SSL configuration big problem

Ok guys, you know it,
Can you give us some good advice … the goal is to debug our situation, thanks

See my reply from just now.

Also, you do have a certificate on your server, but it is not valid for your domain. So “Full” will work but not “Full strict”.

You might want to install a valid certificate, regardless of whether you want to proxy or not.

Considering you purchased a dedicated certificate you probably do want to proxy. So you will need to change the applicable web related records from :grey: to :orange:.

Also, switch from “Flexible” (screenshot) to “Full” or better “Full strict”. For the latter you will need that valid certificate though.


strict … but even if we want some subdirectories to stay unencrypted? (Will “no-ssl” page rules apply for those sub-dirs?) (newbie question, sorry)

Is there a reason why you would want certain paths to be reachable by HTTP-only?

There are some old scripts doing “cron sync tasks” we don't want to reopen in the next days, so yes, in a hurry, if it is possible to keep it live some 8 or 10 more days …

(Thanks for your attention) - Can you tell me what I have to do in the DNS config? I thought I was already on proxy, no?

Ouch - I understand - do I have to delete the first “A record”?

How are cron tasks related to HTTP? Please don't tell me you send network requests to run some local code :slight_smile:

Anyhow, if you really really really really must, you can set certain paths to “Flexible” via a page rule, but I’d keep “Full strict” as default (don't forget the certificate!).

No, the record looks fine that way and should proxy now.


(strange, the Cloudflare remark that says

“An A, AAAA, CNAME, or MX record is pointed to your origin server exposing your origin IP address.”

Please see this community tutorial.

Looks to me like it could be your FTP A record which is correctly set to :grey:.

OK, I switch FTP and mail to “orange / proxy” …

You can't do that, assuming you use that host for FTP, as your FTP connection would break otherwise.

As @sandro and the linked tutorial said, you can’t proxy non-HTTP services. For services like FTP, mail etc. the clouds should be set to :grey:. This can have the side effect of exposing your origin IP, but there is nothing you can do about it if you use these services on these subdomains.

We recreated the Let's Encrypt local certificate on the server but a look at the domain via IE still shows a certificate error …

ok, thanks we switch back to “grey”

There really is little point in censoring the domain at this point :slight_smile:

You issued the certificate only for your naked domain and not the www host. You need to include the latter when you have the certificate issued.
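
The coverage gap described in the reply above, as an added example that is not part of the original thread: a Python check of which required hostnames a certificate's subject alternative names (SANs) actually cover. The hostnames and SAN lists are constructed sample data using example.com, and the function names are illustrative.

```python
# Added example: check which hostnames a certificate's SAN list covers.
# All hostnames and SAN lists below are constructed sample data.

def san_matches(hostname: str, san: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive, and a wildcard is
    honoured only as the entire leftmost label, covering exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    pattern = san.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False          # "*.example.com" never matches "example.com"
    if pattern[0] == "*":
        # Conservative choice: reject wildcards directly under a TLD.
        return len(pattern) > 2 and bool(host[0]) and host[1:] == pattern[1:]
    return host == pattern


def uncovered_hosts(required, san_list):
    """Return the required hostnames that no SAN entry covers."""
    return [h for h in required
            if not any(san_matches(h, s) for s in san_list)]


# Hostnames served through the proxy; each one needs a matching SAN on the
# origin certificate for "Full strict" to validate it.
REQUIRED = ["example.com", "www.example.com"]

# Constructed SAN lists for three ways the certificate could be issued.
APEX_ONLY = ["example.com"]                      # the situation in the thread
WILDCARD_ONLY = ["*.example.com"]
APEX_AND_WWW = ["example.com", "www.example.com"]

if __name__ == "__main__":
    for label, sans in [("apex only", APEX_ONLY),
                        ("wildcard only", WILDCARD_ONLY),
                        ("apex + www", APEX_AND_WWW)]:
        missing = uncovered_hosts(REQUIRED, sans)
        print(f"{label:14} -> missing: {missing or 'none'}")
```

A wildcard-only certificate has the opposite gap: it covers www but not the naked domain, so both names still need to be listed when the certificate is issued.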

This topic was automatically closed after 30 days. New replies are no longer allowed.