My SSL won't work and the site now throws errors

Ever since I moved my site to a new host and got my own Cloudflare account things have not been right. I got my DNS zone files and made sure my CF settings were the same as my previous designer’s. I have connected everything and it was working fine for 3 days. Now, for a bunch of people, the site shows this error:

Error 1000 Ray ID: 5053a01fef3982e3 • 2019-08-12 15:54:01 UTC

DNS points to prohibited IP
Although some people can see the site just fine.
Also it shows as insecure even though it says my Universal SSL is fine in the settings. What is going on? Can anyone help? I have tried all sorts of things with no luck.

My support ticket is 1732945.

I created a lot of sites way before I became a breeder. What I usually do when I move hosting is delete the site in Cloudflare, go to the domain name registrar, and change the name servers to the ones from the new hosting provider.

Wait for it to re-propagate using the new hosting IP address. You can also check free DNS lookup tools out there to know if the propagation is complete, because sometimes your browser is slow to clear cache and cookies. Hence I wait for 24 hrs, or I reset my router and flush DNS.

So once the site is working under the new hosting servers, then I re-add the site in my Cloudflare account. This time, Cloudflare will sniff the new hosting’s IP addresses.

There’s probably too much conflict going with the migration. It’s best to start from scratch than trying to debug it. If you’re not that tech savvy or if you don’t mind waiting for the support, then my above suggestion will work.

ETA: Btw, I forgot to ask, what CMS platform are you using?

Yes we did that. I actually just got off of Chat with Siteground and it appears we fixed the issue. Somehow when I uploaded the DNS files our designer sent me it put too much info in the records so I deleted some things and it seems to have cleared the issue. They also added a change to my htaccess file so the SSL would work properly. I am using WordPress. Thanks so much for the feedback. If we have more problems I may do what you suggested and try to start over from scratch.

Also one last thing maybe you have insight into - there is one more issue to solve with the https://www. version of the site vs. the https://crcfored.com/. If they go to this version there are no issues. Is there a way for me to fix this in Cloudflare or is this another hosting issue?

Here are my DNS settings - could it be something here?

Hi @simone4,

The 1000 error you mentioned generally occurs when the IP address in your DNS records is a Cloudflare IP address. This should not be the case and it should point to your server’s IP.

The 4 AAAA records at the top of your screenshot all point to Cloudflare IPs and should be removed (or replaced with your server’s IPv6 if they are supposed to be).

The A record for www pointing to the 104. IP address should probably point to the same 35. address that your other records point to.

OK I changed the A record for the www and that solved the problem. My host told me to leave the AAAA

They told you to leave the AAAA pointing to those addresses?

Yes. They did not seem to see those as an issue. Those were set up by our previous designer.

That’s a bit odd!

$ whois 2606:4700:30::681f:5ab2

NetRange:       2606:4700:: - 2606:4700:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
CIDR:           2606:4700::/32
NetName:        CloudflareNET
NetHandle:      NET6-2606-4700-1
Parent:         NET6-2600 (NET6-2600-1)
NetType:        Direct Allocation
OriginAS:       AS13335
Organization:   Cloudflare, Inc. (CLOUD14)
RegDate:        2011-11-01
Updated:        2017-02-17
Comment:        All Cloudflare abuse reporting can be done via https://www.Cloudflare.com/abuse
Ref:            https://rdap.arin.net/registry/ip/2606:4700::



OrgName:        Cloudflare, Inc.
OrgId:          CLOUD14

$ whois 2606:4700:30::681f:5bb2

NetRange:       2606:4700:: - 2606:4700:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
CIDR:           2606:4700::/32
NetName:        CloudflareNET
NetHandle:      NET6-2606-4700-1
Parent:         NET6-2600 (NET6-2600-1)
NetType:        Direct Allocation
OriginAS:       AS13335
Organization:   Cloudflare, Inc. (CLOUD14)
RegDate:        2011-11-01
Updated:        2017-02-17
Comment:        All Cloudflare abuse reporting can be done via https://www.Cloudflare.com/abuse
Ref:            https://rdap.arin.net/registry/ip/2606:4700::



OrgName:        Cloudflare, Inc.
OrgId:          CLOUD14

Those 2 IP addresses both show as Cloudflare’s. This means that a DNS record set in Cloudflare pointing there cannot work. What reason do they give for leaving them there?

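The check described in the replies above, as an added example that is not part of the original posts: it scans a BIND-style zone export like the one shared in this thread and flags A/AAAA records whose target falls inside a Cloudflare range. The range list is a subset of Cloudflare's published ranges and should be refreshed from https://www.cloudflare.com/ips/; the function names are hypothetical, and the `104.16.0.1` address is constructed because the thread only gives "104.".

```python
import ipaddress

# Assumption: a subset of Cloudflare's published ranges, not the full list.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "2606:4700::/32",   # the CIDR shown in the whois output in this thread
    "104.16.0.0/13",
    "104.24.0.0/14",
    "172.64.0.0/13",
)]

# Constructed sample in the same layout as the zone export posted in the thread.
SAMPLE_ZONE = """\
;; A Records
crcfored.com. 1 IN A 216.59.36.215
www.crcfored.com. 1 IN A 104.16.0.1
;; AAAA Records
crcfored.com. 1 IN AAAA 2606:4700:30::681f:5ab2
crcfored.com. 1 IN AAAA 2606:4700:30::681f:5bb2
;; MX Records
crcfored.com. 1 IN MX 10 aspmx.l.google.com.
"""

def parse_address_records(zone_text):
    """Yield (name, rtype, ip) for every A/AAAA line; skip everything else."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop ';;' comment lines
        fields = line.split()
        if len(fields) != 5 or fields[2].upper() != "IN":
            continue                              # MX, SOA, TXT, blank lines
        name, _ttl, _cls, rtype, value = fields
        if rtype.upper() not in ("A", "AAAA"):
            continue
        try:
            yield name, rtype.upper(), ipaddress.ip_address(value)
        except ValueError:
            continue                              # not a literal IP address

def find_prohibited(zone_text, nets=CLOUDFLARE_NETS):
    """Return (name, type, ip, matching_range) for records inside Cloudflare space."""
    hits = []
    for name, rtype, ip in parse_address_records(zone_text):
        match = next((n for n in nets if n.version == ip.version and ip in n), None)
        if match is not None:
            hits.append((name, rtype, str(ip), str(match)))
    return hits

if __name__ == "__main__":
    for hit in find_prohibited(SAMPLE_ZONE):
        print("points at Cloudflare address space:", *hit)
```

Records it reports are the ones to delete or repoint at the origin server before importing the zone into a new Cloudflare account.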

They did not give one, they just said those were not the issue.

Personally, I would think that they could cause issues - for some users at least.

Can you share what the AAAA records are? I have never had those set up before - the previous web design team was using Cloudflare and then asked us to set up our own account. We uploaded the DNS files (TXT files) and some info populated but the account also auto detected some things when I set it up. I def did not add these myself.

Here is what the TXT file has inside (are the AAAA the same as the “SOA” records?):

;; SOA Record
crcfored.com. 3600 IN SOA crcfored.com. root.crcfored.com. 2031565125 7200 3600 86400 3600

;; A Records
crcfored.com. 1 IN A 216.59.36.215

;; CNAME Records
www.crcfored.com. 1 IN CNAME crcfored.com.

;; MX Records
crcfored.com. 1 IN MX 50 aspmx3.googlemail.com.
crcfored.com. 1 IN MX 40 aspmx2.googlemail.com.
crcfored.com. 1 IN MX 30 alt2.aspmx.l.google.com.
crcfored.com. 1 IN MX 20 alt1.aspmx.l.google.com.
crcfored.com. 1 IN MX 10 aspmx.l.google.com.

;; TXT Records
crcfored.com. 1 IN TXT "v=spf1 include:crcfored.com ~all"
crcfored.com. 1 IN TXT "google-site-verification=rXWzi_sM71ijTgrBMV6uK6fU8i0Wq2nwAXxbhvk5EZk"

Like your A records that point to your server’s IP address (IPv4), AAAA records are pretty much the same but for IPv6 addresses.

If they were auto-detected, was the domain moved from another Cloudflare account to yours, at all? This is the only way I can think that they would end up there. A domain should never point to these addresses as they are Cloudflare’s addresses. When a domain is proxied through Cloudflare (orange cloud), it may resolve to these Cloudflare addresses - this is pretty much the only time they should be seen.

The SOA record is auto-created by Cloudflare and is unrelated to your AAAA records.


Yes the previous design team had us in their Cloudflare account and then asked us to get our own. They gave us DNS zone files to upload. So I should delete all of the AAAA records? How do I know if my host has an IPv6 address? We are with Siteground now.

Have you resolved this issue, @simone4?


If they haven’t given you one, they probably don’t! You could check with them, but deleting them shouldn’t cause an issue and would be what I would recommend.

Yes the SSL is now resolved I believe.