Some browsers appear to bypass CloudFlare causing SSL issues

My website is hosted on AWS Lightsail (Bitnami) and uses CloudFlare.

I’ve set up Full SSL support, which appears to work on Safari, however when I’m in a private mode of Chrome, or on Firefox I get errors;

Firefox:

Peer’s Certificate issuer is not recognised.

Chrome:

“CloudFlare Origin Certificate” certificate is not trusted

When digging into this error it seems like the browser is talking to my server directly, and seeing the CloudFlare Origin cert I’ve installed there.

Both www and @ have A records pointing to my server, both are marked as being proxied by CloudFlare.

Can anyone suggest a way forward?

That should better be Full Strict.

Yep, that should be the case here. Your DNS configuation looks all right, so it should not be your domain setup but rather a local DNS issue.

Did you already reboot your router to reset its DNS service? Do you have any particular DoH configuration in private mode? IIRC there were issues when browsers switched in private mode to DoH and then resolved a different address.

I understood you are running macOS. If so, can you run these commands and post their output here?

dig thefootytipster.com
dig thefootytipster.com @1.1.1.1
curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=thefootytipster.com'
1 Like

Thanks, I’ve updated to Full Strict.

Nothing special set up on my router or local config, and it has been restarted.

dig thefootytipster.com output:

; <<>> DiG 9.10.6 <<>> thefootytipster.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48023
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;thefootytipster.com.		IN	A

;; ANSWER SECTION:
thefootytipster.com.	300	IN	A	104.21.75.249
thefootytipster.com.	300	IN	A	172.67.184.16

;; Query time: 26 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu Aug 19 16:43:18 BST 2021
;; MSG SIZE  rcvd: 80

dig thefootytipster.com @1.1.1.1 output:

; <<>> DiG 9.10.6 <<>> thefootytipster.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45923
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;thefootytipster.com.		IN	A

;; ANSWER SECTION:
thefootytipster.com.	300	IN	A	172.67.184.16
thefootytipster.com.	300	IN	A	104.21.75.249

;; Query time: 78 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Aug 19 16:43:49 BST 2021
;; MSG SIZE  rcvd: 80

curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=thefootytipster.com' output;

{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"thefootytipster.com","type":1}],"Answer":[{"name":"thefootytipster.com","type":1,"TTL":300,"data":"104.21.75.249"},{"name":"thefootytipster.com","type":1,"TTL":300,"data":"172.67.184.16"}]}%

Thanks so much for your help

They all resolve to the proxies. That would suggest your browser is using some cached DNS entry or some other DoH service which still returns your actual server IP address.

I’d try debugging the browser profile in that case and maybe even try a new one.

Thank you, that is a relief that it is likely just me!

No worries. And yes, it will be a local issue, globally it resolves to the proxies

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.