Please share your search results url:
This seems kinda related:
When you tested your domain, what were the results?
Access via the browser is secured, Outlook causes problems
Describe the issue you are having:
Yesterday everything went smoothly, this morning I wanted to check my mail in Outlook and was told that the Cloudflare Origin CA is not trusted
What error message or number are you receiving?
A certificate chain was processed but ended with a root certificate that is not trusted by the provider
What steps have you taken to resolve the issue?
Reassigned the certificate
Created a new LetsEncrypt certificate to handle the mail services.
Checked the validity date of the Cloudflare certificate
Was the site working with SSL prior to adding it to Cloudflare?
Everything worked until this morning, no changes were made, the error came out of nowhere
What are the steps to reproduce the error:
Open Outlook
Wait until Outlook tries to retrieve the mails from the server
Have you tried from another browser and/or incognito mode?
This is not a browser problem.
Please attach a screenshot of the error:
I have attached a few screenshots showing my configuration.
For the mail services etc. the “R3” certificate is used, so LetsEncrypt.
The error still occurs though. I’m just wondering how this can happen so abruptly, as there was no problem at all yesterday, and definitely none of the certificates have expired; no configurations have changed in Cloudflare or on the mail server either.
I would understand the current behavior if any configuration or similar had changed, but that the Cloudflare Cert is simply classified as untrusted from one day to the next, I find strange, especially since on our part definitely no changes were made to the configuration, neither on the server nor in Cloudflare.
I have just removed the Origin certificate from the server and switched everything to the R3 certificate.
I can report that everything is now working as expected!
Since you mentioned this earlier, do you maybe know a way to automate this process, since I don’t really want the certificate to be dependent on a person that changes it after it expires?
I know LetsEncrypt has a renew feature, but how can I make this work with Cloudflare, since I currently need to pause Cloudflare on my site every time I re-issue the cert?
The ACME HTTP-01 challenge works by providing a file that you need to make available under http://example.com/.well-known/acme-challenge/<filename>.
LetsEncrypt will then try to download the file. If they find it, that serves as proof that you control that particular (sub)domain and they will issue you a certificate for it.
Cloudflare interferes in that process in many different ways, and you have to basically disable all Cloudflare features for that path. You can do this with a Configuration Rule. I haven’t tried it personally as I use the DNS challenge (certbot with certbot-dns-cloudflare plugin), but that only really works if you have root access to the system or they provide an API to update the certificate.
The Configuration Rule should probably look like this:
Custom filter expression
URI Path starts with /.well-known/acme-challenge/
Then settings are…
Automatic HTTPS Rewrites off
Browser Integrity Check off
Security Level Essentially Off
SSL off
If you use Caching, you also need to make sure that this path is excluded.
That should probably be enough, though I could give it a try tomorrow. But you should then be able to use the built-in LetsEncrypt auto-renewal of your panel.
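The DNS challenge route mentioned above (certbot with the certbot-dns-cloudflare plugin) is the one that does not touch the proxied HTTP path at all, so Cloudflare never has to be paused for a renewal. The script below is an added example and is not code from this thread or from Cloudflare or certbot; it assumes certbot and the certbot-dns-cloudflare plugin are installed, that the token is a Cloudflare API token scoped to only Zone:DNS:Edit on the one zone (not the account-wide Global API Key), and that the mail services reload with a command you substitute for the placeholder in `RELOAD_MAIL_CMD`. The host names and paths are placeholders.

```shell
#!/bin/sh
# Added example: unattended LetsEncrypt renewal via the DNS-01 challenge with
# certbot-dns-cloudflare, so the Cloudflare proxy stays enabled throughout.
# Placeholders (assumed, not from the thread): the hostnames, the credentials
# path and the reload command used as the deploy hook.

CF_CREDS="/etc/letsencrypt/cloudflare.ini"              # placeholder path
RELOAD_MAIL_CMD="systemctl reload postfix dovecot"      # placeholder; adjust to your MTA/IMAP

# Write the plugin's credentials file so only root can read it. The token in it
# can edit DNS for the zone, so it must never be world-readable; certbot itself
# refuses to use a credentials file with loose permissions.
write_cf_credentials() {
    file="$1"; token="$2"
    # umask inside a subshell keeps the restrictive mask from leaking into the caller
    ( umask 077; printf 'dns_cloudflare_api_token = %s\n' "$token" > "$file" )
    chmod 600 "$file"
}

# Build the certbot command for the listed names (e.g. the IMAP/SMTP host and the
# MX name). Printed rather than executed so it can be reviewed before the first run.
# --keep-until-expiring makes the same command safe to run from cron/systemd daily.
certbot_dns01_cmd() {
    creds="$1"; shift
    cmd="certbot certonly --dns-cloudflare"
    cmd="$cmd --dns-cloudflare-credentials $creds"
    cmd="$cmd --dns-cloudflare-propagation-seconds 30"
    cmd="$cmd --non-interactive --agree-tos --keep-until-expiring"
    cmd="$cmd --deploy-hook \"$RELOAD_MAIL_CMD\""
    for name in "$@"; do
        cmd="$cmd -d $name"
    done
    printf '%s\n' "$cmd"
}

# Stand-alone usage: write the credentials once, then run the printed command
# (or put it in a daily cron job / systemd timer). Token value is a placeholder.
if [ "${1:-}" = "--run" ]; then
    write_cf_credentials "$CF_CREDS" "REPLACE_WITH_SCOPED_API_TOKEN"
    sh -c "$(certbot_dns01_cmd "$CF_CREDS" mail.example.com)"
fi
```

Because the challenge is answered by a TXT record that certbot creates and removes through the API, the renewal works no matter which Cloudflare settings (SSL mode, Always Use HTTPS, caching, security level) apply to the site, which is the Configuration Rule problem of the HTTP-01 route. The deploy hook runs only after a successful issuance, so the mail daemons pick up the new R3-signed chain without anyone logging in.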