Hi there. I set up a free Cloudflare cert for a really old barely used website that’s about to get revamped at hvpower dot net. If I’m honest I’m more than a little out of my depth here trying to do a favour for my brother.
One browser ‘Brave’ loads a blank page but says the site is secure. Firefox defaults to http after clearing its cache. If I force it to https I get various error messages including cert not valid, elements in the page aren’t secure, or same as Brave, a blank page that’s secure.
I ran the diags and it says there’s various errors with the DNS records. DNSSEC isn’t on and ‘the hostname has no DS records’. The MX record throws an error I assume because email is taken care of by the web hosting service.
The SSL Checker at sslshopper gives the site all green ticks but strangely says the cert is issued by Let’s Encrypt.
I’m hoping that maybe somebody out there knows what rookie errors I’m making because I’ve spent a few hours trying to figure it out and get my head around stuff I never heard of and I’m still none the wiser about how to get things working.
Your site is redirecting to HTTPS, and then loading a frameset that tries to load two other sites insecurely over regular HTTP, which is going to cause security errors. If the browser actually tries to load it anyway, the first of those two URLs then returns a 404 Not Found error.
Basically, nothing about it is right and you probably need to take a step back and start over from the beginning and get the site working before you try to put Cloudflare in front of it. Disable Cloudflare and make the site work without it, and once it’s working with HTTPS without Cloudflare, you can enable Cloudflare and it should Just Work.
Hello there, thanks for taking the time to be helpful.
Thing is that the site is old and ugly and built with skills from the 1990s but it was up and running for over 10 years before the Cloudflare cert went up.
There’s also a ‘sister’ site to it built in pretty much the same crappy way and that is up and running fine with a Cloudflare cert that’s issued by Cloudflare.
I really don’t know where the frameset might be coming from or what other sites it might be trying to load? There is no or tag anywhere in the HTML if that’s what you mean by that.
Search “http:\” (0 hits in 0 files of 43 searched)
Search “frame” (0 hits in 0 files of 43 searched)
Search “frameset” (0 hits in 0 files of 43 searched)
Do you have the URLs that it’s trying to call? The contact page has an embedded Google map and a mailto php script so I disabled that page in case it’s the site calling that that’s the problem. There’s also a subdomain set up on that domain but disabling it doesn’t seem to have done anything and I’d imagined it would be secured by the same certificate in any case. I’m kind of grasping at straws with that possibly.
The site is currently getting remade but I’d like to figure out exactly what’s going on here for the sake of the knowledge and for future reference. Any additional pointers would be very welcome. The hosting package is ‘Shared Linux NG Migrated’ if that makes any difference to anything.
Just to add, when I check SSL Checker the security certificate on the domain from ‘Let’s Encrypt’ apparently has nothing to do with Cloudflare but the ‘sister’ site that is working is Cloudflare all the way down. Not sure what’s going on there. Thanks.
The SSL is fine. That’s not the issue, at least not yet.
When I load the site, this is the HTML that is returned:
```html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">
<html lang="en">
<head>
<title>hvpower.net is currently registered.</title>
</head>
<frameset rows="45, *">
<frame src="http://www.blacknight.ie/holding_page.php" scrolling="no" noresize="noresize" frameborder="0">
<frame src="http://www.sedoparking.com/search/registrar.php?registrar=blacknightregpark&domain=hvpower.net" frameborder="0">
<noframes>
<body>
<p>This site uses frames. If your browser does not support frames then click below to visit our website:<br>
<a href="http://www.sedoparking.com/search/registrar.php?registrar=blacknightregpark&domain=hvpower.net">hvpower.net</a></p>
</body>
</noframes>
</frameset>
</html>
```
It’s trying to load two sites in frames, both over insecure HTTP. That’s going to cause errors. And, if the browser ignores that error, the first site it’s trying to load returns a 404 error.
You are not even ready to be enabling Cloudflare on this site. This site is not working. What you need to do is make the site work, over HTTPS, and then you can enable Cloudflare on it.
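The mixed-content problem described in this reply, as an added example that is not part of the original thread: a Python check that lists the `http://` subresources of a page served over HTTPS, run here on an abridged copy of the holding page quoted above. The function and class names are illustrative, and the element table is a subset of what browsers treat as subresources.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose URL attribute makes the browser fetch a subresource (subset).
# <a href> is navigation, not a subresource, so it is deliberately absent.
FETCHING = {"frame": "src", "iframe": "src", "script": "src", "img": "src",
            "audio": "src", "video": "src", "source": "src", "embed": "src",
            "object": "data"}
# Browsers refuse these on an HTTPS page; images and media are only
# upgraded or warned about.
BLOCKABLE = {"frame", "iframe", "script", "embed", "object"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute_url, "blockable" | "upgradable")

    def handle_starttag(self, tag, attrs):
        attr = FETCHING.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        absolute = urljoin(self.page_url, url)  # resolve relative references
        if urlsplit(absolute).scheme == "http":
            kind = "blockable" if tag in BLOCKABLE else "upgradable"
            self.findings.append((tag, absolute, kind))

def find_mixed_content(page_url, html):
    """Return http:// subresources referenced by a page served over https://."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on a secure page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Abridged copy of the holding page quoted in the thread (attributes trimmed).
HOLDING_PAGE = """<html><head><title>hvpower.net is currently registered.</title></head>
<frameset rows="45, *">
<frame src="http://www.blacknight.ie/holding_page.php" scrolling="no">
<frame src="http://www.sedoparking.com/search/registrar.php?registrar=blacknightregpark&domain=hvpower.net">
<noframes><body><a href="http://www.sedoparking.com/search/registrar.php">hvpower.net</a></body></noframes>
</frameset></html>"""

if __name__ == "__main__":
    for tag, url, kind in find_mixed_content("https://hvpower.net/", HOLDING_PAGE):
        print(f"{kind:10} <{tag}> {url}")
```

Both frames are reported as blockable, which matches the blank but "secure" page seen in Brave and Firefox: the outer document loads over HTTPS and the browser refuses the insecure frames inside it.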
Thank you. That’s really not my index page and nothing in my HTML is calling it, I don’t know where it’s coming from or why other than that Blacknight are hosts for the site. It’s apparently a holding page for the domain saying the domain is registered. I’m kind of baffled. Do you think it’s possible that perhaps Blacknight have some kind of configuration error that showed up when I switched from their nameservers? Thanks.
The site is using Cloudflare. If you think nothing in your HTML is calling that, then you have bigger problems.
When I go to your site, that is the HTML that is being delivered. That is what the origin server is sending. That’s your problem. There is nothing wrong with your Cloudflare configuration. The problem is with the site. You need to completely disable Cloudflare and make the site work. Once the site works over HTTPS, you can flip the switch on Cloudflare and it will work.
Thank you. I did as you suggested and disabled Cloudflare and have switched back to the original nameservers. The site is working now over HTTP, at least in the UK. If you go to the site now entirely different HTML, the HTML I put there, is what’s being delivered. Do you know why my switching it to Cloudflare would cause that ‘foreign’ HTML page to be sent by the origin server? Thanks.
So, now your site is returning the same thing, but not through Cloudflare. If I load it over HTTP (insecure) it loads. Over HTTPS it returns the same thing as before but with the same errors.
Now it’s a self-signed certificate from Russia. There are sanctions in place for Russia, obviously, and one of the CAs that Cloudflare uses has Russia sanctioned. That wasn’t the problem before and it’s not the problem now but you should be aware of it.
Beyond that, your origin server is not working properly. You have disabled Cloudflare and it’s still not working. What you need to do is make the site work, over HTTPS, and then you can enable Cloudflare in front of it. Until then, there is not a lot anyone here can do for you, because the site just isn’t working.
Thanks again. Nobody connected with that website has at any point ever put any ssl cert up until a few days ago. The fact it’s from Russia is kind of ringing alarm bells. I could do with that certificate being revoked I guess.
That aside I’m kind of confused though by what you say. I didn’t think HTTPS could work until there is a certificate on the site.
Your certificate being from Russia is not the technical problem and never was, but if you are in Russia you have a whole celebration of problems to deal with.
The site is not working, even excluding Cloudflare. You need to get with the hosting provider and make the site work, before you think about putting Cloudflare in front of it. When you put Cloudflare in front of a site it needs to already work.
There are sanctions in place for Russia, for very good reasons, and that could make things more difficult. But for reasons I continue to fail to understand, Cloudflare still provides service to Russia.
But, if we get beyond that, your site is broken. The brokenness has nothing to do with Cloudflare. The hosting is broken. You need to make the site work without Cloudflare before you put Cloudflare in front of it.
Thank you. I’m in the UK, the hosting is in Ireland, nobody connected to the site set up that Russian certificate. I have no idea why it’s being presented. Seems kind of weird. I really don’t know why some unknown third party would set up a ssl cert for that domain. Seems a bit nefarious, but I don’t know what purpose somebody might do that for.
I’ve asked the hosting company to take a look and see if they can figure out what’s going on. Thanks for all your help putting me on the right track. I’ll reply back with what the hosting company have to say.
Okay good, you’re not in Russia, so I apologize for being abrupt. Seriously, I now feel like a jerk.
But there is something with the hosting of your site that is wrong. You said you were taking this over from someone and I totally understand, I am actually in the midst of that exact project as well, taking over something that no one can completely explain to me.
It’s possible that you have to just take control and not care about what already exists. Just take control of the domain and start over from scratch. There is a point when you say, as a consultant, that you’re not being paid enough for this and maybe you need to just make an executive decision. Maybe whatever is already there is going to be burned. There’s a point where continuity just isn’t worth it.
No apologies needed, it’s totally understandable and in any case you’ve been giving me great help.
The hosting company said:
"The problem can be solved by consolidating HTTP and HTTPS.
Login to your Account.
Click "Websites" (on the menu).
Click into the domain name.
Click "Website Configuration".
Click "Edit".
Tick "Consolidated HTTP/HTTPS Folder".
Click "Submit". "
So I’ve done that, they said wait five minutes for the change to kick in. So I waited and the problem now is this cert from Russia being associated with the domain. Firefox blocks the site because the cert is self issued and if I force it to go ahead anyway then the HTTPS padlock has an exclamation mark and it still says
I don’t understand how this cert can be associated with the domain when the nameservers are the ones belonging to the hosting company unless something dodgy is going on there. Do you think that perhaps the host has been hacked?
So… do you have control over this domain? Do you have access to the domain registration at Verisign?
If so, just take it over. If you can do that, Bob’s your uncle. Just transfer the registration and change the nameservers and you can start from scratch. Find new hosting and make a new website.
Thanks. I wish I could but unfortunately that’s not really an option, the hosting is already paid up for years to come by the company I’m doing the work for so I’m kind of stuck with the hosting company.
Am I right in thinking that these symptoms mean that the hosting company nameservers have been compromised, I mean am I right thinking that the Russian certificate must be being called from the host’s nameservers and that the hosting company have a problem?
I wouldn’t waste too much time focused on the self-signed certificate containing Russia in the country field. It’s a self-signed cert and can contain any country in that field. The data usually comes from a template. I have older certificates issued by my internal CA that used the neighboring large city rather than my own because that is what I had in my initial templates.
The domain odin.com present in the certificate is related to Ingram Micro’s Odin platform for managing hosted services. Just replace the certificate with one from a public CA or the Cloudflare Origin CA and you can move on.
It is also worth noting that you can pause Cloudflare without changing nameservers at your registrar.
Thanks for that, the index.php the hosts had up was what was injecting the frameset and yes their Odin was what was auto-generating the self-cert on their server and the errors in browsers. Should’ve set Cloudflare to flexible SSL apparently. I suppose if I’d paused Cloudflare I wouldn’t have to wait to find out! Thanks for the tip.