SSL Full Strict switching issue


#1

Hello,
Several days ago I moved my 3 sites from Flexible SSL to Full Strict, but only 1 domain has actually been moved to Full Strict; the other 2 sites still use Flexible SSL. I can verify this by checking the certificates: the Flexible SSL one is issued by COMODO ECC, whereas the Full Strict one is issued by GlobalSign CloudSSL CA.

All generated certificates have been uploaded to cPanel and they are working; I’m sure of this because all connections to the origin for those sites are over SSL. These 2 sites are having many issues with 522 errors, and maybe it depends on the SSL setting being misconfigured in Cloudflare’s database.

Has someone else had the same issue? Is there a limit on the number of sites where it is possible to enable Full Strict? In the FAQs I read that it could be a trademark problem if some domain names aren’t automatically switched to custom SSL.

So is it possible to force in some way the use of SSL Full Strict for these domains?

Thanks for any support about that.

Update:
I found the problem: the sites are using the Universal (Shared) certificate as SHA 2 ECDSA, whereas SSL Full Strict needs the SHA 2 RSA certificate.
Now, how can I replace ECDSA with RSA?


#2

Most of my sites use Comodo. One of mine is Flexible, and all but one are Full (Strict). However…my one site that uses a .plus TLD uses GlobalSign with less robust encryption. So far, I’ve not had any luck with having that one domain switched over. It was one that got stuck during SSL activation, and Support reinitiated the cert process and I ended up with GlobalSign.

So…for those three sites, are they all the same TLD?


#3

The certificate displayed by Cloudflare doesn’t change based on the SSL setting configured for the connection to the origin server.

If the generated certificates uploaded into your cPanel that you reference are Cloudflare origin certificates, those are issued by Cloudflare and aren’t meant to be seen by end users, and their usage won’t affect the certificate Cloudflare does display to an end user in any way.

Are you sure the certificates are correctly installed on the origin server? If you run

curl -ik --resolve foo.com:443:1.2.3.4 https://foo.com

replacing foo.com with your domain and 1.2.3.4 with the origin IP address, does it complete successfully?


#4

I don’t think it’s a TLD issue, because all sites are on the same server using the same Cloudflare DNS. If I delete the origin certificates on cPanel I get an SSL 526 error from Cloudflare, but once the certificates are installed again the error disappears; this doesn’t happen with Flexible SSL. So the sites are configured as Flexible SSL but Cloudflare is checking for the origin certificates, yet with the certificate issued by COMODO using SNI, even if I select SSL Full Strict.

Sure, running curl from the terminal I receive the HTML code for all the sites. I tried another test with an old browser which doesn’t support SNI extensions: the site that uses the RSA certificate works perfectly, while the other 2 sites with ECDSA get an unknown error on the connection.

I don’t understand why Cloudflare has generated a certificate with RSA for one site and with ECDSA for the other 2, even though I selected Full Strict for all of them.

The Cloudflare FAQ says:
If you are using cPanel, or another application that attempts to validate the chain of your Origin CA certificate, you will need to append the appropriate root below to your .pem file.
Note that cPanel in particular does not support ECC certificates, so make sure you generate an RSA certificate.

Can someone from the internal staff help me replace the edge certificates from ECDSAwith256SHA to SHA256withRSA?

Thanks a lot.
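Two checks for the situation in this thread, as an added example that is not part of any post here and not Cloudflare’s own tooling: one reports whether an origin certificate PEM is RSA or ECC (the cPanel point in the FAQ quoted above), the other fetches the certificate the origin actually presents when contacted directly by IP with SNI, in the spirit of the curl --resolve test in #3. It assumes the openssl command-line tool is installed; the domain and IP values are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from Cloudflare. Requires the openssl CLI.
# cert_key_algo FILE.pem      -> prints RSA or EC for the certificate in FILE.pem
#                                (the FAQ quoted above: cPanel wants an RSA origin cert)
# origin_cert_check DOMAIN IP -> connects straight to the origin IP with SNI=DOMAIN,
#                                bypassing the Cloudflare proxy like the curl --resolve
#                                test, and summarises the certificate it presents.

# Public-key algorithm of the first certificate in a PEM file.
cert_key_algo() {
    algo=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    case "$algo" in
        rsaEncryption)  echo RSA ;;
        id-ecPublicKey) echo EC ;;
        "")             echo unreadable; return 1 ;;
        *)              echo "$algo" ;;
    esac
}

# Leaf certificate the origin serves for DOMAIN when contacted directly on IP:443.
# DOMAIN and IP are placeholders supplied by the caller.
origin_cert_check() {
    domain="$1"; ip="$2"; leaf=$(mktemp)
    # -servername sends SNI. Without it a shared cPanel host may return another
    # virtual host's certificate, which is what a non-SNI browser would see.
    openssl s_client -connect "$ip:443" -servername "$domain" </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$leaf"
    if [ ! -s "$leaf" ]; then
        echo "no certificate received from $ip for $domain"; rm -f "$leaf"; return 1
    fi
    openssl x509 -in "$leaf" -noout -subject -issuer -dates
    echo "key algorithm: $(cert_key_algo "$leaf")"
    rm -f "$leaf"
}

# Usage with placeholder values:
#   cert_key_algo /path/to/origin-cert.pem
#   origin_cert_check example.com 203.0.113.10
```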


#5

All 3 sites loaded just fine for me and all appear to be using full strict.


#6

I see. I’m not an engineer, but I think the sites are working in a promiscuous way: if the origin is RSA and the edge is ECDSA, I’m pretty sure that’s the reason I’m getting several 522 errors. Maybe I could try to disable Universal SSL and then re-enable them individually to generate new edge certificates.


#7

The certificate served to visitors and the certificate on an origin server have no relation. Here’s a 522 error troubleshooting guide; I don’t believe there’s any mention of SSL in the article, so the certificate seems like an unlikely source for the error.