Multi level subdomain - Total TLS

Hi,

We really appreciate all the great contributions from all community members.
We really can't find a solution right now.
We do have an active subscription to the Advanced Certificate Manager.

Usually, Total TLS issues new certificates to any proxied hostname (Edge Certificates)!
We had mixed up some IPv4 addresses in our DNS A entries.
We had entries like this:
sub.subdomain.example.com - 1.2.3.4
sub.subdomain2.example.com - 1.2.3.4

We have updated all DNS entries right now and waited 36 hours; right now all DNS entries are correct on Cloudflare's dashboard.
sub.subdomain2.example.com - 3.4.5.6 (update of IPv4)

Problem
Not all proxied hostnames in our DNS records receive a Total TLS (edge) certificate.

What we did so far:

  • purged cache
  • We have disabled Total TLS for around 4 hours, then enabled it again.
    Still not all proxied hostnames receiving a Total TLS (edge) certificate.
    sub.service2.example.com - 3.4.5.6 won’t receive a Total TLS (edge) certificate.

Any ideas about what else to do are very welcome!
Again, thanks all of you!

Does the impacted hostname appear on the Edge Certificates section of the dashboard at all?

Did you previously have a certificate for this hostname through Total TLS? If you deleted it manually, then Cloudflare assumes you want to exclude it from Total TLS in the future.

Hi @michael,
thanks for your response!

Did you previously have a certificate for these hostnames through Total TLS?

Yes. We had.

If you deleted it manually, then Cloudflare assumes you want to exclude it from Total TLS in the future.

We did delete this entry manually. Afterward, we tried to disable / enable Total TLS. You are right.

How to re-include these entries @cloonan and @michael?

Many thanks!

Hi Community Team @cloonan ,

We did delete Total TLS entries manually. This, as mentioned in our community discussion here, means we have excluded some DNS entries from being issued certificates by Total TLS.
The question no one has answered yet: how do we re-include these entries?
Maybe @michael has an answer?

Therefore, it would be great to get a solution from the community Team before this ticket will be closed.

Many thanks!!!

P.S. This is the response from the API call, @michael @cloonan

{"success":true,"errors":[],"messages":[],"result":{"enabled":true,"certificate_authority":"lets_encrypt","validity_period":90,"status":"enabled"}}

We still have this problem.
We deleted all entries and waited one week.
After adding the "A entries" back again, we still
do not get Edge Certificates issued by Total TLS for those entries.
Really no idea, @michael or @cloonan?

What is the name of the domain?

Hi @cloonan
e.g.

Any idea @cloonan @michael ?

None I’m afraid. Trying to find somebody who can definitively answer.

This would be really helpful if you can point someone to this thread! Many thanks!

This is what happened: deleting certificates after Total TLS was enabled. Unfortunately, there is no explanation of how to correct this user error! Is there still no idea, @cloonan @michael?

P.S.
Deleting certificates
Once you enable Total TLS, be careful deleting any certificates associated with proxied hostnames.

If you do, our system assumes you want to opt that hostname out of Total TLS certificate and will not order new certificates for the hostname in the future. This behavior applies even if you delete and re-create the hostname’s DNS record.

It really seems like there is no option to reset this faulty 'opt out' setting right now, which is very unusual. It is really odd to have no option at all to reset Total TLS settings.
@cloonan, would you mind taking a feature request for resetting Total TLS settings from the dashboard?

Finally, the Support Team came up with this idea, if you have an active subscription to the Advanced Certificate Manager.

Once you enable Total TLS, be careful deleting any certificates associated with proxied hostnames.

If you do, our system assumes you want to opt that hostname out of the Total TLS certificate and will not order new certificates for the hostname in the future. This behavior applies even if you delete and recreate the hostname's DNS record.

Link: Total TLS · Cloudflare SSL/TLS docs

As per our internal team, the best path for remediation would be ordering an advanced certificate for these records.

Link: Advanced certificates · Cloudflare SSL/TLS docs
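The diagnosis and the remediation above can both be driven from the Cloudflare API rather than the dashboard. The following is an added example written for this thread, not code from Cloudflare or from any participant. It assumes the v4 API endpoints and response shapes for `GET /zones/{zone_id}/acm/total_tls` (the response quoted earlier in the thread), `GET /zones/{zone_id}/dns_records` and `GET`/`POST /zones/{zone_id}/ssl/certificate_packs`; the DNS records and certificate packs embedded below are constructed sample data, not captured from a real zone. It lists proxied hostnames that no active edge certificate covers (accounting for the one-label wildcard on the Universal certificate) and builds the advanced-certificate order body that re-covers them.

```python
"""Find proxied hostnames with no active edge certificate and build the
advanced-certificate order that re-covers them.

Added example for the thread above, not Cloudflare's own code. It assumes the
Cloudflare v4 API shapes for /acm/total_tls, /dns_records and
/ssl/certificate_packs; the sample data below is constructed, not real.
"""
import json
import os
from urllib import request

API = "https://api.cloudflare.com/client/v4"

# Constructed sample responses, trimmed to the fields this script uses.
TOTAL_TLS_RESPONSE = {
    "success": True, "errors": [], "messages": [],
    "result": {"enabled": True, "certificate_authority": "lets_encrypt",
               "validity_period": 90, "status": "enabled"},
}
DNS_RECORDS = [
    {"name": "sub.subdomain.example.com", "type": "A", "content": "1.2.3.4", "proxied": True},
    {"name": "sub.subdomain2.example.com", "type": "A", "content": "3.4.5.6", "proxied": True},
    {"name": "sub.service2.example.com", "type": "A", "content": "3.4.5.6", "proxied": True},
    {"name": "origin.example.com", "type": "A", "content": "3.4.5.6", "proxied": False},
    {"name": "example.com", "type": "A", "content": "1.2.3.4", "proxied": True},
]
CERTIFICATE_PACKS = [
    # Universal cert: apex plus a single-label wildcard, so it does NOT cover
    # multi-level names such as sub.subdomain.example.com.
    {"type": "universal", "status": "active", "hosts": ["example.com", "*.example.com"]},
    {"type": "advanced", "status": "active", "hosts": ["sub.subdomain.example.com"]},
]


def covered_by(pack_hosts, hostname):
    """True if a SAN in pack_hosts matches hostname exactly or via a
    one-label wildcard (*.example.com covers a.example.com, not a.b.example.com)."""
    for san in pack_hosts:
        if san == hostname:
            return True
        if san.startswith("*."):
            label, _, rest = hostname.partition(".")
            if label and rest == san[2:]:
                return True
    return False


def uncovered_proxied_hostnames(dns_records, packs):
    """Proxied A/AAAA/CNAME names that no active certificate pack covers."""
    active = [p.get("hosts", []) for p in packs if p.get("status") == "active"]
    proxied = sorted({r["name"] for r in dns_records
                      if r.get("proxied") and r.get("type") in ("A", "AAAA", "CNAME")})
    return [h for h in proxied if not any(covered_by(hosts, h) for hosts in active)]


def total_tls_enabled(resp):
    """Interpret the /acm/total_tls response quoted in the thread."""
    return bool(resp.get("success")) and resp.get("result", {}).get("enabled") is True


def build_order(hosts, certificate_authority="lets_encrypt", validity_days=90):
    """Body for POST /zones/{zone_id}/ssl/certificate_packs/order."""
    if not hosts:
        raise ValueError("no hostnames to order a certificate for")
    if validity_days not in (14, 30, 90, 365):  # values the API accepts
        raise ValueError("unsupported validity_days")
    return {
        "type": "advanced",
        "hosts": list(hosts),
        "validation_method": "txt",
        "validity_days": validity_days,
        "certificate_authority": certificate_authority,
        "cloudflare_branding": False,
    }


def api_call(token, path, body=None):
    """Minimal authenticated call; only used when CF_API_TOKEN/CF_ZONE_ID are set."""
    data = json.dumps(body).encode() if body is not None else None
    req = request.Request(API + path, data=data, method="POST" if body else "GET",
                          headers={"Authorization": f"Bearer {token}",
                                   "Content-Type": "application/json"})
    with request.urlopen(req, timeout=30) as r:
        return json.load(r)


if __name__ == "__main__":
    token, zone = os.environ.get("CF_API_TOKEN"), os.environ.get("CF_ZONE_ID")
    if token and zone:
        tls = api_call(token, f"/zones/{zone}/acm/total_tls")
        records = api_call(token, f"/zones/{zone}/dns_records?per_page=5000")["result"]
        packs = api_call(token, f"/zones/{zone}/ssl/certificate_packs?status=all")["result"]
    else:  # offline run on the constructed sample data
        tls, records, packs = TOTAL_TLS_RESPONSE, DNS_RECORDS, CERTIFICATE_PACKS
    print("Total TLS enabled:", total_tls_enabled(tls))
    missing = uncovered_proxied_hostnames(records, packs)
    print("Proxied hostnames without an active certificate:", missing)
    if missing:
        print("Order body:", json.dumps(build_order(missing), indent=2))
        # To place the order for real: api_call(token, f"/zones/{zone}/ssl/certificate_packs/order", build_order(missing))
```

Run it without environment variables to see the logic on the sample zone; with `CF_API_TOKEN` and `CF_ZONE_ID` set it reads the live zone but still only prints the order body, so placing the order stays a deliberate step. Because the Universal certificate's wildcard is one label deep, every multi-level name in the sample (and in the thread) only counts as covered when an advanced or Total TLS pack lists it explicitly, which is exactly the gap the thread describes.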
