SSL Errors - Untrusted Certificate

Hi,

I’m getting an intermittent error when trying to make a secure connection to my servers on port 443.

  • I’m accessing the server(s) through a Cloudflare load-balancer (pool of two servers).
  • I have a Sectigo wildcard certificate installed on the servers.
  • Traffic is not proxied through Cloudflare (DNS only, grey cloud icon both in the site’s DNS settings and in the Load Balancer settings).
  • In case it makes a difference, Cloudflare SSL is configured to be Full (Strict).

I’m pretty new to all this, and don’t understand how the connection can work sometimes and not others, and also whether or not the SSL settings in Cloudflare (Full, Strict) have any impact on the connection made.

The error I’m getting, when it occurs, indicates that the connection cannot be made due to an untrusted certificate.

I’m not certain whether this is genuinely an SSL/trust issue, or whether there is actually a problem with the configuration of the webserver. The fact that the connection works sometimes and other times not makes me think the “untrusted certificate” error is a red herring… but how can I be sure?

Please could someone assist me to troubleshoot? What should I be looking at / testing first?

Many thanks!

It’s hard to verify this without knowing the domain at all.

If Cloudflare is DNS only the certificate should be the Sectigo one, when the error is given check which certificate it serves.

Thanks - I have in the meantime done a simple “Certificate Check” on Digicert’s website and everything shows up green and trusted. The hostname resolves correctly, switching between the two origin servers, and none of the vulnerabilities they check are present… it all looks good.

Would it cause an issue if one server was trying to connect to another using an IP address instead of a hostname? I noticed that if I did a certificate check using the public IP instead of the hostname, I did get errors and the cert was untrusted (due to names not matching).

The domain is omnivisionsecure.co.za

Thanks for the help.

Regards,

Gareth Cowan

OmniVision Security

072 895 1779

Connecting via IP is normally not supported in certificates (there are some specific certificates that do have IPs in them, but they require a FQDN and are rare and expensive: see https://1.1.1.1); always use hostnames.

On that domain I get a 500 (internal server error) and I do not get redirected automatically to HTTPS. The certificate works just fine for me.
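One way to work through the advice in this thread (check which certificate each origin actually serves, and why an IP address cannot satisfy a wildcard certificate), as an added example rather than code from any poster: `probe_origin` connects to one pool member by IP with SNI set to the real hostname, and `san_matches` implements the name-matching rule. The IPs and SAN lists it is exercised with are constructed placeholders.

```python
import ipaddress
import socket
import ssl


def san_matches(target, sans):
    """RFC 6125-style name check: is `target` (hostname or IP literal) covered
    by the cert's subjectAltName? `sans` is getpeercert()['subjectAltName']."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    host = target.lower()
    for kind, value in sans:
        if ip is not None:
            # An IP target is covered only by an explicit iPAddress SAN, never
            # by a DNS name: that is why https://<origin-ip> reports a mismatch.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS":
            value = value.lower()
            if value.startswith("*."):
                # A wildcard covers exactly one label, in the leftmost position,
                # so *.example.com matches www.example.com but not example.com.
                suffix = value[1:]
                label = host[: -len(suffix)] if host.endswith(suffix) else ""
                if label and "." not in label:
                    return True
            elif value == host:
                return True
    return False


def probe_origin(origin_ip, hostname, port=443):
    """Connect to ONE pool member by IP while presenting `hostname` via SNI, so
    each origin is inspected regardless of which one DNS hands out. Chain
    validation against the system trust store stays on; the name check is
    done by san_matches so the result can be reported instead of raised."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((origin_ip, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    sans = cert.get("subjectAltName", ())
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    return {"issuer": issuer.get("organizationName"), "sans": sans,
            "name_ok": san_matches(hostname, sans)}
```

Run `probe_origin` once per origin IP in the pool (constructed example: `probe_origin("203.0.113.10", "www.example.com")`); if one member returns a different issuer or `name_ok` False, that member is the source of the intermittent error.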

Hello, I’ve tried both configurations with a Sectigo Essentials DV cert, using the DNS option (greyed out) and proxied through Cloudflare; both worked fine with no cert issues, running on nginx and apache2 servers. I had to edit my apache2 config as nginx and apache both listen on port 80. Also, after downloading the zip file for my certificates, I used this command via the terminal to create the bundle.crt:

cat domain_name.crt SectigoRSADomainValidationSecureServerCA.crt AddTrustExternalCARoot.crt >> domain_name.bundle.crt
This “joins” the certs in the correct order, making the cert valid and trusted on all browsers. This only applies to your own CA cert, and you will need to set the correct paths in your nginx.conf file to where you upload your certs. If you require this to work for apache2 there is additional configuration required in the virtual hosts file. You can also check your SSL here: https://www.ssllabs.com/ssltest/ . This will test and report any faults, and it will use your apache2 server on your domain on 443. I’ve just checked your SSL and it’s all good, no faults. You could be right; as matteo said, IP addresses aren’t allowed, so that would report back as untrusted.

Hope this helps.