Uh, I feel so stupid, and am a bit out of my depth here.
I needed to move a site to a new server. Six months ago I set up HTTPS through Cloudflare (free account). Tonight I stupidly updated the name servers to the new hosting account, rather than doing it through Cloudflare. Now the site is inaccessible, because I set up HSTS back in the day (following Troy Hunt’s advice).
I quickly changed the name servers back to point to Cloudflare, but the damage seems to be done. I’m getting an invalid cert warning, because the browsers have all picked up an unsigned certificate from the new host. I don’t seem to be able to get back to using the Cloudflare cert.
Is there anything I can do here? I’m a bit lost, and feeling very incompetent!
Thanks for any help.
What is the domain name? That is probably the best thing to provide for some troubleshooting…
Thanks matteo. It’s schoolofphilosophy.org.au.
I’ve tried to set everything back to the way it was, but in the short space of time the domain was pointing at the new host, it picked up an unsigned cert from the new host (Media Temple), and now I’m not sure how to get the browsers to see the original Cloudflare cert.
It’s working just fine for me. Have you tried clearing your DNS and browser caches?
O wow, it’s just come back for me too. What a relief.
So everything is back to the way it was — including the site being on the old server. I wonder if it’s safe now to try switching to the new hosting, but this time through Cloudflare.
Is the best approach just to change the IP address on this line—that is, change to the IP of the new server? Or is there something else I need to do?
A schoolofphilosophy.org.au IP Proxied
Thanks for helping with this. I’m grateful just to have someone else to talk to, as it’s the wee hours for me here!
The best approach is switching IP. Make sure that the configuration is identical regarding TLS certs. If you are on Flexible make sure it goes to HTTP on the backend (this is really not recommended, add a certificate there), if on Full (or Strict) make sure you have a cert even self-signed (or valid) there.
Okay, thanks. Hah, I remember those settings, but can’t for the life of me find them now (flexible etc.) Any tips on where to find them?
When you mentioned clearing DNS, could you clarify what you mean there? I’m not sure I’m doing the right thing. Just noticed the site is still bombing out in Firefox.
EDIT: ah, sorry there it is under SSL/TLS. Must be blind.
It could be that the cache of Firefox is keeping the replies to DNS queries and, if the other provider had some long TTL on theirs, it could stay there for a while.
Okay, thanks for that. Firefox was okay half an hour ago, but even following those tips you linked to still is blocking the site again now. So is Safari, Vivaldi … Hm. At least Chrome isn’t now. I guess I’ll wait a few hours, though I’m a bit scared of changing that IP address just yet. Maybe I’ll leave it a day.
Once again, thanks for your hand holding! It’s made my night of horror easier to bear!
Once it’s behind Cloudflare’s proxy it won’t actually matter to the end users. They will continue to see the same IP, it will change it the backend basically instantly (~5s).
Great, thanks for that reassurance.
One more question, if I may. I’ll be handing this site over to another dev fairly soon, and I wish I had set up this Cloudflare account just for this site. (Instead, I have a few other sites in the same account.) I was wondering if I should set up a new, separate CF account just for this site, but after this mess I’ve got the heebie jeebies about attempting that. If I just closed off this account and set up another one straight away, with the same settings, do you think things will be okay (apart from maybe a few messy hours)?
Or does that sound just crazy?
I would recommend just simply create a new account and add this domain before deleting it from this account. Set everything up there correctly (DNS, TLS and all everything, basically copy page per page from this account) and then simply switch NS at the registrar. They will be different by design and the new account will get priority.
You could add yourself as an admin in that account and edit it with one single login.
Okay, fantastic. Thanks again, @matteo! I really appreciate your time.
Don’t delete the domain from the old account until at least it says it has been moved or wait and it will go away by itself after a bit.
Out of interest, what browser(s) did you check the site in? I’ve just tried a few different devices, and no dice (iPhone, iPad etc), as well as the other browsers other than Chrome on the laptop. Just still a little nervous that all’s not fixed yet.
I used Chrome, but Safari works too.
Are you on Windows, macOS or Linux?
I’m on macOS. But I just tried my mobile with wi-fi turned off, using mobile data, and it’s okay, so I guess my ISP is once bitten, twice shy. Fingers crossed.
Try, on your ISP’s connection, opening Terminal, running
dig yourdomain.com and paste here the output…
Ooh, that’s a cool thing to do. This is what I got (assuming I did the right thing):
; <<>> DiG 9.10.6 <<>> schoolofphilosophy.org.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58801
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;schoolofphilosophy.org.au. IN A
;; ANSWER SECTION:
schoolofphilosophy.org.au. 17626 IN A 126.96.36.199
;; Query time: 2 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Tue Sep 10 10:07:59 AEST 2019
;; MSG SIZE rcvd: 70
Yep, your router still has the old IP ~17500 seconds. It should report two pretty similar IPs, not one.
Try restarting your router (which is the DNS server), it may clear its cache…