TLS name mismatch error

david45 · December 19, 2019, 10:47pm

I’m setting up Health Check for the first time. No load balancing.

I get this email message: 2019-12-19 21:41:59 +0000 UTC | Down | TLS name mismatch error | WCNY_Home_Page

Where WCNY_Home_Page is the descriptive name I gave to this check.

I see someone posted the same request almost two months ago, but got no reply.

Many thanks,
David.

matteo · December 19, 2019, 11:35pm

What’s the question here? There is a name mismatch in the TLS certificate, fix that and the health check will go up.

david45 · December 19, 2019, 11:47pm

I’m sorry Matteo, where is the TLS certificate?

Everything else is working fine, only the health check is giving an error.

Thank you,
David.

matteo · December 19, 2019, 11:48pm

What is the URL you are checking? The TLS certificate should installed either at your host or in Cloudflare (but it shouldn’t be an issue in this case).

sdayman · December 19, 2019, 11:55pm

I wonder if there’s something wrong with the hostname that’s set in the Health Check. Can you post a screenshot of the Health Check? It’s ok to black out the IP address.

david45 · December 19, 2019, 11:56pm

I think I understand.

Before we switched to Cloudflare, the site used auth.westerncentralny.aaa.com and the SSL certificate in the server is a wildcard for *.westerncentralny.aaa.com.

When we switched to Cloudflare, we couldn’t use a subdomain of aaa.com, so we created a new domain at westerncentralnyaaa.com (no dot before the aaa.com). However some of the site is still using westerncentralny.aaa.com so we couldn’t change the server certificate.

So is that the problem? What I call the SSL certificate (which I guess is technically TLS) is different from the URL.

Many thanks,
David.

matteo · December 19, 2019, 11:59pm

I presume you are going directly to the origin with the check, with the new “on Cloudflare” hostname, but still using the old cert? Yep, that would be the problem. They both should be on the same cert or use two certs.

You can use a third-level subdomain on Cloudflare with a 10$/month paid cert on Cloudflare itself, if the issue is the NS that need to be the root ones then no solution a part from going the CNAME route (Business 200$/month plan, not really doable with a wildcard unfortunately).

david45 · December 20, 2019, 12:02am

Here’s the screenshot.

sdayman · December 20, 2019, 12:09am

Ah! There’s a little checkbox for “Allow Insecure” that says to not validate the certificate. That might fix it.

** The text below was my original reply and can be disregarded, but addresses some of my thoughts:

Try adding a “Header name” of: Host
and a Header Value of: auth.westerncentralny.aaa.com

I’m not entirely sure that will work, as I think about it. That’s more for the server’s benefit.

What SSL setting are you using? Is it just Full, or is it Full (Strict)?

david45 · December 20, 2019, 12:16am

I’ve “allowed insecure”, and the header name and value. Let’s see what that does.

Full or Full (Strict)? where do I look?

As you can tell, this isn’t my field but my developers have left for the evening.

Many thanks,
David.

sdayman · December 20, 2019, 12:23am

That’s part of “Overview” for SSL/TLS.

david45 · December 20, 2019, 12:28am

Thanks.

Full. (Not strict)

sdayman · December 20, 2019, 12:31am

Ok. That explains why your Health Check has that mismatch, and agrees with the setup you describe. Your server’s certificate doesn’t have the same name as your domain. Full (not strict) will use that certificate, but not care if it’s valid. Full (Strict) needs a valid certificate to work.