SSL working for existing subdomains but not working for NEW subdomain


#1

SSL is enabled and working for my site thunderstation.com and for all subdomains that existed on the day I created SSL on Cloudflare for this domain.
However, I added a NEW subdomain and the SSL is not working only for this new subdomain.
Does it make sense to anyone, any clue to help? Should I re-issue the certificate somehow to “add” the new subdomain? Is it possible and how?

Thank you for any help.


#2

What is the subdomain you want to create? What error do you get about the SSL?


#3

Is your new subdomain in the DNS tab with an orange cloud next to it, or a grey one? If it’s grey, it’s not passing through Cloudflare (and not getting their SSL/TLS service), and clicking on the grey cloud will make it orange and route it through Cloudflare.

That also means, that unless you have set up SSL/TLS on your server with a Cloudflare “origin certificate”, the connections between Cloudflare and your server are insecure and can be MITM-attacked. You SHOULD install either a trusted cert (such as the free Let’s Encrypt) on your origin server, or at least Cloudflare’s “origin certificate” (but then with Cloudflare bypassed, nobody will be able to browse your site), and set your SSL mode to “Strict (full)” under the Crypto tab.


#4

Shimi,
thank you for your kind information. I will check all points, however it looks a little bit strange to me that Cloudflare SSL is working on my main domain thunderstation.com (you can see in your browser) and it IS WORKING on my subdomain ps.thunderstation.com and it is not working for the new subdomain pac.thunderstation.com… does it make any sense to you? The only relevant information is that the new subdomain (pac) was created 2 days ago and the other subdomain was created on the same day I added my main domain to Cloudflare. Maybe Cloudflare generated a certificate for the first domain and subdomain only? Is it possible?


#5

Well, if you have an improper SSL setup for pac.thunderstation.com on your origin server, and a proper setup on ps.thunderstation.com - and your SSL mode in Crypto is NOT set to “Flexible” (i.e. “work even if encryption is broken”), then yes, it could be.

As for Cloudflare certificate, no. There’s exactly one certificate - your domain and *.yourdomain. As you can see https://pac.thunderstation.com/ does work - you get a Cloudflare page securely. What doesn’t work is the path between Cloudflare and your server…


#6

Shimi, thank you again for your prompt help. :smiley:

Actually my server is with an external provider (Arvixe) and I don’t have any type of remote administration on it (only via pine/cPanel). They say they are “Cloudflare ready” and the first time I added my domain to Cloudflare some 3 months ago everything worked without any specific action on my side (so I believe they really are “Cloudflare ready”… :slight_smile: ). My crypto setting is “Full” (default). Maybe I have to add the DNS A record for “pac.thunderstation” in both (Arvixe AND Cloudflare)?


#7

What you are probably missing is a proper SSL certificate set up for pac.thunderstation.com on their site. Maybe you had proper SSL for the other hostnames before Cloudflare, so everything just worked. DNS records in other places mean nothing, because nobody will query their DNS servers.

It’s really about the HTTPS service on your new host. Maybe there’s a checkbox you need to check…

To prove this, you can click the orange cloud to make it grey, so traffic will go directly to Arvixe. Then you’ll see that you can’t browse to https://pac.thunderstation.com even when Cloudflare is outside the loop…


#8

Shimi,

Ok, I understand the point. I will check this particular item with Arvixe support then. And I just did the “grey step” right now and I will wait some time for “DNS propagation” to test it again. I will let you know the results here later.

Thank you for the enlightenment! :smiley:


#9

Already propagated for me:

$ curl -v https://pac.thunderstation.com
*   Trying XXX.XXX.XXX.XXX...
* TCP_NODELAY set
* Connected to pac.thunderstation.com (XXX.XXX.XXX.XXX) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to pac.thunderstation.com:443 
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to pac.thunderstation.com:443

Proof from 3rd party: https://www.ssllabs.com/ssltest/analyze.html?d=pac.thunderstation.com&hideResults=on
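The check Shimi describes in #7 and #9 (grey the cloud, wait for DNS, then curl) can be done without touching the Cloudflare proxy at all: connect to the origin IP directly and send the hostname as SNI, then look at which certificate comes back and whether its names actually cover the hostname. The script below is an added example for this thread, not code from any of the posts; the hostname and origin IP are placeholders passed on the command line, and the wildcard-matching rule it implements (leftmost-label wildcard, one label only) is the same reason a “*.domain” certificate covers pac.thunderstation.com while a per-hostname certificate does not.

```python
"""Probe an origin server directly, bypassing Cloudflare, and report which
certificate it presents for a hostname and whether that certificate covers
the name. Added example for this thread, not code from the original posts;
the hostname and origin IP are placeholders supplied on the command line."""
import socket
import ssl
import sys


def hostname_covered(hostname, names):
    """True if `hostname` matches one of a certificate's DNS names.

    Exact match, or a wildcard in the leftmost label only; the wildcard
    matches exactly one label, so *.example.com covers pac.example.com but
    neither example.com nor a.b.example.com (the RFC 6125 section 6.4.3 rule)."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            if host.endswith(suffix):
                left = host[: -len(suffix)]
                if left and "." not in left:
                    return True
    return False


def cert_dns_names(cert):
    """DNS names from the dict returned by SSLSocket.getpeercert().

    Prefers subjectAltName; falls back to the subject CN only when the
    certificate carries no SAN entries at all (legacy behaviour)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def probe_origin(hostname, origin_ip, port=443, timeout=5.0):
    """Handshake with origin_ip, sending `hostname` as SNI.

    The chain is verified against the system CA store, but hostname checking
    is done by us afterwards, so a valid certificate for the *wrong* name is
    reported instead of being rejected unseen."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                names = cert_dns_names(tls.getpeercert())
                status = "ok" if hostname_covered(hostname, names) else "wrong-name"
                return {"status": status, "names": names, "detail": tls.version()}
    except ssl.SSLCertVerificationError as exc:
        # Chain not trusted by browsers: self-signed, or a Cloudflare Origin CA
        # certificate (which only Cloudflare's edge trusts, in Full (strict)).
        return {"status": "untrusted", "names": [], "detail": exc.verify_message}
    except OSError as exc:
        # Reset, TLS alert, or nothing listening for this SNI name: the case
        # curl reports as exit 35 / SSL_ERROR_SYSCALL in post #9.
        return {"status": "handshake-failed", "names": [], "detail": str(exc)}


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: probe_origin.py <hostname> <origin-ip>")
    result = probe_origin(sys.argv[1], sys.argv[2])
    print(result["status"], result["names"], result["detail"])
```

Run it with the hostname and the origin’s real IP (the one Cloudflare proxies to, not the orange-cloud address). A “handshake-failed” result matches the curl output above; “wrong-name” means the host serves TLS but with a certificate for other names only, which is exactly the per-hostname versus wildcard distinction; “untrusted” with a Cloudflare Origin CA issuer is fine for Full (strict) but means the site will not work with the cloud greyed.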


#10

I see. And I did not know this www.ssllabs.com/ssltest tool, thank you so much for sharing it! Now it is all related to the Arvixe side. I am already in touch with them. THANK YOU again! :smiley:


#11

Shimi,
just to let you know, I verified with Arvixe and for some reason my hosting plan provides SSL support on a “per-SSL basis”, not “*.domain” SSL support. I had to contract an additional SSL specifically for pac.thunderstation.com and it will work for sure.
I would never have thought of it without your help, THANK YOU again.

Problem solved. :smiley:


#12

Glad I could be of help :slight_smile: