SSL Error Messages - Cloudflare or ISP?


#1

Starting on May 30, those of us accessing mail on caemail.crfg.org started getting warning messages about an invalid SSL certificate. I currently have a wildcard certificate from Comodo that is scheduled to expire late in June, so I was puzzled by the message about a new certificate starting on May 30, 2018 and expiring on May 31, 2019. I contacted my ISP support (InMotion Hosting) and was told that the certificate for that email server was issued by Cloudflare. Did I not set up my free Cloudflare account properly, or? How do I make Cloudflare recognize my wildcard certificate and not issue one of its own?

I have screenshots of a couple of warning messages but am not sure how to attach them, or if that is even allowed.


#2

SSL connection using ECDHE-ECDSA-AES128-GCM-SHA256
Server certificate:
subject: OU=Domain Control Validated; OU=PositiveSSL Multi-Domain; CN=sni56337.cloudflaressl.com
start date: 2018-05-29 00:00:00 GMT
expire date: 2018-12-05 23:59:59 GMT
subjectAltName: caemail.crfg.org matched
issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO ECC Domain Validation Secure Server CA 2
SSL certificate verify ok.

Looks good to me. Accessing this URL with a browser shows a default server page which has mixed content.
Nothing to worry about.

Just drag and drop a file into the “reply” field. :slight_smile:


#3

Are we talking about a TLS web interface to an email server or actual email related protocols (not HTTP)?


#4


#5

The first screenshot is neither mail nor web, but FTP. The other screenshots seem to refer to SMTP.

You need to clarify this with your host, Cloudflare is not involved here.


#6

That middle screenshot of the mail client looks odd. It says it’s connecting to mail.crfg.org, but the certificate says caemail.crfg.org.

That would certainly be invalid, as it doesn’t match the hostname you’re using to connect.


#7

Good point and spot on, it does seem as if a host mismatch was the actual problem.

ftp and mail seem to point to the origin (attention: leak of data), whereas caemail points to Cloudflare at this point. These hosts should get their own certificates, or rather be removed entirely from the domain (again, right now it leaks the origin’s IP address).

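The two findings in posts #6 and #7 (a certificate whose names do not cover the hostname the mail client actually connects to, and DNS records that point straight at the origin instead of at Cloudflare) can be checked with a short script. The following is an added example, not code from the thread or from Cloudflare. It implements the RFC 6125 name-matching rule a strict client applies, classifies hostnames by whether their address falls in a Cloudflare range, and includes a live helper that reads the subjectAltName a server presents (via SNI, or via SMTP STARTTLS). The SAN list, the DNS records and the short list of Cloudflare ranges are constructed sample data for illustration; the real ranges should be taken from https://www.cloudflare.com/ips-v4.

```python
"""Added example: hostname-vs-certificate matching and origin-exposure check.
Not part of the original thread; sample data below is constructed."""
import ipaddress
import socket
import ssl


def san_matches_host(san_names, hostname):
    """RFC 6125-style match: exact name, or a wildcard that is the whole leftmost
    label. A wildcard never spans a dot, so '*.crfg.org' covers 'mail.crfg.org'
    but neither 'crfg.org' nor 'a.b.crfg.org'."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                       # e.g. ".crfg.org"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else None
            if prefix and "." not in prefix:
                return True
    return False


def diagnose(connect_host, san_names):
    """Verdict a strict TLS client reaches for the name it connected to."""
    if san_matches_host(san_names, connect_host):
        return "ok"
    return (f"hostname mismatch: connected to {connect_host}, "
            f"certificate covers {', '.join(san_names)}")


def is_cloudflare_ip(ip, cloudflare_ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in cloudflare_ranges)


def classify_hosts(dns_records, cloudflare_ranges):
    """hostname -> 'proxied' (address is Cloudflare's) or 'origin (exposed)'."""
    return {host: ("proxied" if is_cloudflare_ip(ip, cloudflare_ranges)
                   else "origin (exposed)")
            for host, ip in dns_records.items()}


def fetch_leaf_sans(host, port=443, smtp_starttls=False):
    """Live helper (needs network; not exercised by the sample run): returns the
    DNS names in the certificate the server presents for `host`. Chain
    verification stays on; only the hostname check is deferred to diagnose()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    if smtp_starttls:
        import smtplib
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            smtp.starttls(context=ctx)
            cert = smtp.sock.getpeercert()
    else:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed sample data (assumptions, not observed values):
# - SANs modelled on the certificate quoted in post #2
# - DNS records: caemail on a Cloudflare address, mail/ftp on a TEST-NET origin
# - a subset of Cloudflare's published IPv4 ranges; refresh from the live list
CERT_SANS = ["sni56337.cloudflaressl.com", "caemail.crfg.org"]
SAMPLE_DNS = {
    "caemail.crfg.org": "104.16.1.1",
    "mail.crfg.org": "203.0.113.10",
    "ftp.crfg.org": "203.0.113.10",
}
CLOUDFLARE_RANGES_SAMPLE = ["104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13"]

if __name__ == "__main__":
    print(diagnose("caemail.crfg.org", CERT_SANS))   # ok
    print(diagnose("mail.crfg.org", CERT_SANS))      # hostname mismatch ...
    for host, verdict in classify_hosts(SAMPLE_DNS, CLOUDFLARE_RANGES_SAMPLE).items():
        print(f"{host:20} {verdict}")
```

Run against the sample data, the mail client's connection to mail.crfg.org is reported as a mismatch while caemail.crfg.org passes, and the two records pointing at the TEST-NET address are flagged as exposing the origin. To repeat the live check from post #2, call `fetch_leaf_sans("caemail.crfg.org")` and pass the result to `diagnose()` with the hostname the client really uses; for a mail server on port 587 use `smtp_starttls=True`.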

#8

This topic was automatically closed after 14 days. New replies are no longer allowed.