SSL: The issuer of this certificate could not be found - IIS

Trying to secure an in-house Windows IIS server with the CF SSL. Ours seemed to work last night but has now stopped again. Not sure what’s causing it to have issues.

Generated cert from the server. Pasted that info into CF. Created the files from the generated info at CF. Added them in IIS. Updated Bindings. Set CF DNS to proxy (tried both Full and Full Strict).

Worked, no errors, inside or outside of the network last night.

Then this morning, it’s like something reverted back. Works from the server…

…but not any other machines on the network. Now we’re getting this error: The issuer of this certificate could not be found.

Cloudflare Diagnostic Center

Any ideas?

It looks like it lost the Origin CA Root Certificate.


You can’t get the green lock with this kind of SSL without proxying first with CF.

Origin Certificate is an optimized version of OpenSSL; this is for server-to-server communication, not for local use. You need to patch those issues by enabling the Cloudflare proxy and keeping Full (strict) SSL mode.

For this spot…

Do I just download those PEM files and change them to CRT files and upload them as Complete Certificate Request in IIS? That didn’t work.

I reinstalled the originally created CRT file and restarted the server. It just seemed to replace the one that was already showing. Not seeing a difference.

These are all of the ones showing…

This is still the result from off the server… (on the server it still shows as: This certificate is OK.)

and…

I’m not positive I’m following you, but I have the domain set to proxy. I’ve tried both Full and Full (strict)

These are all of the Diagnostic Center results…

Test Results:

DNS
  Check nameservers: Are the Cloudflare nameservers configured correctly in the site? Looking Good!
  Check DNSSEC configuration: Does the site have valid DNSSEC records? Error Found (no_dnssec_found: The site does not have any DNSSEC records.)
  Check DS record configuration: Does the hostname have a DS record? Does this record use the Cloudflare algorithm? Error Found (not_found_ds_record: The hostname has no DS records.)
  Check if connecting to ‘domain.com’ works: Is there an A or AAAA DNS record to make connecting to ‘domain.com’ possible? Looking Good!
  Check if connecting to ‘www.domain.com’ works: Is there an A or AAAA DNS record to make connecting to ‘www.domain.com’ possible? Looking Good!
  Check for existing MX records: Does the domain have an MX record? Looking Good!

HTTP
  Check for redirect loops: Does the request result in a redirect loop? Looking Good!
  Check the HTTPS status: Does the site respond with a successful HTTPS status? Looking Good!
  Check if redirecting unencrypted HTTP traffic works: Does the website redirect unencrypted traffic from HTTP to HTTPS? Looking Good!

SSL/TLS
  Check the status of encrypted traffic: How well does the website support encryption via an SSL/TLS certificate? Looking Good!
  Check the site for mixed content: Does the website mix encrypted and non-encrypted content? Looking Good!

Speed
  Check site speed (TTFB): How fast is the page response time? Looking Good!

DNSSEC and DS go together. They’re both ends of the DNSSEC connection.

As for the IIS configuration for certs, I don’t know. I don’t use IIS. Maybe stackoverflow.com has info or assistance.

Thanks. Is it related to this issue at all though?

Nope. Those are to lock in your current name servers.

OK. I didn’t think so. This SSL issue is stumping me though. I feel like it’s really close, just missing a click or two somewhere.


Checked here and it says: It’s all good. We have not detected any issues.

https://decoder.link/sslchecker/

Still…

That implies that the browser is connecting directly to the origin instead of proxied by Cloudflare.
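The quickest way to confirm the point made above (and in the earlier reply about Origin certificates only being meaningful behind the Cloudflare proxy) is to run a check from one of the LAN machines that shows the error, rather than from the server. The script below is an added example written for this thread, not something posted by the original poster or taken from Cloudflare or IIS. It assumes the hostname ‘www.domain.com’ used in the Diagnostic Center output (replace it with your own), that the client can reach port 443, and that a Cloudflare Origin CA certificate has an issuer name containing “CloudFlare Origin” (an assumption about the issuer string). It resolves the name as that client sees it, flags a private (RFC 1918) answer, which would mean an internal DNS zone or hosts entry is sending browsers straight to the origin, then performs a TLS handshake, prints the issuer of the certificate actually presented, and runs the same chain build the browser does.

```powershell
# Added diagnostic for this thread; assumptions are marked in comments.
# Run on a LAN client that reports "The issuer of this certificate could not be found".
param(
    [string]$HostName = 'www.domain.com',   # assumed hostname from the thread; replace with yours
    [int]$Port = 443
)

function Test-PrivateIPv4 {
    # True for RFC 1918 addresses (10/8, 172.16/12, 192.168/16); IPv6 is reported as public here.
    param([System.Net.IPAddress]$Address)
    if ($Address.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $Address.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# 1. What does THIS machine resolve the name to? A private address means the Cloudflare
#    proxy is being bypassed by internal DNS (split-horizon zone, hosts file, etc.).
foreach ($addr in [System.Net.Dns]::GetHostAddresses($HostName)) {
    $tag = if (Test-PrivateIPv4 $addr) { 'PRIVATE - proxy bypassed, origin reached directly' } else { 'public' }
    '{0} resolves to {1} ({2})' -f $HostName, $addr, $tag
}

# 2. Handshake and inspect the leaf certificate that is really presented to this client.
#    The validation callback accepts anything so we can see the cert even when it is untrusted.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
try {
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($HostName)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    "Subject : $($cert.Subject)"
    "Issuer  : $($cert.Issuer)"
    # Assumption: Cloudflare Origin CA issuer names contain "CloudFlare Origin" (-like is case-insensitive).
    if ($cert.Issuer -like '*CloudFlare Origin*') {
        'Origin CA certificate presented: only the Cloudflare edge trusts this issuer, so a browser that reaches the origin directly reports an unknown issuer.'
    } else {
        'Publicly trusted issuer presented: this client is going through the Cloudflare edge (or a public cert is bound in IIS).'
    }

    # 3. Build the chain with this machine's trust store, the same check the browser performs.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $built = $chain.Build($cert)
    "Chain builds on this machine: $built"
    foreach ($status in $chain.ChainStatus) {
        '  status: {0} - {1}' -f $status.Status, $status.StatusInformation.Trim()
    }
} finally {
    $client.Close()
}
```

Run it once from the server (where the thread says the cert shows as OK) and once from a workstation that fails; if the workstation resolves the name to a private address and sees the Origin CA issuer while the Diagnostic Center from outside is green, the fix is in internal DNS (or a hosts entry), not in the IIS binding or the SSL mode setting. Proxying and Full (strict) only apply to traffic that actually passes through Cloudflare.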

Both the primary A record and the ‘www’ CNAME were set to proxy. Tried every variety of it (Flexible, Full, Full (strict)).

Not sure what it was. Tried this for several hours, several days. I couldn’t get it figured out. Bought a 3rd party cert and had it set up in 15 minutes.

I was really hoping this would work. Oh well.

Hi @wua, did this get to work? I may be able to assist you if you don’t mind.

@Toomakesense, do you have any idea on this? Please share how to fix it. Thanks.