[ssl:warn] AH01906: server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

Hello

Regrettably I still notice that I can only intermittently access to a website recently established: I mean that both browsers Chrome and Firefox notify that the certicate some times is self signed and others not!

At this stage, I recently noted that the domain involved resolves to four (4) IPs, 2 IPv4 and 2 IPv6:

nslookup giardinodivenere.it
Address: 172.67.204.67
Address: 104.21.74.163
Address: 2606:4700:3035::6815:4aa3
Address: 2606:4700:3034::ac43:cc43

That website - running through the control panel Virtualmin - has its first DNS zone on a provider which points to Cloudflare.

May you please suggest the correct troubleshooting to accomplish in order to fix that issue?

Thank you in advance.

Your site is configured correctly in Cloudflare and should be working, the DNS entries are proxied so you should only see the Cloudflare SSL certificate.

https://cf.sjr.org.uk/tools/check?6eea0291cead4cf5810cc28cb521d667

What DNS servers have you set on your machine? If you are getting a self-signed certificate you are likely connecting directly to your origin server and being pointed there by something on your machine/network. Did you put any settings in your /etc/hosts file to point to your domain during development?

Do you mean the DNS records set on Virtualmin?

I did not touch that file.

Hello @sjr

According to a comparison made between two websites that run under Virtualmin and whose DNS zone is located for both on Cloudflare, I noticed via Chrome that the certificate information (when some times the browser accepts it without considering it self-signed) changes depending on the website examined:

First website:

Second website (the one under consideration):

Shouldn’t Cloudflare always be the authority that issues the certificate?

Thank you in advance.

No, Cloudflare is not a CA. It uses external CAs (even the, now no longer available, one that claims to be Cloudflare is from Digicert).

Noted.

In any case, the 1st says: Issued by Common Name (CN) Cloudflare Inc ECC CA-3: how can I have the same output for the 2nd?

Do I have to investigate on my Cloudflare dashboard?

Thank you in advance.

You can’t. Digicert certificates are no longer being issued by Cloudflare as in the links above. On a free account you will get LetsEncrypt certificates once Digicert ones expire.

Has your original problem with self-signed certificates gone away for you? There’s no issues from my connection to your site.

Noted.

Nope. On Virtualmin control panel both websites have the same SSL certicate settings and I still have the same issue: some times the browsers resolve the host/ip and others not.

That will be something for you to work out locally. From the rest of the world, at the current time, your site is resolving to Cloudflare on the public DNS. (That is testing the home page which is the only page and mostly blank).

https://cf.sjr.org.uk/tools/check?c9086c61ab6541fba9918ea1fda311bf

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.