Need Help Setting up Strict SSL

bdkalkun · March 19, 2021, 4:26pm

Hi

i know there’s already documentation pages covering on how to set up full strict SSL , it just it seems I cannot get it to work properly …i still getting certificate error

Warning: Potential Security Risk Ahead

this is a screenshot from my panel setting and cloudflare dashboard

on my domain panel, there’s 3 form to fill

certificate(CRT)
Private Key (KEY)
Certificate Authority Bundle (CABUNDLE)

i also read that I need to paste Cloudflare Origin CA root certificates

can someone help me pointing out where should I paste the certificate generated from cloudflare?

thanks

erictung · March 19, 2021, 4:27am

Where did you see this message? Firefox?

bdkalkun · March 19, 2021, 4:34am

yes firefox…haven’t tried with other browser

erictung · March 19, 2021, 4:51am

Did you enable proxy for your website?

If yes, your DNS resolver might still resolving to your server IP address (you should get Cloudflare IP address starting with 104.x.x.x)

Try switch to another DNS resolver like 1.1.1.1 or 8.8.8.8?

bdkalkun · March 19, 2021, 5:56am

i did here’s my configuration

…do you think that the issue (my isp dns resolver)?

but i isnt it about connection between cloudflare to my hosting?
my problem is ssl instalation

erictung · March 19, 2021, 5:58am

Yes.

If you already proxied the subdomain, you shouldn’t see the “Warning: Potential Security Risk Ahead” error in Firefox. The most common cause of this issue is because your ISP DNS resolver still resolving to your server IP address, which leads to your browser seeing the Cloudflare Origin Certificate, which is only trusted by Cloudflare itself, but not user’s browser.

bdkalkun · March 19, 2021, 6:14am

ah ok then…i switch using proxy server

Request 
> GET / HTTP/1.1
> Host: mydomain.com
> User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Response 
< HTTP/1.1 301 Moved Permanently
< Date: Fri, 19 Mar 2021 05:59:08 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=dca5f62c49ad7d7; expires=Sun, 18-Apr-21 05:59:08 GMT; path=/; domain=.mydomain.com; HttpOnly; SameSite=Lax
< Location: https://www.mydomain.com/
< X-Turbo-Charged-By: LiteSpeed
< CF-Cache-Status: DYNAMIC
< cf-request-id: 08eaaa00f0000
< Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=45bYLhzYywkGKi4DdkkrhCHlvelY%3D"}],"max_age":604800}
< NEL: {"report_to":"cf-nel","max_age":604800}
< X-Content-Type-Options: nosniff
< Server: cloudflare
< CF-RAY: 63247914bb420256-SJC
< alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Request 
> GET / HTTP/1.1
> Host: mydomain.com
> User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Response 
< HTTP/1.1 525 Origin SSL Handshake Error
< Date: Fri, 19 Mar 2021 05:59:09 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=d2df2fe0e340de22; expires=Sun, 18-Apr-21 05:59:08 GMT; path=/; domain=.mydomain.com; HttpOnly; SameSite=Lax
< Cache-Control: no-store, no-cache
< cf-request-id: 08eaaa02a100003aebd213d000000001
< Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=f3vHjFbu%2FM%2BwO}],"group":"cf-nel","max_age":604800}
< NEL: {"max_age":604800,"report_to":"cf-nel"}
< Strict-Transport-Security: max-age=0; preload
< X-Content-Type-Options: nosniff
< Server: cloudflare
< CF-RAY: 63247-SJC
< alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400

i removed the certificate from my hosting panel earlier , please correct me if step that i did is wrong

from my cloudflare dashboard >>SSL/TLS>>ORIGIN SERVER

i Got

Origin Certificate
Private Key

Where should I paste this certificate on my hosting panel ? it has 3 form

```
certificate(CRT)
```
```
Private Key (KEY)
```
```
Certificate Authority Bundle (CABUNDLE)
```

erictung · March 19, 2021, 6:25am

This should be pretty straightforward. Paste the Origin Certificate into Certificate section, paste Private Key into Private Key section.

Usually this is not required. But if your hosting provider requires it, just combine both origin certificates and root certificates into one. It should be something like this:

-----BEGIN CERTIFICATE-----
PASTE YOUR ORIGIN CERT HERE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PASTE THE CLOUDFLARE ROOT CERT HERE
-----END CERTIFICATE-----

bdkalkun · March 19, 2021, 6:50am

-----BEGIN CERTIFICATE-----
PASTE YOUR ORIGIN CERT HERE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PASTE THE CLOUDFLARE ROOT CERT HERE
-----END CERTIFICATE-----

Thank you , what I did ( with empty Certificate Authority Bundle (CABUNDLE)) , activate strict SSL options, purge the cache options on cloudflare dashboard

still got but its normal since the certificate just installed just now
HTTP/1.1 525 Origin SSL Handshake Error

now i’ll wait for hour or more just to be sure

thank you eric for you help, I’ll update the result later

erictung · March 19, 2021, 8:05am

Can you try the following solutions: