Suddenly getting 403 if CDN is enabled

ssl

#1

Hi everyone,

I put my site behind Cloudflare last week and it has been working well. But today I woke up to an error message that my site is not accessible.

I am getting a generic nginx 403 page when I try to access my site (same as Why 403 Forbidden all of a sudden when I go to my site?), along with a ‘not secure’ warning in Chrome’s address bar.

When I disable CDN as shown in the picture, the error disappears.

I am using an SSL cert issued by Letsencrypt on my server and Full SSL in Cloudflare. I can confirm that the Letsencrypt cert has not expired.

Any ideas how to debug this issue? I am confused as to why it was working and suddenly stopped working when nothing changed.

Additional information

When I enable the CDN, I get the following error (ERR_CERT_COMMON_NAME_INVALID) in Chrome’s security tab:

The error I get when I curl the https version of the site is:

curl: (51) SSL: no alternative certificate subject name matches target host name 'my-domain.com'

I have force-renewed the Letsencrypt certificate, but the issue still persists if I turn on the CDN.


#2

Can you check your origin server firewall and make sure that Cloudflare’s IP range is not blocked?


#3

I whitelisted all of Cloudflare’s IP addresses in the nginx config and restarted nginx. However, the issue persists.

Before even getting 403, I am getting an error with a certificate:

When I continue to the website I get 403:

Here is curl output:

curl -v https://my-site.com
* Rebuilt URL to: https://my-site.com/
* Hostname was NOT found in DNS cache
*   Trying 104.18.54.88...
* Connected to my-site.com (***.***.***.***) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ****-****-AES128-GCM-SHA256
* Server certificate:
* 	 subject: OU=Domain Control Validated; OU=PositiveSSL Multi-Domain; CN=sni219729.cloudflaressl.com
* 	 start date: 2017-05-07 00:00:00 GMT
* 	 expire date: 2017-11-13 23:59:59 GMT
* 	 subjectAltName does not match my-site.com
* SSL: no alternative certificate subject name matches target host name 'my-site.com'
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):
curl: (51) SSL: no alternative certificate subject name matches target host name 'my-site.com'

Any ideas why this is suddenly happening?
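A small check that reproduces what the curl trace above is reporting: it fetches the leaf certificate the edge presents for a name (chain validated, hostname check deferred) and tests whether any DNS SAN actually covers that name. This is an added example, not code from the thread or from Cloudflare; `my-site.com` is the thread's placeholder and the sample SAN list is constructed.

```python
import socket
import ssl

# Constructed sample: DNS SANs of a shared Cloudflare SNI certificate like the
# one in the curl trace above (the real one lists many unrelated customers).
SAMPLE_SANS = ["sni219729.cloudflaressl.com", "*.sni219729.cloudflaressl.com",
               "other-customer.example", "*.other-customer.example"]

def san_matches(hostname, san_names):
    """True if any DNS SAN covers hostname (RFC 6125 rules): '*' counts only as
    the whole leftmost label and matches exactly one label, never the apex."""
    host = hostname.lower().rstrip(".").split(".")
    for san in san_names:
        labels = san.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*":
            # A wildcard must leave at least two real labels ('*.example.com').
            if len(labels) >= 3 and labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False

def diagnose(hostname, san_names):
    """Explain the verdict a browser or curl would reach for this SAN list."""
    if san_matches(hostname, san_names):
        return "ok: certificate covers " + hostname
    return ("mismatch: none of %d SAN entries cover %s "
            "(curl error 51, Chrome ERR_CERT_COMMON_NAME_INVALID)"
            % (len(san_names), hostname))

def fetch_dns_sans(hostname, port=443):
    """Connect with SNI and validate the chain against the system trust store,
    but skip the hostname check so a mismatched leaf can still be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # san_matches() does this step
    ctx.verify_mode = ssl.CERT_REQUIRED  # still reject untrusted chains
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # live check of a real host: python check.py host
        print(diagnose(sys.argv[1], fetch_dns_sans(sys.argv[1])))
    else:                   # offline demo against the constructed SAN list
        print(diagnose("my-site.com", SAMPLE_SANS))
```

Run it against the proxied hostname with the CDN on and off: with the CDN on it should report the edge's shared certificate and a mismatch exactly like the curl output, with it off the origin's Letsencrypt SANs.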


#4

Can you try turning SSL Off, then Full mode again?

I just checked the CT logs and it seems that a certificate was generated for your domain on August 12, but somehow Cloudflare still used a certificate generated on May 7 that does not contain your domain.

If that does not solve the SSL error, you might want to contact Cloudflare Support.