Need Help Setting up Strict SSL

Hi

I know there are already documentation pages covering how to set up Full (strict) SSL, it's just that I cannot get it to work properly... I'm still getting a certificate error:

Warning: Potential Security Risk Ahead

This is a screenshot from my panel settings and Cloudflare dashboard.

On my domain panel, there are 3 forms to fill:

  • certificate(CRT)
  • Private Key (KEY)
  • Certificate Authority Bundle (CABUNDLE)

I also read that I need to paste the Cloudflare Origin CA root certificates.

Can someone help me by pointing out where I should paste the certificate generated from Cloudflare?

Thanks

Where did you see this message? Firefox?

Yes, Firefox... haven't tried with other browsers.

Did you enable proxy for your website?

If yes, your DNS resolver might still be resolving to your server IP address (you should get a Cloudflare IP address starting with 104.x.x.x).

Try switching to another DNS resolver like 1.1.1.1 or 8.8.8.8?

I did, here's my configuration.

...do you think that is the issue (my ISP DNS resolver)?

But isn't it about the connection between Cloudflare and my hosting?
My problem is the SSL installation.

Yes.

If you have already proxied the subdomain, you shouldn't see the "Warning: Potential Security Risk Ahead" error in Firefox. The most common cause of this issue is that your ISP's DNS resolver is still resolving to your server IP address, which leads to your browser seeing the Cloudflare Origin Certificate, which is only trusted by Cloudflare itself, not by users' browsers.

Ah, OK then... I switched to using a proxy server.

Request 
> GET / HTTP/1.1
> Host: mydomain.com
> User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Response 
< HTTP/1.1 301 Moved Permanently
< Date: Fri, 19 Mar 2021 05:59:08 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=dca5f62c49ad7d7; expires=Sun, 18-Apr-21 05:59:08 GMT; path=/; domain=.mydomain.com; HttpOnly; SameSite=Lax
< Location: https://www.mydomain.com/
< X-Turbo-Charged-By: LiteSpeed
< CF-Cache-Status: DYNAMIC
< cf-request-id: 08eaaa00f0000
< Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=45bYLhzYywkGKi4DdkkrhCHlvelY%3D"}],"max_age":604800}
< NEL: {"report_to":"cf-nel","max_age":604800}
< X-Content-Type-Options: nosniff
< Server: cloudflare
< CF-RAY: 63247914bb420256-SJC
< alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Request 
> GET / HTTP/1.1
> Host: mydomain.com
> User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Response 
< HTTP/1.1 525 Origin SSL Handshake Error
< Date: Fri, 19 Mar 2021 05:59:09 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=d2df2fe0e340de22; expires=Sun, 18-Apr-21 05:59:08 GMT; path=/; domain=.mydomain.com; HttpOnly; SameSite=Lax
< Cache-Control: no-store, no-cache
< cf-request-id: 08eaaa02a100003aebd213d000000001
< Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=f3vHjFbu%2FM%2BwO}],"group":"cf-nel","max_age":604800}
< NEL: {"max_age":604800,"report_to":"cf-nel"}
< Strict-Transport-Security: max-age=0; preload
< X-Content-Type-Options: nosniff
< Server: cloudflare
< CF-RAY: 63247-SJC
< alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400

I removed the certificate from my hosting panel earlier; please correct me if the step I did is wrong.

From my Cloudflare dashboard >> SSL/TLS >> Origin Server

I got:

  • Origin Certificate
  • Private Key

Where should I paste this certificate on my hosting panel? It has 3 forms:

  • certificate(CRT)
  • Private Key (KEY)
  • Certificate Authority Bundle (CABUNDLE)

This should be pretty straightforward. Paste the Origin Certificate into the Certificate section and the Private Key into the Private Key section.

Usually this is not required. But if your hosting provider requires it, just combine both the origin certificate and the root certificate into one. It should be something like this:

-----BEGIN CERTIFICATE-----
PASTE YOUR ORIGIN CERT HERE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PASTE THE CLOUDFLARE ROOT CERT HERE
-----END CERTIFICATE-----

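As an added example (not code from the thread or from Cloudflare), the following assembles the CABUNDLE text in the order the reply above shows, origin certificate first and root certificate second, and validates each block before it is pasted. It uses only the Python standard library, so it checks the PEM framing, strict base64 and the leading DER SEQUENCE tag that every X.509 certificate has; it does not cryptographically verify that the root signed the origin certificate (use `openssl verify -CAfile root.pem origin.pem` for that). The two certificates embedded at the bottom are constructed stand-ins, not real certificates, and the placeholder text from the reply is used to show what a mistaken paste looks like.

```python
import base64
import binascii
import re
import textwrap

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def certificate_body_to_der(body):
    """Strictly decode the base64 between the markers and sanity-check it is DER.

    Rejects the placeholder text ("PASTE YOUR ORIGIN CERT HERE") and any block that
    does not start with the ASN.1 SEQUENCE tag (0x30) every X.509 certificate has.
    """
    compact = "".join(body.split())
    try:
        der = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded bytes do not start with a DER SEQUENCE")
    return der


def pem_from_der(der):
    """Re-encode DER as canonical PEM with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n-----END CERTIFICATE-----"


def split_pem_certificates(text):
    """Return every CERTIFICATE block in the text, validated and normalised."""
    return [pem_from_der(certificate_body_to_der(body)) for body in PEM_BLOCK.findall(text)]


def build_ca_bundle(origin_cert_pem, root_cert_pem):
    """Produce the CABUNDLE text: the origin certificate first, then the root.

    Order matters: the server sends the chain in file order, and the first block
    must be the certificate that matches the private key pasted into the KEY form.
    """
    origin = split_pem_certificates(origin_cert_pem)
    root = split_pem_certificates(root_cert_pem)
    if len(origin) != 1 or len(root) != 1:
        raise ValueError("expected exactly one certificate in each input")
    return origin[0] + "\n" + root[0] + "\n"


# Constructed stand-ins: minimal DER SEQUENCEs, not real certificates.
FAKE_ORIGIN_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
FAKE_ROOT_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x02])
FAKE_ORIGIN_PEM = pem_from_der(FAKE_ORIGIN_DER)
FAKE_ROOT_PEM = pem_from_der(FAKE_ROOT_DER)

# The literal placeholder from the reply, pasted as if it were a certificate.
PLACEHOLDER = "-----BEGIN CERTIFICATE-----\nPASTE YOUR ORIGIN CERT HERE\n-----END CERTIFICATE-----"

if __name__ == "__main__":
    print(build_ca_bundle(FAKE_ORIGIN_PEM, FAKE_ROOT_PEM))
    try:
        build_ca_bundle(PLACEHOLDER, FAKE_ROOT_PEM)
    except ValueError as exc:
        print("placeholder rejected:", exc)
```

In practice you would read the two dashboard downloads from files and write the returned string into the CABUNDLE form; the validation step catches the common mistakes of pasting the placeholder text, a truncated copy, or the private key into the certificate field.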

Thank you. What I did (with an empty Certificate Authority Bundle (CABUNDLE)): activated the strict SSL option and purged the cache on the Cloudflare dashboard.

Still got this, but it's normal since the certificate was installed just now:
HTTP/1.1 525 Origin SSL Handshake Error

Now I'll wait an hour or more just to be sure.

Thank you Eric for your help, I'll update with the result later.

Can you try the following solutions:
