My hosting company

Answer these questions to help the Community help you with Security questions.

What is the domain name? antiquescientifica.com

Have you searched for an answer? yes, on the development page and with support from the hosting team

When you tested your domain, what were the results?
https://www.sslshopper.com/ssl-checker.html?hostname=antiquescientifica.com

Describe the issue you are having:
The hosting company installed the public/private key and the chain/root certificate for Cloudflare, but it still won’t validate.

What error message or number are you receiving?
The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate.

Was the site working with SSL prior to adding it to Cloudflare? With a different SSL certificate, which had expired and was removed to add the Cloudflare shared SSL.

Have you tried from another browser and/or incognito mode? Yes, same result.

What issue could be preventing the certificate from validating? The SSL mode is currently on Full/Strict.

The hosting company is Hostway.

Welcome to the Cloudflare Community.

That is not necessary. The root certificate should not be presented by the origin server. It is already known to the Cloudflare proxy trust store.

You will not be able to validate a Cloudflare Origin CA certificate with public certificate testing tools. The Cloudflare Origin CA root is not publicly trusted, nor is it meant to be. It is intended to be trusted by the Cloudflare proxy and is used to secure traffic exclusively between your server and Cloudflare.

You do have other issues in your origin SSL configuration that you should fix, notably the insecure TLS 1.0 and 1.1 protocols that are enabled, and the aforementioned Cloudflare Origin CA root certificate that should not be served.

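The two points in the reply above, that an origin server should not send its root certificate and that a certificate from a private CA such as the Cloudflare Origin CA only verifies against a trust store that holds that CA's root, as an added shell example. This is not code from the thread or from Cloudflare: it builds its own throwaway CA with openssl, and the names "Example Private Origin CA", "Example Public Root" and example.test are made up for the demonstration. The real Cloudflare Origin CA is not used.

```shell
#!/bin/sh
# Added example, not from the thread. A toy private root stands in for the
# Cloudflare Origin CA root (not publicly trusted), a second unrelated root
# stands in for a public CA, and a leaf is issued by the private root. Two checks:
#   1. chain_has_root: does a chain file wrongly include a self-signed root?
#   2. verify_against: does the leaf verify against a given trust anchor?
# All names below are made up for this demo.
set -e
WORK=$(mktemp -d)

# Self-signed root named $1 with CN $2: subject == issuer, like any CA root.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "/CN=$2" -days 365 >/dev/null 2>&1
}

# Leaf for hostname $2, signed by the root named $1.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -out "$WORK/leaf.pem" -days 365 >/dev/null 2>&1
}

# Number of PEM certificates in a chain file.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Returns 0 if any certificate in the chain file is self-signed (subject equals
# issuer), i.e. a root that the origin server should not be sending.
chain_has_root() {
  dir=$(mktemp -d)
  # split the bundle into one file per certificate
  awk -v d="$dir" '/BEGIN CERTIFICATE/{n++} {print > (d "/part" n ".pem")}' "$1"
  found=1
  for f in "$dir"/part*.pem; do
    s=$(openssl x509 -in "$f" -noout -subject)
    i=$(openssl x509 -in "$f" -noout -issuer)
    # drop the "subject="/"issuer=" prefixes so only the DNs are compared
    if [ "${s#subject=}" = "${i#issuer=}" ]; then found=0; fi
  done
  rm -rf "$dir"
  return $found
}

# Returns 0 if the certificate in $2 chains to the trust anchor file in $1.
verify_against() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Setup: the private root, an unrelated "public" root, and the leaf.
make_ca origin_ca "Example Private Origin CA"
make_ca public_ca "Example Public Root"
make_leaf origin_ca example.test

# What was installed (leaf + root) versus what the origin should serve (leaf only).
cat "$WORK/leaf.pem" "$WORK/origin_ca.pem" > "$WORK/chain_with_root.pem"
cp "$WORK/leaf.pem" "$WORK/chain_correct.pem"

if chain_has_root "$WORK/chain_with_root.pem"; then
  echo "chain_with_root.pem: contains a self-signed root; remove it from the served chain"
fi
if verify_against "$WORK/origin_ca.pem" "$WORK/leaf.pem"; then
  echo "leaf verifies against the private root (what the Cloudflare proxy's trust store does)"
fi
if ! verify_against "$WORK/public_ca.pem" "$WORK/leaf.pem"; then
  echo "leaf does NOT verify against an unrelated public root (what a public checker sees)"
fi
```

To run chain_has_root against a live origin rather than the toy files, capture the chain the server actually sends with `openssl s_client -connect ORIGIN_IP:443 -servername your.hostname -showcerts </dev/null`, save the PEM blocks to a file and pass that file to the function. A self-signed entry in that output is the root that should be removed from the server's chain file.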

So, the Cloudflare Origin CA root certificate should be removed? I don’t understand why it’s not showing as secured.

I changed the Minimum TLS Version to 1.3

What should I do to get this active? I’ve changed or altered the SSL settings in every possible way, but nothing seems to validate it.

Please define what you mean by

Remember that the Cloudflare Origin CA certificate is only recognized by the Cloudflare proxy. This means that Unknown Issuer warnings are expected when you have Cloudflare paused or set to :grey: DNS Only.

Yes. You should never send the root to the client. The client needs to have the root in its trust store. Sending it is wasteful and unnecessary.

You might want to also allow TLS 1.2. It is still secure, and you may have visitors that cannot use TLS 1.3.

The test results I shared indicated that your site was secured. What makes you think it is not?

If you look at https://www.sslshopper.com/ssl-checker.html?hostname=antiquescientifica.com

you’ll see there is a break in the chain. It’s showing as not fully secured, and that the certificate is not valid, with the error:

The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.

I changed the TLS to support 1.2, and I’ll instruct support to remove the root chain certificate, but they insist they need it. I just need the site to go green.

The Cloudflare Origin CA certificate is not a publicly trusted certificate and will always display that trust error. To make sure that your visitors do not see any error, you need to make sure that the hostname is set to :orange: Proxied in your Cloudflare dashboard DNS app.


The root certificate has been removed, and all the A records are proxied. I’ve even unproxied and then proxied again to reset. The MX records show the exclamation error saying the records expose the IP of the proxied IP addresses.

What am I doing wrong here? I’m missing something. Everything looks like it is set the way it should be, but it’s still not showing as a valid certificate.

Side note: after looking, maybe this is an issue?

This is what I gave the hosting company:

Origin Certificates

Generate a free TLS certificate signed by Cloudflare to install on your origin server.

Origin Certificates are only valid for encryption between Cloudflare and your origin server.

This is installed on the server. Is this the problem?

As long as you have your mailserver on the same IP as your proxied website, that notice will be present. It is an informative message, not a critical warning.

No. That is where the Cloudflare Origin CA certificate is intended to be installed.

You might have mentioned that your domain is not active in Cloudflare. That’s the underlying cause of your problem.

whois antiquescientifica.com
...
Registrar: Register.com, Inc.
...
Name Server: A.DNS.HOSTWAY.NET
Name Server: B.DNS.HOSTWAY.NET

You need to replace those Hostway nameservers at your registrar with the two assigned in your Cloudflare dashboard DNS app.


Ok, let me repost my last reply.

Maybe I had the name servers wrong.

So we have Register.com as the domain provider,
Hostway as the hosting site,
and then Cloudflare as the DNS provider.

So I need to put the Cloudflare NS on Register. Where do the Hostway nameservers go? On Cloudflare, correct?

They go nowhere. You do not use them.

Ok, updated. Register has the CF NS. When I log in to Hostway there is a section for NS there as well; currently listed are the Hostway NS. Do I just remove the NS or replace them with the CF NS there as well? If I do that, how do CF and Register know where the website is being hosted if it’s not being pointed at Hostway?

I have never used Hostway, and their documentation is slightly unusual. I don’t know why you would need to enter your Cloudflare nameservers in their panel. This page sounds like they may expect it, but lacks sufficient clarity.

Register doesn’t and has no need to. That is not part of its role. It just tells the root nameservers what nameservers know about your domain. Those are now set to be the Cloudflare nameservers, and they will know where your website is because you will create the necessary DNS records with that information.

Appreciate your time. I’ve made so many different changes and swapped so many different settings, but something I recently did with your suggestions has no doubt solved the problem, because I’m getting the “site secured” and a valid certificate response.

Thank You.
