TLS name mismatch error

I’m setting up Health Check for the first time. No load balancing.

I get this email message: 2019-12-19 21:41:59 +0000 UTC | Down | TLS name mismatch error | WCNY_Home_Page

Where WCNY_Home_Page is the descriptive name I gave to this check.

I see someone posted the same request almost two months ago, but got no reply.

Many thanks,
David.

What’s the question here? There is a name mismatch in the TLS certificate, fix that and the health check will go up.

I’m sorry Matteo, where is the TLS certificate?

Everything else is working fine, only the health check is giving an error.

Thank you,
David.

What is the URL you are checking? The TLS certificate should be installed either at your host or in Cloudflare (but it shouldn’t be an issue in this case).

I wonder if there’s something wrong with the hostname that’s set in the Health Check. Can you post a screenshot of the Health Check? It’s ok to black out the IP address.

I think I understand.

Before we switched to Cloudflare, the site used auth.westerncentralny.aaa.com and the SSL certificate in the server is a wildcard for *.westerncentralny.aaa.com.

When we switched to Cloudflare, we couldn’t use a subdomain of aaa.com, so we created a new domain at westerncentralnyaaa.com (no dot before the aaa.com). However, some of the site is still using westerncentralny.aaa.com so we couldn’t change the server certificate.

So is that the problem? What I call the SSL certificate (which I guess is technically TLS) is different from the URL.

Many thanks,
David.

I presume you are going directly to the origin with the check, with the new “on Cloudflare” hostname, but still using the old cert? Yep, that would be the problem. They both should be on the same cert or use two certs.

You can use a third-level subdomain on Cloudflare with a 10$/month paid cert on Cloudflare itself. If the issue is the NS that need to be the root ones, then there is no solution apart from going the CNAME route (Business 200$/month plan, not really doable with a wildcard unfortunately).

Here’s the screenshot.

Ah! There’s a little checkbox for “Allow Insecure” that says to not validate the certificate. That might fix it.

** The text below was my original reply and can be disregarded, but addresses some of my thoughts:

Try adding a “Header name” of: Host
and a Header Value of: auth.westerncentralny.aaa.com

I’m not entirely sure that will work, as I think about it. That’s more for the server’s benefit.

What SSL setting are you using? Is it just Full, or is it Full (Strict)?

I’ve “allowed insecure”, and the header name and value. Let’s see what that does.

Full or Full (Strict)? Where do I look?

As you can tell, this isn’t my field but my developers have left for the evening.

Many thanks,
David.

That’s part of “Overview” for SSL/TLS.

Thanks.

Full. (Not strict)

Ok. That explains why your Health Check has that mismatch, and agrees with the setup you describe. Your server’s certificate doesn’t have the same name as your domain. Full (not strict) will use that certificate, but not care if it’s valid. Full (Strict) needs a valid certificate to work.
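
The name mismatch discussed in this thread, as an added example that is not part of any post: a simplified version of the hostname check a TLS client performs, run against the two names David mentions. The function names are hypothetical, the certificate name list is constructed from his description, and the matching is reduced to the common rule that a wildcard stands for exactly one leftmost label.

```python
# Simplified certificate name matching (wildcard = exactly one leftmost label).
# CERT_NAMES is constructed from the thread's description of the origin cert.
CERT_NAMES = ["*.westerncentralny.aaa.com"]


def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, hostname):
    """Return True if one certificate name covers the hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        # A wildcard never spans dots, so the label counts must be equal.
        return False
    if p[0] == "*":
        # The wildcard needs a non-empty label in its place and an exact
        # match on everything to its right.
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h


def matching_names(hostname, cert_names):
    """List the certificate names that cover the hostname (empty = mismatch)."""
    return [n for n in cert_names if name_matches(n, hostname)]


if __name__ == "__main__":
    for host in (
        "auth.westerncentralny.aaa.com",  # old hostname, covered by the wildcard
        "westerncentralnyaaa.com",        # new Cloudflare hostname, no dot before aaa
        "westerncentralny.aaa.com",       # bare parent name, not covered by *.
    ):
        hits = matching_names(host, CERT_NAMES)
        print(f"{host}: {'match ' + hits[0] if hits else 'name mismatch'}")
```

A check that validates the certificate performs this comparison and reports the mismatch; "Allow Insecure" and Full (not strict) skip it rather than fix it.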