SSL unknown issuer error

ENV:
Client – Windows 10, latest Firefox, Chrome, and Edge browsers
Server – Unraid, NginxProxyManager (NPM)

  1. I have created and installed Origin Certificate on NPM that has the default hosts: *.mydomain.com and mydomain.com
  2. I have added a CNAME for proxy.mydomain.com

However, when I visit, for example, proxy.mydomain.com, I get the following browser warning on all browsers:
Edge/Chrome: NET:ERR_CERT_AUTHORITY_INVALID
Firefox: SEC_ERROR_UNKNOWN_ISSUER

When I view the certificate details, I see the following:
Subject Name:
— Org: Cloudflare, Inc.
— OU: Cloudflare Origin CA
— CN: Cloudflare Origin Certificate
Subject ALT Names: *.mydomain.com, mydomain.com

Why am I getting browser warning about “unknown/invalid issuer” when I access my proxy.mydomain.com site?

Thanks
-rsa

Your DNS record won’t be proxied and you’ll connect directly to your server. Change it from :grey: to :orange:.

It’s already set to proxied:

Did you pause the domain? What’s the domain?

Not sure what you mean by “pause”?

Anyway I can send you the domain via PM?

You can briefly post the domain here and then remove your posting.

All right, you can delete your posting.

Thanks.

The proxy record exists, resolves to Cloudflare, and then redirects to Cloudflare Access. The npm record however does not exist. If you get an SSL warning, that will be most likely because of DNS propagation. I’d wait a couple of hours.

CNAME proxy was created several weeks ago. CNAME npm was deleted in trying to troubleshoot the problem. Doubt that the problem is DNS propagation. But, I’m not the expert here…

Well, proxy resolves fine and there aren’t any certificate issues. npm on the other hand does not exist.

I’m using Nginx Proxy Manager (NPM) and all LE certs work fine, just not any Cloudflare certs.

Also, the SSL error of “Unknown Issuer” is strange when the Cert Subject and Alt-Subject are correct.

Yeah, that is because you are connecting directly to your host, but that will be a DNS issue. Maybe check your hosts file too.

The record itself is there and loads fine without warnings.


Are you using split horizon DNS? From here, I see the correct cert initially, then get sent to CF Access. If you are seeing the Origin certificate, that points to an issue with DNS resolution.

Not a DNS resolution issue here. DNS resolves fine to CF’s proxies.

If you resolve the proxies you will get the proxy certificate and not the origin one. Post a screenshot of the error.

I do have a split DNS setup but have changed the local resolver such that proxy.mydomain.com does not resolve to the local LAN IP. Regardless, I still get the error.


By any chance have you configured the client to use the proxy machine as an HTTP proxy? In that situation, the DNS resolution will be done by the proxy, and it will resolve to itself.
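An added diagnostic, not part of the thread or of Cloudflare's tooling, that checks the two things the replies keep returning to: whether the name resolves to a Cloudflare edge address (an unproxied record, split-horizon DNS or a hosts-file entry would not) and whether the certificate actually served is the Origin CA one, which only Cloudflare's edge is meant to trust. The two sample edge ranges are assumed to still be current (the full list is published at https://www.cloudflare.com/ips-v4), and the resolver and certificate fetcher are injectable so the verdict logic can be exercised with constructed data.

```python
"""Check whether a Cloudflare-proxied name is reached via Cloudflare or directly at the origin."""
import ipaddress
import socket
import ssl
import sys

# Subject strings from the certificate shown in the thread (matched case-insensitively).
ORIGIN_CA_MARKERS = (b"cloudflare origin ca", b"cloudflare origin certificate")
# Two of Cloudflare's published edge ranges (assumed current); load the full list from https://www.cloudflare.com/ips-v4
EXAMPLE_EDGE_RANGES = ("104.16.0.0/13", "172.64.0.0/13")

def is_cloudflare_edge(ip, edge_ranges=EXAMPLE_EDGE_RANGES):
    """True if ip lies inside one of the given Cloudflare edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in edge_ranges)

def served_by_origin_ca(der_cert):
    """True if the DER leaf certificate carries the Origin CA subject strings."""
    blob = der_cert.lower()
    return any(marker in blob for marker in ORIGIN_CA_MARKERS)

def fetch_der_cert(host, port=443, timeout=5.0):
    """Fetch the leaf cert without verifying it: we are diagnosing trust, not relying on it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def diagnose(host, edge_ranges=EXAMPLE_EDGE_RANGES, resolve=None, fetch=None):
    """Return (verdict, addresses); resolve/fetch are injectable so the logic can run offline."""
    resolve = resolve or (lambda h: socket.gethostbyname_ex(h)[2])  # consults the hosts file too
    fetch = fetch or fetch_der_cert
    addresses = resolve(host)
    off_edge = [ip for ip in addresses if not is_cloudflare_edge(ip, edge_ranges)]
    if off_edge:
        return ("direct: DNS answer %s is not a Cloudflare edge address (unproxied record, "
                "split-horizon DNS or hosts file)" % (off_edge,), addresses)
    if served_by_origin_ca(fetch(host)):
        return ("direct: Origin CA certificate served, so the TLS connection bypasses "
                "Cloudflare (check HTTP proxy settings on the client)", addresses)
    return ("proxied: edge address and edge certificate; the Origin CA cert stays behind Cloudflare", addresses)

if __name__ == "__main__":
    verdict, ips = diagnose(sys.argv[1])
    print(ips, verdict)
```

Run it on the client that shows the warning, since that is the resolver and proxy configuration under suspicion.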