SSL Certificate Query

Hi,

I’ve set up 2 websites with the same SSL configuration on Cloudflare:

  • Full (Strict)
  • Edge Certificate (Universal)
  • Always Use HTTPS (Enabled)
  • Minimum TLS Version (TLS 1.0 Default)
  • Opportunistic Encryption (Enabled)
  • TLS 1.3 (Enabled)
  • Automatic HTTP Rewrites (Enabled)

Both websites have:

  • WordPress 5.3.9
  • SSL certificate by Let’s Encrypt (provided free by the web host)

The only difference I can see is both certificate chains are different.

WebSiteOne.com > E1 > ISRG X2 > ISRG X1
WebSiteTwo.com > R3 > ISRG X1

WebSiteOne.com is showing the original certificate by Let’s Encrypt while WebSiteTwo.com is showing the certificate by Cloudflare (sni.cloudflaressl.com).

I’ve “curl -vI” and both are showing Server as Cloudflare. SSLShopper is also showing both as Server Type Cloudflare.

Both websites are working fine via https, so it’s not like anything is broken. But I can’t figure out why both websites are showing different certificates even though both are going through Cloudflare.

Any advice would be most appreciated.

Thanks.

Cloudflare uses 3 different CAs (DigiCert, Comodo or Let’s Encrypt) to back their intermediary certificate for Universal SSL - there’s no guarantee which one it uses or which other SANs appear on your certificate.

If you’d like more control, you’d need to purchase Advanced Certificate Manager - but if it’s not causing any issues, I wouldn’t bother.

Wouldn’t both websites be showing a certificate from Cloudflare since both are Universal type?

WebSiteOne.com is showing the original cert I generated with the web host, as it’s only valid for 3 months. So presumably, that would mean I have disabled Universal SSL. But I didn’t.

While WebSiteTwo.com, which is showing sni.cloudflaressl.com as the certificate, is valid for 1 year, which I assume means it’s using Cloudflare’s Universal SSL.

I’m not looking for more control, just trying to understand how SSL works in Cloudflare.

Thanks.

Without knowing the actual addresses, I wouldn’t be able to give you an answer.

Visit the website that’s showing the ‘original cert’ that you generated & see if it’s actually going through Cloudflare - i.e. a Server: cloudflare response header, or just dig the website & see if the returned addresses are in https://www.cloudflare.com/ips/
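One way to automate the two checks suggested in this reply (resolve the name and compare the addresses against Cloudflare’s published ranges, then read the issuer and SANs of the leaf certificate the edge presents) as an added Python example that is not part of this thread. The IP ranges are a constructed subset of the list at https://www.cloudflare.com/ips/, the sample certificate dictionary is constructed in the format returned by `ssl.SSLSocket.getpeercert()`, and the hostname on the command line is a placeholder.

```python
"""Added example: check whether a hostname is served through Cloudflare and
summarize the certificate its edge presents. Not code from the thread."""
import ipaddress
import socket
import ssl
import sys

# Constructed subset of Cloudflare's published IPv4 ranges
# (https://www.cloudflare.com/ips/). Fetch the live list for real checks.
CLOUDFLARE_V4_RANGES = [
    ipaddress.ip_network("104.16.0.0/13"),
    ipaddress.ip_network("104.24.0.0/14"),
    ipaddress.ip_network("172.64.0.0/13"),
]

# Constructed sample in getpeercert() format, modelled on a Let's Encrypt
# R3-issued certificate for a placeholder zone.
SAMPLE_CERT = {
    "subject": ((("commonName", "websitetwo.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R3"),),
    ),
    "subjectAltName": (("DNS", "websitetwo.com"), ("DNS", "*.websitetwo.com")),
    "notBefore": "Jan  1 00:00:00 2022 GMT",
    "notAfter": "Apr  1 00:00:00 2022 GMT",
}


def in_cloudflare_ranges(ip, ranges=CLOUDFLARE_V4_RANGES):
    """True if the address falls inside one of the known Cloudflare networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def _first(rdn_seq, key):
    """Pull one attribute (e.g. commonName) out of getpeercert()'s nested tuples."""
    for rdn in rdn_seq:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def summarize_cert(cert):
    """Reduce getpeercert() output to the fields compared in the thread."""
    return {
        "subject_cn": _first(cert.get("subject", ()), "commonName"),
        "issuer_cn": _first(cert.get("issuer", ()), "commonName"),
        "issuer_org": _first(cert.get("issuer", ()), "organizationName"),
        "sans": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
        "not_after": cert.get("notAfter"),
    }


def resolve(hostname):
    """IPv4 addresses the name currently resolves to (what `dig` would show)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, 443, socket.AF_INET)})


def fetch_cert(hostname):
    """Complete a TLS handshake with SNI and return the validated leaf certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, 443), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def check_host(hostname):
    """Combine both checks: are all addresses Cloudflare's, and who issued the cert?"""
    ips = resolve(hostname)
    return {
        "hostname": hostname,
        "ips": ips,
        "proxied_by_cloudflare": bool(ips) and all(in_cloudflare_ranges(ip) for ip in ips),
        "cert": summarize_cert(fetch_cert(hostname)),
    }


if __name__ == "__main__":
    # Placeholder hostname; pass the real site as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    for key, value in check_host(host).items():
        print(f"{key}: {value}")
```

If every resolved address is inside the ranges and the issuer is one of the CAs Cloudflare uses for Universal SSL, the certificate you see in the browser is the edge certificate, regardless of which CA the origin certificate came from; the origin certificate only matters for the Cloudflare-to-origin leg under Full (Strict).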

For website showing original cert … curl returns “server: Cloudflare” and dig returns 104.21.86.127 and 172.67.220.45, both Cloudflare addresses.

For website showing Cloudflare’s cert … curl returns “server: Cloudflare” and dig returns 104.21.13.137 and 172.67.200.84, both Cloudflare addresses.

I’ve also tested both on SSL Shopper and both return “Server Type: Cloudflare”.

As long as you see the certificate in https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates then it’ll be managed by Cloudflare.

The only scenarios where the origin certificate would be presented is when Universal SSL is disabled (might actually just give an insecure error on its own) or SSL Mode is set to Off.

Yes, in Cloudflare’s dashboard under Edge Certificates, both are showing Edge certificates as Universal, Active and ECDSA SHA256 Managed by Cloudflare.

The only difference on the dashboard is the Certificate Authority …

Website showing original cert (3 lines):
  • Certificate Validity Period: 3 months
  • Certificate validation method: TXT
  • Certificate Authority: Let’s Encrypt

Website showing Cloudflare’s cert (only 2 lines):
  • Certificate Validity Period: 1 year
  • Certificate validation method: TXT

Thanks.
