Unable to disable SSL Automatic mode with the result that Cloudflare overrides our SSL Certificate choice
What steps have you taken to resolve the issue?
I clicked the Configure button on the SSL Overview page, Selected the Custom option there, and then changed the SSL option to the one we originally selected via the API when the domain was added to Cloudflare. This domain acts purely as a redirect to another domain and is currently set to use a Flexible SSL Certificate.
Was the site working with SSL prior to adding it to Cloudflare?
No
What is the current SSL/TLS setting?
Full (strict)
What are the steps to reproduce the issue?
Create a domain via the API and attempt to set ssl_automatic_mode to custom.
My guess is that when the Nameserver issue gets resolve, Cloudflare is not only going to enable the ability to set ssl_automatic_mode, but at that time are going to default it to “automatic” (which will break things).
If you are just redirecting the SSL/TLS mode doesn’t matter since a request is not made to your origin. But to be safe, or if you use it, use only “Full (strict)” or “Strict”, other modes are not secure so don’t let automatic set it for you. You will need to ensure your origin has a valid SSL certificate and working SSL configuration.
A request is being made from Cloudflare to our origin server (where Apache does the redirect) so it does matter what sort of SSL configuration cloudflare use for the domain.
We do not want to use Full or Full Strict and want to use Flexible in this instance. However it is irrelevant want we want, the important thing is the Cloudflare’s automatic mode overrides our choice.
If the attempt to set ssl_automatic_mode to custom when the domain was first added to Cloudflare did not generate the 1012 error, there would be no problem.
Anything but “Full (strict)” or “Strict” is insecure between Cloudflare and the origin. If you are only redirecting it’s better to just do it on Cloudflare instead.
As for the error, is it showing in the bottom of the dashboard in a red bar? If so try refreshing the dashboard page, or log out of the dashboard and flush the browser cache as it may be some back end code has been updated and out of sync.
Or is it a 1012 error page?
Otherwise, if you know the mode you want, just set that. The automatic mode will try to work out which mode works best but that may not be the mode you want.
We are aware of the fact that Flexible SSL is deprecated. At present we prefer to set the redirects on our server as that gives complete flexibility using mod_rewrite in Apache.
Please note that the error is from the API.
We create all domains in our Cloudflare account using the API only and immediately set a number of options via the API (including attempting to set the ssl_automatic_mode setting to custom). It is the API which responds with the 1012 error code.
Our API code does not currently log the raw API request/response, just the fact that the error occured. We will need to add additional logging to the code and report the results when available.
For your information, this error has occurred today for the domains 1irongolf.co.uk and hayleysfunerals4u.com. Looking at each of these domains in our cloudflare account, they both currently have a status of “Invalid Nameservers” (and the Overview page shows details of what the NS records for the domain need to be changed to), and the SSL/TLS page does not show the option to toggle ssl automatic mode to off, but does show the old SSL/TLS recommender option (which is currently show as set to off
Of the domains that were added to our Cloudflare account yesterday
damriskassessments.co.uk shows as active, but the SSL/TLS page was showing that Automatic SSL/TLS was enabled, and does not show the old Recommender setting
cals.uk.net shows as invalid nameserver and the SSL/TLS page makes no mention of Automatic mode but does show the old Recommender setting (which shows as off)
samolgarhair.co.uk shows as active and the SSL/TLS page shows that Automatic mode is enabled
samolgarhair.com shows as active and the SSL/TLS pages shows the Automatic mode is enabled
hairdresseryork.co.uk shows as active with the SSL/TLS page showing Automatic mode is enabled
vendrite.co.uk shows as invalid nameservers, the SSL/TLS page makes not mention of Automatic mode, but does show the SSL/TLS Recommender
I have now manually turned off automatic mode for those domains via the control panel.
I assume you mean “the domain has to be active before you can disable automatic mode”.
That is unfortunate if true. Can Cloudflare send out any kind of webhook notification once a website is live. If so we could use that to trigger an api call to turn automatic mode off at that point. Otherwise we would have to constantly use the api to poll the domain to discover when it becomes active and only then turn off automatic mode.
I based my assumption on what you posted. There are often good security reasons why a number of Cloudflare things don’t happen until the domain has gone active, which requires the correct nameservers to be set to ensure the person adding the domain has control of it.
Without doing all the API stuff myself which I don’t have time for, or any output from the API from your end, the reasons are just an educated guess. fwiw, adding a domain to Cloudflare and then looking at the SSL/TLS options in the dashboard doesn’t show the automatic option either, so there’s obviously a reason why the domain must first become active to use automatic setting, probably to prevent requests to the origin from Cloudflare until active.
With regards to your suggestion that the ability to set ssl_automatic_mode to custom until the domain is active, assume that is something you are speculating on, but don’t have a definitive answer to.
We do and always have set the ssl mode that we want to use as part of the api sequence used when creating a domain, but it was only when Cloudflare switched from using the SSL Recommender to using SSL Automatic mode by default, that we added the extra API call to turn ssl_automatic mode off when adding the domain.
In those cases where the api call to turn ssl automatic mode off fails cloudflare would sometimes (but not always) override our ssl choice and change it to full ssl, and we would then have to log in to the control panel and manually switch it back to what we originally set via the api when the domain was originally added to Cloudflare.
Anyway, we will be adding some extra logging to our code to track for every api call what the raw request and response were so that it we revisit the issue we will have more information to present.
