Strange Invalid SSL certificate behavior


#1

Hello there, I have a quick question about the SSL certificate generated by Cloudflare. If SSL is set to Full, the website works and the SSL certificate is valid. However, if Full (Strict) is set, the SSL certificate is valid for subdomains but not the root domain, meaning blog.example.com is valid but example.com returns an Invalid SSL Certificate (526) error.

The setup was working fine a week ago; I deleted the website, added it again, and am now facing this issue. Why would the SSL be valid (in Full Strict) for subdomains but not the root domain?

Currently using GitLab as the hosting platform. The DNS configuration is straightforward:

  1. A record - points to GitLab Pages' IP address (35.185.44.232)
  2. CNAME (www) - namespace gitlab URL
  3. CNAME (blog) - namespace gitlab URL
  4. TXT (www) - _gitlab-pages-verification-code…
  5. TXT (blog) - _gitlab-pages-verification-code…

#2

The difference between strict and non-strict is that the former requires a valid certificate on the origin whereas the latter does not. My assumption would be that the certificate for your root domain is not valid for some reason.


#3

Thanks for the explanation. I understand the difference from the Cloudflare docs. So how do you fix/debug this issue? Why would the SSL certificate work for subdomains (blog.example.com) but not example.com in strict mode; aren't they sharing an SSL certificate?

Also, this SSL certificate is generated by Cloudflare. It was working fine a week ago and I re-added the site to Cloudflare. Maybe there is a duplicate certificate for the site? How do you dig deeper into this issue when the SSL certificate is generated automatically by Cloudflare?


#4

It all comes down to what certificate you installed on each domain.


#5

Universal SSL is enabled, so aren't the root domain (example.com) and subdomains (blog.example.com) using the same certificate?

Under the Edge Certificates section:
Hosts: example.xyz, *.example.xyz (2 hosts)
Type: Universal (Shared)
Certificates: 1

So the question: why would the cert work on the subdomain and not the root domain if they share the same certificate? Please let me know if you need more specific information or something is missing.


#6

The problem is not the certificates running on Cloudflare but those running on your server. The one on your naked domain is apparently not valid for that domain.


#7

Got it, thanks. How do I resolve this issue? Here is the setup:

  1. Using Namecheap as the domain name registrar, pointing to Cloudflare nameservers
  2. Using GitLab Pages to host the code/HTML

Does something need to be added to GitLab Pages to make the SSL cert valid?


#8

Can you post the URLs in question?

Did you configure your domain with them? If not, the server won't recognise your domain and hence presents a certificate which does not match your domain, so it fails in strict mode. Best bet is to keep non-strict.


#9

Figured it out. I needed to create a new origin certificate in Cloudflare under Crypto and add it to the GitLab repository (Settings > Pages). This guide has a good overview: https://about.gitlab.com/2017/02/07/setting-up-gitlab-pages-with-cloudflare-certificates/
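The check that Full (Strict) performs against the origin, as #6 and #8 describe it, and the verification you would run after applying the fix from #9, as an added example that is not part of this thread nor of Cloudflare's or GitLab's tooling: connect to the origin IP directly (bypassing the Cloudflare edge), send the hostname as SNI, fetch the certificate the origin presents, and check whether its Subject Alternative Names cover that hostname. Origin IP, hostnames and an optional extra CA file are command-line arguments; the name-matching logic is a pure function so it can be exercised offline, and the certificate dictionary used in its docstring is constructed in the shape that `SSLSocket.getpeercert()` returns. Standard library only, Python 3.7+.

```python
"""Replicate the origin check behind Cloudflare's Full (Strict) mode.

Added diagnostic, not Cloudflare or GitLab code.  For each hostname it
connects to the origin IP with that hostname as SNI, validates the chain
(as Strict does), and then reports whether the presented certificate's
DNS SANs actually cover the hostname.
"""
import socket
import ssl
from typing import Dict, Iterable, List, Optional


def hostname_matches(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """Return True if hostname is covered by one of the DNS SAN entries.

    Wildcard rules follow what browsers and Cloudflare enforce: '*' may only
    be the entire left-most label and matches exactly one label, so
    '*.example.com' covers 'blog.example.com' but neither the apex
    'example.com' nor 'a.b.example.com'.
    """
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                     # ".example.com"
            if host.endswith(suffix):
                label = host[: -len(suffix)]      # what the '*' would have to cover
                if label and "." not in label:
                    return True
    return False


def dns_sans(cert: dict) -> List[str]:
    """DNS names from the dict SSLSocket.getpeercert() returns, e.g. the constructed
    {"subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"))}."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def uncovered_hosts(cert: dict, hostnames: Iterable[str]) -> List[str]:
    """Hostnames that the certificate does not cover."""
    sans = dns_sans(cert)
    return [h for h in hostnames if not hostname_matches(h, sans)]


def fetch_origin_cert(origin_ip: str, hostname: str, cafile: Optional[str] = None,
                      port: int = 443, timeout: float = 5.0) -> dict:
    """TLS-connect to origin_ip with SNI=hostname and return the parsed leaf cert.

    The chain is still validated (CERT_REQUIRED); only the hostname check is
    disabled so we can report the mismatch ourselves instead of getting an
    exception.  `cafile` adds a root (e.g. Cloudflare's Origin CA root) to the
    system trust store.
    """
    ctx = ssl.create_default_context()
    if cafile:
        ctx.load_verify_locations(cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def check_origin(origin_ip: str, hostnames: Iterable[str],
                 cafile: Optional[str] = None) -> Dict[str, str]:
    """Per-hostname verdict: 'covered', a SAN mismatch, or a chain failure."""
    report: Dict[str, str] = {}
    for host in hostnames:
        try:
            cert = fetch_origin_cert(origin_ip, host, cafile)
        except ssl.SSLCertVerificationError as exc:
            # Self-signed, expired, or the issuing root is not in the trust store.
            report[host] = f"chain verification failed: {exc.verify_message}"
            continue
        sans = dns_sans(cert)
        if hostname_matches(host, sans):
            report[host] = "covered"
        else:
            report[host] = f"NOT covered; origin presented SANs {sans}"
    return report


if __name__ == "__main__":
    import argparse

    ap = argparse.ArgumentParser(description="Check what an origin presents per SNI hostname")
    ap.add_argument("origin_ip", help="origin address, e.g. the A record target")
    ap.add_argument("hostnames", nargs="+", help="hostnames to test, e.g. example.com blog.example.com")
    ap.add_argument("--cafile", help="extra root to trust, e.g. Cloudflare's Origin CA root PEM")
    args = ap.parse_args()
    for host, verdict in check_origin(args.origin_ip, args.hostnames, args.cafile).items():
        print(f"{host}: {verdict}")
```

Run it as `python check_origin.py 35.185.44.232 example.com www.example.com blog.example.com` (hostnames are placeholders). Two caveats: a Cloudflare Origin CA certificate, the fix used in #9, chains to Cloudflare's own root, which the Cloudflare edge trusts but the system store does not, so pass that root with `--cafile` or the chain check fails before the name check runs. And the name check is the part that produces the thread's symptom pattern: a certificate whose only DNS SAN is a wildcard such as `*.example.com` covers blog.example.com but not the apex example.com, which is why the per-hostname SAN list is printed on a mismatch.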

