SSL Headers

#2334385 {redacted}

Very basic knowledge here, so go easy.

Moving my website over to Shopify, the domain has moved but they can’t verify the SSL as it is currently held by Cloudflare, ‘and they need to release the headers’. None of this makes sense to me, didn’t even know that Cloudflare existed or had my SSL Certificate. So I’ve created an account with Cloudflare so I can contact support, and I’ve registered my domain with you, lifetec.com.au, but not moved it over from the existing host. So my question is, can someone please ‘release the headers’ so Shopify can create the SSL. Thanks in advance.

Hi there,

Unfortunately the community is unable to assist you with issues such as this where an old provider used Cloudflare for SaaS. Please contact your old provider and ask them to remove any Cloudflare configurations for your domain, specifically SSL for SaaS / Custom Hostnames. If you contact Shopify and they mention Cloudflare headers, ask them if they are referring to a Custom Hostname that was part of an old SSL for SaaS implementation on the domain.

If you previously used HubSpot, please ignore this and move to the paragraph below.

If you are unsure who the previous provider is or they say Siteground says they are unable to help you, please email [email protected] with the subject "Cannot remove custom host name" and details of the issue. Once you’ve done that you’ll receive an automatic response with a ticket number. Please post that here so we can escalate it. Once you have reached out to Support they will ask you to verify domain ownership of the domain by adding a TXT record to the domain in order to verify domain ownership.

Another customer had a similar recent issue with that way-off-the-mark reply from Shopify: Cloudflare headers preventing SSL certificate from connecting after domain transfer - #6 by sdayman.

3 Likes

Thanks for getting back to me, but my old provider just sends me back to you! So between Cloudflare, Webcentral and Shopify no one seems to be able to fix this, and each blames the other. So frustrating.

Did you send that email he advised? He can’t do anything without that ticket #.

Hi. I didn’t send the email because it says that paragraph only applies to Hotspot, so I don’t think it applies to me?

So here’s what I get from Shopify:
2:32 Genesis (Support Advisor): I totally understand where you are coming from and we do apologize for the inconvenience this has caused you, David. I can definitely confirm that your domain is hosted with third party provider (webcentral) and the DNS configurations are correct, and an SSL certificate can’t be provisioned by Shopify as there are Cloudflare headers preventing this. Only Cloudflare can remove these headers which they can do if you contact their Support team. To reach out to them you will need to make an account here so that you can create a Support Ticket but once they’ve removed that, your domain will be able to provision an SSL certificate.

That’s not true. I don’t know why they’re making stuff up, but they’ll never be able to tell you what those headers are, because they don’t exist.

Or find out specifically what they are so Cloudflare can fix that immediately.

But you can see my dilemma here? I’m not a technical person so I’m at the mercy of the information I’m given. Both parties insist they can’t fix my problem. I’ll go back to them.

I certainly do. Shopify is telling you to “do that thing” because they can’t make your Shopify website work, but without being specific about what needs to be done. Like someone else is supposed to figure it out because Shopify is keeping it a secret. I count at least eight headers that Cloudflare adds, so it’s important to get it right when it comes to removing headers.

Hi.

Thanks for all your help. Been on with Shopify again, and below is all of the information I can find. They say that it is OK for you to remove all headers and anything to do with the SSL, and they can then reprovision from their end. Hope this helps!

www.lifetec.com.au is using Cloudflare CDN/Proxy!

www.lifetec.com.au resolves to 23.227.38.74
Server Type: cloudflare
The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).
The certificate will expire in 163 days.
The hostname (www.lifetec.com.au) is correctly listed in the certificate.

Common name: www.lifetec.com.au
SANs: www.lifetec.com.au
Organization: Cloudflare, Inc.
Location: San Francisco, California, US
Valid from June 9, 2021 to June 9, 2022
Serial Number: 021c52dffeb7eb00591123cc32630d01
Signature Algorithm: ecdsa-with-SHA256
Issuer: Cloudflare Inc ECC CA-3

Common name: Cloudflare Inc ECC CA-3
Organization: Cloudflare, Inc.
Location: US
Valid from January 27, 2020 to December 31, 2024
Serial Number: 0a3787645e5fb48c224efd1bed140c3c
Signature Algorithm: sha256WithRSAEncryption
Issuer: Baltimore CyberTrust Root

I’m sorry, but that’s too vague. I’ve checked my headers and none of them involve SSL:

HTTP_CF_CONNECTING_IP
HTTP_CF_EW_VIA
HTTP_CF_RAY
HTTP_CF_VISITOR
HTTP_CF_WARP_TAG_ID
HTTP_CF_WORKER
HTTP_CF_COUNTRY
HTTP_CF_REQUEST_ID

Please ask them to specify which headers they’re talking about so Cloudflare can remove them.

Thanks, I believe they said it’s safe to remove them all.

David

No, it’s definitely not safe to “remove them all.” CF-Connecting-IP is the only way to identify the IP address of the visitor hitting the site. Plus, it has nothing to do with SSL. CF-Ray and CF-Request-ID are the only way to track connections going through Cloudflare.

I’ve already asked three times for specific information to fulfill their request that they only hinted at. And now it’s round four in the Shopify “I’m thinking of headers you need to remove, but I won’t tell you which ones” guessing game. I’ve been very specific about which information we need from them. Why can’t they be specific when they make a request? Have them ask someone who knows.

2 Likes
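What an origin server does with the `HTTP_CF_CONNECTING_IP` and `HTTP_CF_RAY` values discussed in the reply above, as an added example that is not part of the thread or any participant's code. It assumes a CGI/WSGI-style `environ` dictionary; the function names and the trusted proxy ranges are hypothetical placeholders.

```python
import ipaddress

# Constructed placeholder ranges (documentation address space), NOT real
# Cloudflare ranges. Assumption: replace with the ranges Cloudflare publishes.
TRUSTED_PROXY_NETS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def peer_is_trusted_proxy(remote_addr):
    """True only if the TCP peer is inside a trusted proxy range."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXY_NETS)


def visitor_context(environ):
    """Return (client_ip, ray_id, source) from a CGI/WSGI-style environ."""
    remote = environ.get("REMOTE_ADDR", "")
    if not peer_is_trusted_proxy(remote):
        # Direct connection: any CF-* header is attacker-controlled, ignore it.
        return remote, None, "direct-peer"
    ray_id = environ.get("HTTP_CF_RAY")
    claimed = environ.get("HTTP_CF_CONNECTING_IP", "").strip()
    try:
        return str(ipaddress.ip_address(claimed)), ray_id, "cf-connecting-ip"
    except ValueError:
        # Header stripped or malformed: only the proxy's address is left.
        return remote, ray_id, "proxy-address-only"


# Constructed sample requests.
VIA_PROXY = {"REMOTE_ADDR": "198.51.100.7",
             "HTTP_CF_CONNECTING_IP": "203.0.113.45",
             "HTTP_CF_RAY": "0123456789abcdef-SYD"}
HEADERS_REMOVED = {"REMOTE_ADDR": "198.51.100.7"}
SPOOFED_DIRECT = {"REMOTE_ADDR": "192.0.2.10",
                  "HTTP_CF_CONNECTING_IP": "203.0.113.99"}

if __name__ == "__main__":
    for name, env in [("via proxy", VIA_PROXY),
                      ("headers removed", HEADERS_REMOVED),
                      ("spoofed direct", SPOOFED_DIRECT)]:
        print(name, visitor_context(env))
```

With the headers removed, every visitor is logged under the proxy's own address, so per-visitor rate limiting, blocking and request tracing at the origin stop working.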

Hi.

The saga continues! Have spent two days with Shopify support, and they insist the only way forward is to remove ALL headers. So would you be able to do that please?

Thanks,

David

In case you’re interested, here is the transcript of our recent chat:

Denise Joy Atienza Evangelista (Shopify)

Dec 30, 2021, 0:16 EST

Full chat transcript below. All timestamps in UTC timezone.

4:35 David Sellar: Hi. Follow on discussion about SSL problems.

4:35 System: An agent has joined the chat

4:35 David Sellar: Hi Denise

4:35 Denise (Support Advisor): Thank you for contacting Shopify. I’m Denise your Shopify Advisor today.

4:36 David Sellar: Had a long discussion yesterday, and was told it had been escalated to technical support, but I haven’t heard back from anyone yet.

4:36 Denise (Support Advisor): I understand you are having a problem with your SSL. Don’t worry, I’ll do my best to help you.

4:37 David Sellar: lifetec.com.au, hopefully you can find yesterday’s thread

4:37 Denise (Support Advisor): Sure, let me check your previous ticket here. Please give me 2-5 minutes here. Thank you.

4:37 David Sellar: Thanks, I have a copy if you need it.

4:39 Denise (Support Advisor): I have it now. I’ll go ahead and review this ticket for you.

4:39 David Sellar: Thanks

4:44 Denise (Support Advisor): Hi David, I’m still here. I’m checking this with our support team to see why your SSL is still pending. I’ll be needing more time. Please bear with me.

4:45 David Sellar: I know why it is, but I’m just waiting for support to give me a specific header name so I can contact Cloudflare and ask them to remove it.

4:47 Denise (Support Advisor): Yes, I’m also asking for a specific header. Please give me another 2-5 minutes here.

4:47 David Sellar: Thanks

4:51 Denise (Support Advisor): Thanks for waiting David. I understand how important this is for you. I spoke with our Technical Team and they told me to remove all headers from Cloudflare.

4:52 Denise (Support Advisor): Removing all headers from Cloudflare will fix the issue.

4:52 David Sellar: Yes, I’ve had that one before. I’ll just get you the response from Cloudflare on that…

4:52 Denise (Support Advisor): Sure please, thanks.

4:52 David Sellar: No, it’s definitely not safe to “remove them all.” CF-Connecting-IP is the only way to identify the IP address of the visitor hitting the site. Plus, it has nothing to do with SSL. CF-Ray and CF-Request-ID are the only way to track connections going through Cloudflare.
I’ve already asked three times for specific information to fulfill their request that they only hinted at. And now it’s round four in the Shopify “I’m thinking of headers you need to remove, but I won’t tell you which ones” guessing game. I’ve been very specific about which information we need from them. Why can’t they be specific when they make a request? Have them ask someone who knows.

4:53 Denise (Support Advisor): Thanks for that. I’ll let our team know about that, so please stay on the line with me as I forward this to them.

4:53 David Sellar: Thanks.

4:56 Denise (Support Advisor): I’m still here David. We’re checking on that response now.

4:56 David Sellar: Thanks

4:57 David Sellar: Here’s a bit more info…

I’m sorry, but that’s too vague. I’ve checked my headers and none of them involve SSL:
HTTP_CF_CONNECTING_IP
HTTP_CF_EW_VIA
HTTP_CF_RAY
HTTP_CF_VISITOR
HTTP_CF_WARP_TAG_ID
HTTP_CF_WORKER
HTTP_CF_COUNTRY
HTTP_CF_REQUEST_ID
Please ask them to specify which headers they’re talking about so Cloudflare can remove them.

4:58 Denise (Support Advisor): Yes I totally understand that this is kinda confusing on your end. But rest assured, we are doing our best to get this fixed.

4:59 Denise (Support Advisor): I spoke with our Technical Team about the response you got from Cloudflare and they advised me that removing all the headers is the only way to resolve the issue for us to provision the certificate for your domain.

5:00 David Sellar: But they tell me the headers aren

5:00 David Sellar: aren’t even connected to the SSL

5:01 David Sellar: Can you email me at [email protected] with the recommendation to do this?

5:01 Denise (Support Advisor): Yes but that’s the one that’s causing the issue.

5:02 Denise (Support Advisor): And removing the headers is the only way to fix.

5:02 David Sellar: Which one is causing the issue?

5:02 Denise (Support Advisor): I understand that Cloudflare mentioned that it’s not right, but for the SSL to work the headers need to be removed.

5:02 David Sellar: All of them?

5:02 Denise (Support Advisor): So we can provision the certificate for your domain.

5:03 Denise (Support Advisor): Yes that’s right.

5:03 David Sellar: OK, can you email this to me please so I can forward it to them?

5:03 Denise (Support Advisor): Sure, no problem David.

5:05 David Sellar: Thanks.

5:05 Denise (Support Advisor): I’ll send you a copy of this chat.

5:06 Denise (Support Advisor): Thank you so much for your patience and understanding. Furthermore, please know that our help does not end here. If you need any more help, you can contact us via chat, or email 24/7. Take care always and bye for now.

5:09 System: Chat ended by agent

Hi @user15575,

Unfortunately, Shopify don’t seem to be giving you the correct information at all which makes it hard for both you and us. The issue with provisioning your certificate is not caused by headers.

As you said that you can’t get any help from the old provider, ask Shopify to follow the process to create an HTTP ownership_verification record.

Shopify should be able to resolve it with the process linked above, but if they still push back, let us know and we’ll have to escalate your Cloudflare ticket so Cloudflare Support can ask you to verify domain ownership of the domain by adding a TXT record to the domain.

1 Like

Simply put, no. That’s completely wrong. I’ve escalated this within Cloudflare to put a stop to that nonsense. Don’t worry, I included a link to this thread so they can track down the real issue.

3 Likes

Hi

To cut Shopify out of this loop, can I just verify my domain by adding a TXT record? I have access and can do this quickly.

Best Regards;

David {redacted}

@sdayman has escalated your ticket so this is likely what they will ask you to do, however it is unlikely to be very quick and may be a few days before you receive a response.

Going via Shopify may be quicker if that can resolve it, but you can wait for Cloudflare Support if you want.