare website.

OK, as for the DNS entries that are set up in cPanel. I am going to need some help with this, as I am not sure which ones to delete and/or change, and what to change them to. There are a ton of listings there, but the following three look like the appropriate ones (that don’t deal with mail, webmail, cPanel, etc.):

  1. roadramblersmc.com. 1800 IN A 198.20.92.30
  2. www.roadramblersmc.com. 1400 IN CNAME www.roadramblersmc.com.cdn.cloudflare.net
  3. cloudflare-resolve-to.roadramblersmc.com. 1400 IN CNAME roadramblersmc.com

I have what I think is an unrelated item that I don’t understand. I have another website (www.flaminghellmet.com) that I will be converting to https next, after I get this one working. It has the equivalent listings as above in the cPanel DNS entries. However, it also has some very strange listings whose purpose I don’t understand. It is a combination of both websites, with the domain names roadramblers.flaminghellmet.com and www.roadramblers.flaminghellmet.com as shown below. I did create a subdomain for roadramblersmc so I could have two websites on the same hosting account, so are these the listings required for that?

  1. roadramblersmc.flaminghellmet.com. 1400 IN CNAME roadramblersmc.flaminghellmet.com.cdn.cloudflare.net
  2. www.roadramblersmc.flaminghellmet.com. 1400 IN CNAME www.roadramblersmc.flaminghellmet.com.cdn.cloudflare.net

#17

For roadramblersmc, Entry #1 should be :orange: (I hope it lets you enable that).
Entry #2 should be an A record with an IP address, just like Entry #1. Again, with :orange: (Cloudflare Enabled).
Entry #3 looks superfluous. Is there anything else in DNS that refers to cloudflare-resolve-to.roadramblersmc.com?

cPanel does funny things (not really) to Add-On domains. It literally adds them onto your main domain. Dunno why, but I don’t like it. Ignore those entries.
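As an added illustration (not code from this thread or from Cloudflare), the following Python checker parses the three zone records quoted in post #16 and applies the advice in this post: a name CNAMEd to *.cdn.cloudflare.net is flagged and an A record to the origin IP is proposed in its place, and a cloudflare-resolve-to helper name is flagged as superfluous when no other record references it. The zone text is constructed from the posted records; the classification rules are assumptions drawn from this thread, not a Cloudflare tool or API.

```python
import re
from typing import NamedTuple


class Record(NamedTuple):
    name: str
    ttl: int
    rtype: str
    rdata: str


# Constructed sample: the three records quoted in post #16, in zone-file form.
SAMPLE_ZONE = """
roadramblersmc.com. 1800 IN A 198.20.92.30
www.roadramblersmc.com. 1400 IN CNAME www.roadramblersmc.com.cdn.cloudflare.net
cloudflare-resolve-to.roadramblersmc.com. 1400 IN CNAME roadramblersmc.com
"""

ZONE_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|CNAME)\s+(\S+)$")


def parse_zone(text):
    """Parse 'name ttl IN type rdata' lines; names are lowercased without the trailing dot."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = ZONE_LINE.match(line)
        if not m:
            raise ValueError(f"unsupported record: {line!r}")
        name, ttl, rtype, rdata = m.groups()
        records.append(Record(name.rstrip(".").lower(), int(ttl), rtype, rdata.rstrip(".").lower()))
    return records


def audit(records):
    """Return {name: (finding, suggested_record_or_None)} for records in the partner CNAME setup."""
    # Assumption: the origin IP is the A record with the shortest name (the zone apex).
    a_records = sorted((r for r in records if r.rtype == "A"), key=lambda r: len(r.name))
    origin_ip = a_records[0].rdata if a_records else None
    cname_targets = {r.rdata for r in records if r.rtype == "CNAME"}
    findings = {}
    for r in records:
        if r.rtype != "CNAME":
            continue
        if r.rdata.endswith(".cdn.cloudflare.net"):
            # The proxied hostname is an alias under cdn.cloudflare.net, which does not match
            # a certificate issued for the zone's own names; point it straight at the origin.
            fix = f"{r.name}. {r.ttl} IN A {origin_ip}" if origin_ip else None
            findings[r.name] = ("CNAME to cdn.cloudflare.net; replace with a proxied A record", fix)
        elif r.name.startswith("cloudflare-resolve-to.") and r.name not in cname_targets:
            findings[r.name] = ("cloudflare-resolve-to helper referenced by no other record", None)
    return findings
```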


#18

EDIT (SOLVED): HOORAY IT WORKED, thanks to @sdayman!!! Two minutes later and the DNS propagated. I can’t thank you enough for the time you spent on this. This was driving me crazy. My website now shows up, I now have the green padlock marked as secure, and the Let’s Encrypt certificate is present. Would the proper thing to do now be to set “Always use HTTPS” to on? I read where it is better to catch this at Cloudflare rather than later in the .htaccess file? I still will also go through my site to make sure http isn’t present anywhere as well, then fix Google Analytics, fix Google Webmaster tools, etc., etc., etc.

EDIT: SOLUTION: I changed www.roadramblersmc.com to look like roadramblersmc.com (1800 IN A 198.20.92.30) using the zone editor per what @sdayman stated in the previous post. In the Cloudflare cpanel app they were already turned on (It is now an ON/OFF switch that turns GREEN when turned ON). Now I just have to wait a while for the new DNS entry to propagate.

Those cloud pictures used to be in the very old version of the Cloudflare app in cPanel when I first set up Cloudflare like 3 years ago. With regards to DNS entries in the Cloudflare app, all that is available now in version 7.0.0 is the capability to turn DNS entries on or off, not to make any changes (I imagine that is the equivalent of the colored clouds). The listings I gave you in my previous post are from the Zone Editor app in cPanel, not the Cloudflare app.

So, in the Cloudflare app under “Domains” there are slider buttons for the items to use for Cloudflare. The ones that are turned on (the title is “Use Cloudflare”) are:

CNAME roadramblersmc.com.
cloudflare-resolve-to.roadramblersmc.com

with a TTL of 1

and

CNAME www.roadramblersmc.com.
cloudflare-resolve-to.roadramblersmc.com

with a TTL of 1

All the other listings there are for cpanel, ftp, mail, etc.


#19

Glad that all worked for you.

If you’re fully on the HTTPS bandwagon, then be sure to turn on Always Use HTTPS. It saves visitors an HTTP hop to your origin server.


#20

Oh yeah, the WordPress Cloudflare plugin. I don’t use it. I’m perfectly happy going directly to Cloudflare to mess with stuff, and it’s one less thing to break on my WordPress sites.

But if you like the convenience of its features, go ahead and stick with it for now.