SSL Downtime to Get Started


#1

I pointed my SSL domain to CF’s name servers this morning and soon noticed the site was down with an SSL issue. I then noticed my SSL setting in CF was showing “Authorizing Certificate” and read that this means my site would be down for 24 hours until CF approves my SSL cert. I tried changing the SSL setting to “Flexible” but that didn’t solve the problem. I also tried turning off the orange cloud for my DNS A record in order to bypass traffic around CF, but I continued to see the same SSL connection problem to my website. Finally, I had to point my domain away from CF’s name servers to stop the bleeding.

Are all SSL websites using CF’s free level expected to live with 24 hours of downtime in order to use CF? Is there any way to keep my website up while the SSL cert is being authorized? I was really looking forward to using CF, but 24 hours of downtime would be a terrible price to pay.


#2

Until an SSL certificate is issued Cloudflare can’t proxy SSL traffic. So it is generally a best practice to gray cloud a/all record(s) until the SSL certificate is issued. Moving a record to gray cloud should have stopped the SSL error as we would no longer be proxying and the traffic would be direct to origin. It may be that browser cache or local machine DNS caching was causing you to continue to see the error once the record was gray clouded.


#3

Thank you for your response @cscharff! I think my problem was that I only gray-clouded the DNS A record. There was a “www” CNAME record that pointed to the bare domain which was still orange-cloud, so that’s probably why the problem continued. I will gray-cloud all of my DNS records and try again.

Meanwhile, this episode brings these questions to mind:

  1. Will there be another 24 hour cert approval period when I renew or replace my current SSL cert?

  2. If the IP address of my server changes (but keeps the same SSL cert) will that trigger another 24 hour cert approval period?

  3. Are there any other situations that would trigger a 24 hour cert approval period for a domain that is already on CF?
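An added check, not from any poster in this thread: given the answers a resolver returns for your zone, follow CNAME chains and flag every hostname that still lands on Cloudflare proxy addresses (and so on the not-yet-issued certificate) rather than on the origin. The record set and the single Cloudflare range are constructed sample data; for a real check, query the authoritative name servers so cached answers don't mislead you, and use the IP range list Cloudflare publishes.

```python
import ipaddress

# Constructed sample of resolver answers for the situation in post #3: the bare
# domain's A record was gray-clouded (origin IP), but the orange-clouded "www"
# CNAME is flattened by Cloudflare to proxy addresses, and "blog", which is
# chained onto "www", inherits that.
SAMPLE_RECORDS = {
    "example.com": {"A": ["203.0.113.10"]},
    "www.example.com": {"A": ["104.16.1.1", "104.16.2.1"]},
    "blog.example.com": {"CNAME": "www.example.com"},
}

# Assumed sample range only; substitute Cloudflare's published list.
CLOUDFLARE_RANGES = [ipaddress.ip_network("104.16.0.0/13")]


def resolve(host, records, max_depth=8):
    """Follow CNAMEs to the final A records; refuse loops and long chains."""
    seen = set()
    for _ in range(max_depth):
        if host in seen:
            raise ValueError(f"CNAME loop at {host}")
        seen.add(host)
        entry = records.get(host)
        if entry is None:
            return []            # no answer at all
        if "CNAME" in entry:
            host = entry["CNAME"]
            continue
        return entry.get("A", [])
    raise ValueError("CNAME chain too long")


def is_proxied(ip, ranges=CLOUDFLARE_RANGES):
    return any(ipaddress.ip_address(ip) in net for net in ranges)


def classify(records, ranges=CLOUDFLARE_RANGES):
    """Map each hostname to 'proxied', 'direct', 'mixed' or 'unresolved'."""
    result = {}
    for host in records:
        ips = resolve(host, records)
        flags = {is_proxied(ip, ranges) for ip in ips}
        result[host] = ("unresolved" if not ips else
                        "proxied" if flags == {True} else
                        "direct" if flags == {False} else "mixed")
    return result


def still_proxied(records, ranges=CLOUDFLARE_RANGES):
    """Hostnames that would still reach the proxy instead of the origin."""
    return sorted(h for h, s in classify(records, ranges).items() if s != "direct")
```

Run `still_proxied(SAMPLE_RECORDS)` to get the list of hosts to gray-cloud (or re-point) before the certificate is authorized; an empty list means traffic goes straight to the origin everywhere.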


#4

For a Cloudflare ordered/managed cert we typically issue a renewal request ~= 30 days prior to expiration. So there should not be a gap.

No you can change these freely. We don’t tie certificates to IPs and Cloudflare masks the true origin IP address anyway.

In general? No. In practice, CAs change their fraud detection algorithms and issuance standards on occasion which could cause a host name to be flagged when it wasn’t previously. And we do tens of thousands of certificate renewals a day, it’s possible that a certificate reissuance could go pear shaped, but that is pretty rare… and an area we continue to improve tooling and processes around.


#5

Thank you again! I will likely switch to a CF managed cert to help minimize any possible future issues.