Massive SSL/TLS mess - Cloudflare error page still after removing my site from Cloudflare service completely

This doesn’t look good

Something else, the main domain on the account, which has its own Let's Encrypt Cert and is not using CF. When you go to webmail.domain.net it goes to the webmail login page but it's not encrypted. That doesn't seem right.

You configured an Origin certificate earlier, didn't you?

Right now that does not seem to be in place.

I didn't remake one yet. But everything should have been covered under the original Origin, correct? I mean it listed domain.com and *.domain.com, which I would presume includes webmail.domain.com

I’ll try a new Origin

The issue is there is no Origin certificate, hence no wildcard either.

1 Like

Oh wait…that Certificate is issued by Let's Encrypt. With an expiration date of May 10. I bet a Bluehost technician did this. I deleted this Certificate after creating an Origin yesterday. It appears like it was installed around 10am today.

I follow you…I think a Bluehost technician deleted the Origin I installed and re-installed Let's Encrypt. Fixing this now…

That totally fixed it. Apparently the technician that was supposed to "take a look at things" from a support call I made 2 days ago finally took a look. Deleted the CF cert, and re-installed a Let's Encrypt cert sometime this AM.

Works fine now!

Thanks for the help again.

I know I’m late to the party, but I have a suggestion if this happens again.

I was hosted on Bluehost for years and they are a Cloudflare partner company. This means they offer push button integration with CF. Before SSL certs were free and http was more common, toggling CF off and on, or pausing it was much simpler.

Last time I used Bluehost’s integration there were certificate mismatches. I ended up writing a blog article about it and posted a link to it in Cloudflare Community. There were also DNS problems similar to what the OP described in this topic.

When you encounter DNS problems and cert mismatches after trying to integrate Cloudflare into your web host via their integration system, and it goes bad, go to your cPanel and reset the DNS to default settings for your website. Also change the nameservers back to your web host and edit your .htaccess to comment out or remove any lines pointing to Cloudflare. This has to propagate and you may or may not see the changes for a while. In my case I was able to see the changes relatively quickly, then work on sorting out the problems (which I blogged about).

1 Like

Thanks for reply. I’m going to try this. As the issue still persists. It’s bat-■■■■ crazy, makes no sense, and 4 Bluehost server technicians have told me it’s a CF issue at this point.

Here’s what’s going on…everything works fine with domain.com, the problem is with webmail.domain.com

I have a CF origin Cert on the server and NOTHING else at this point. I just deleted all the other SSL CERTS

If I go right now and install the CF Origin Cert, then webmail.domain.com works fine, along with domain.com, everything is gravy!!

But then like 24 hours later webmail.domain.com gets an error 526.

The only way to fix this is to go back into cPanel, and re-install the CF Origin Cert again.

Then everything works fine for 24 hours, and then I'll start seeing an error 526 again.

I’m ripping my hair out literally over this at this point.

This is crazy, but the issue still persists. 4 different 2nd level server techs at Bluehost are adamant it's a CF issue. Only fix is to re-install the Origin Cert. But then 24 hours later, bam! Error 526 again at webmail.domain.com (domain.com no problems)

Hi @seperatis,

I’ll be honest, I haven’t read all 109 replies to this thread, so apologies if I am going back over old ground!

I had a similar issue with a site I manage a short while back. It wasn’t Bluehost and I don’t know how their cert renewal works, but I can tell you what the issue was with mine!

My host had an autorenewal for their SSL cert that ran at a specific time every day. This checked for a valid certificate; if it didn't find one it tried to issue a new one. I had installed a Cloudflare Origin Cert, but as the process thought it wasn't valid (it isn't outside of a Cloudflare context), it tried to replace it with its own cert. The renewal process failed every time, but it deleted the origin cert and I had to re-install it every 24hrs whenever this process ran. The fix in the end was to find a way in the cPanel to exclude the specific domains/subdomains from AutoSSL in my case. I don't know if it's possible that something similar is happening in your case.

1 Like
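A small monitoring script for the failure mode described in the post above (a daily AutoSSL run silently replacing the Cloudflare Origin CA cert, which only surfaces later as error 526) and for the wildcard question raised earlier in the thread (whether *.domain.com covers webmail.domain.com). This is an added example, not code from the thread or from Cloudflare/cPanel; it assumes you have downloaded Cloudflare's Origin CA root PEM to a local file, and the issuer CN constant and all hostnames/IPs are assumed or constructed values.

```python
import socket
import ssl
from datetime import datetime, timezone

# Issuer CN found on Cloudflare Origin CA certificates (assumed value for this check)
ORIGIN_CA_CN = "CloudFlare Origin SSL Certificate Authority"

def name_to_dict(rdns):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) issuer tuple into a dict."""
    return {k: v for rdn in rdns for k, v in rdn}

def hostname_covered(hostname, sans):
    """Wildcard rule: '*.domain.com' covers exactly one extra label, so it matches
    'webmail.domain.com' but not 'domain.com' itself and not 'a.b.domain.com'."""
    host = hostname.lower().rstrip(".")
    for kind, value in sans:
        if kind != "DNS":
            continue
        pat = value.lower()
        if pat == host:
            return True
        if pat.startswith("*.") and "." in host and host.split(".", 1)[1] == pat[2:]:
            return True
    return False

def check_cert(cert, hostname, now=None):
    """Return a list of findings for a getpeercert()-style dict; [] means it looks right."""
    now = now or datetime.now(timezone.utc)
    findings = []
    issuer = name_to_dict(cert.get("issuer", ()))
    if issuer.get("commonName") != ORIGIN_CA_CN:
        findings.append(f"issuer is {issuer.get('commonName', '?')!r}, not the Cloudflare Origin CA")
    if not hostname_covered(hostname, cert.get("subjectAltName", ())):
        findings.append(f"{hostname} is not covered by subjectAltName")
    if now.timestamp() > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("certificate has expired")
    return findings

def fetch_origin_cert(origin_ip, hostname, origin_ca_pem, port=443):
    """Connect straight to the origin (not through Cloudflare), send SNI for `hostname`
    and return its cert dict.  The chain is verified against the Cloudflare Origin CA
    root you saved to `origin_ca_pem`, so an ssl.SSLCertVerificationError here means the
    origin is no longer serving an Origin CA cert at all (e.g. AutoSSL replaced it)."""
    ctx = ssl.create_default_context(cafile=origin_ca_pem)
    ctx.check_hostname = False  # SAN coverage is reported by check_cert() instead
    with socket.create_connection((origin_ip, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

Run `check_cert(fetch_origin_cert("203.0.113.10", "webmail.domain.com", "origin_ca.pem"), "webmail.domain.com")` from cron with your own origin IP (the one shown is a constructed placeholder); a non-empty result, or a verification error from the fetch, is the signal that the AutoSSL run has swapped the certificate.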

This is EXACTLY what I believe is happening. It's the only thing that makes sense to me at this point. The problem is the server techs at Bluehost are morons I guess. 4 of them have now told me it's a problem with CF and that they can't even touch the certificates b/c I'm using CF DNS. (makes no sense?)

So the last message I sent (they will not allow call support with server techs), I said "Sir, Please explain to me how Cloudflare is accessing my Bluehost account and putting a Let's Encrypt Certificate on the server every day"?

I'll check cPanel, but not sure, as this is a shared hosting server not a VPN.

Thanks for the reply

It definitely sounds like they don’t understand Cloudflare very well!

The issue I had was on a site using shared hosting, but like I said I don’t know how Bluehost’s is set up!

In my cPanel I found the option under:

Security > SSL/TLS Status

It then gave me a list of domains and subdomains that AutoSSL was running on and let me choose 'Exclude Domains from AutoSSL', which is what I did.

Okay, found the settings you're talking about but frak. The domain is listed there but there is an error and no option to exclude from auto-SSL:

“Unknown Certificate Type”

I think you're right though, this is the automated process that is jacking things up

I see for all my other domains, the auto-SSL has already run today.

Okay, progress. So I just re-installed the Let's Encrypt Cert, which now allows me to tick the box "Exclude from Auto-SSL"

Yeah, Does yours look anything like this?

TBH, the only thing I can recommend is going back to Bluehost and laying down exactly what you think the issue is and hoping they can see it! If not, changing host is about the only other option ☹️

Yes, that's what it did look like. I fixed it by re-installing the Let's Encrypt Cert and then I ticked that box that said "Exclude from auto-SSL"

Hopefully this will fix it.

My only question I guess, is that if this was the problem then why would the domain.com work fine but only the webmail.domain.com have the error 526? Any reason you can think of?

Excellent, hopefully when you re-install the origin cert, it won’t try to renew the cert that you don’t want now!

Exactly!

Only that perhaps, for some unknown reason, Bluehost tries to renew the webmail cert and not the one for the root domain…

Hmm…yeah. Guess I don’t really care as long as it fixes it! I’ll report back tomorrow and we’ll know for sure!

1 Like

No! Great, hopefully it will 🙂