SSL certificates at ISP and CloudFlare for https domain: mail issue


#1

My ISP (Panthur) recently promoted the security benefits of SSL certificates, and I duly purchased their RapidSSL certificate, which they ultimately installed. The result was users of the associated mail domain complaining of (1) in the case of an iPhone user, an untrusted certificate, and (2) in the case of an Outlook user, a certificate that could not be verified because the target principal name was wrong. Panthur advised me to ensure that said users were using the correct in/out server names; I did and they were. They then recommended disabling Universal SSL at CloudFlare, which I did; the result was that the domain website became inaccessible to all. On the advice of Panthur, I also tried experimenting with moving from ‘Flexible SSL’ to either ‘Full (strict) SSL’ or ‘Full SSL’; the website only came good when I returned to ‘Flexible SSL’ and re-enabled the Universal SSL, but the mail problem remains. Panthur now insist that their certificate is correctly installed, and that I should take up the problem with CloudFlare. I note that CloudFlare say:

“Disabling Universal SSL removes any currently active Universal SSL certificates for your zone from the edge and prevents any future Universal SSL certificates from being ordered. If there are no dedicated certificates or custom certificates uploaded for the domain, visitors will be unable to access the domain over HTTPS.”

Since my domain is accessed via https (i.e. the page rule ‘Always use HTTPS’ is in effect), that quote seems to pinpoint why disabling Universal SSL took the website down. I am beginning to suspect that I cannot use the RapidSSL certificate that I purchased from Panthur, and should instead have purchased a dedicated SSL ‘edge certificate’ from CloudFlare. Panthur clearly disagree. Please advise me on what I should do. There is a possibility that I was fooled by the length of time that it takes for changes to the CloudFlare settings to take effect into incorrectly believing that only the combination of ‘Universal SSL enabled’ and ‘Flexible SSL’ restored the website. But I don’t seem close to solving the mail issue.


#2

Installing a certificate on your mail/web origin shouldn’t have mattered, since no SSL configuration really changed on the browser-facing side.

Can you check if the SSL certificate they issued contains a “Subject Alternate Name” that matches your mail hostname? Chances are they forgot to include the mail SAN which meant the SSL would warn anyone trying to access the mismatched domain certificate.

Also, if you’re comfortable in doing so, it would help us debug if you posted the domain name.
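
One way to carry out the SAN check described above, as an added example that is not code from the thread, Cloudflare or Panthur. It assumes standard-library Python only; the certificate dicts are constructed samples in the shape `ssl.SSLSocket.getpeercert()` returns, and `example.com` hostnames are placeholders.

```python
import socket
import ssl

# Constructed sample of a getpeercert() result whose SAN lists only the web
# hostnames and omits the mail hostname (the mismatch this thread describes).
CERT_WEB_ONLY = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}
# Same constructed sample, but with the mail SAN present.
CERT_WITH_MAIL = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com"),
                       ("DNS", "mail.example.com")),
}

def _name_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a single leading '*.' that covers
    exactly one label (no partial-label or multi-level wildcards)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False

def san_covers(cert: dict, hostname: str) -> bool:
    """True if a DNS SAN entry matches hostname. When any SAN is present the
    CN is ignored, as modern mail clients do, so a missing mail SAN alone
    produces the 'untrusted' / 'target principal name is wrong' warnings."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:  # legacy fallback: CN counts only when there is no SAN
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return any(_name_match(p, hostname) for p in names)

def probe_mail_tls(host: str, port: int = 993, timeout: float = 10.0):
    """Connect with implicit TLS (IMAPS 993 / SMTPS 465) using the default
    verifying context, as a mail client would. Returns ("ok", cert_dict) or
    ("error", message); a SAN mismatch surfaces as a hostname verification
    error, which is the client-side symptom reported in this thread."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", tls.getpeercert()
    except OSError as exc:  # SSLCertVerificationError is a subclass
        return "error", str(exc)
```

Run `probe_mail_tls("mail.yourdomain", 993)` against the in/out server names your users enter; if it returns "ok", pass the cert to `san_covers` with that same name to confirm which entry matched.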


#3

Hi Judge,

Thanks very much for your input. I have asked Panthur to check on the mail SAN, because I find I cannot currently log into the site cPanel; Firefox thinks I have an insecure connection, due to an improperly configured website. I have reported this to Panthur.

Re revealing the domain name, I’m new to the Cloudflare community; is this normal practice? I would be happier if I could avoid revealing the name to the whole community.

Chris


#4

That was bad advice from their side as that basically disabled SSL altogether.

If you use Flexible you don’t need a certificate at all on your server as Cloudflare will connect via HTTP to your server. You definitely do not want that.

Can you elaborate on that problem? From what I understood so far it is exclusively an SSL issue.

From what you explained so far I’d have my doubts about that statement but in order to verify that you would need to post your domain and - if you feel comfortable revealing it here (you can delete it afterwards) - your server’s IP address.


#5

Hi Sandro,

Many thanks for your comments. I’m getting nowhere with Panthur’s people, so would be grateful if you could have a look at royalsoc.org.au

I described the mail issue in the first para. of my first post: (1) an iPhone user got an untrusted certificate, and (2) an Outlook user got a certificate that could not be verified because the target principal name was wrong. The Outlook user is able to carry on, but insecurely, while the iPhone user is temporarily using a different email address.

Chris


#6

Your site’s configuration generally looks fine and it does load via HTTPS. Now whether your server configuration is okay and if Cloudflare actually connects via HTTPS to your server (which is the only secure implementation) is a different story, but I’d need your server IP for that.

I did read your description but I am afraid it didn’t make much sense. If you are talking about actual mail clients, it is not a Cloudflare issue as Cloudflare doesn’t do anything with mail. The only thing you should make sure is that any mail related hosts are not proxied (should be :grey: instead of :orange:). Otherwise if we are talking about anything web related it is not about email :slight_smile:


#7

Hi Sandro,

Which server IP do you mean? Clearly not that which you can find by nslookup on the domain name I already supplied.

Chris