Universal Edge Certificate reset?


Something uncommon happened with one of the domains I maintain with the help of Cloudflare.

Long story

At night I received a notification from the Transparency Report feature that someone had issued a new certificate for our domain at Let’s Encrypt.

Because I didn’t know that Cloudflare uses Let’s Encrypt for managed certificates (I believed that only DigiCert is currently used, plus there is no Cloudflare branding in Let’s Encrypt certificates), and because this domain has a history, I had reason to suspect something nasty was happening.

I revoked the certificate via Let’s Encrypt and everything looked fine. Until the revocation propagated properly and users started reporting that they could not access the website.

I was very surprised when I found that the certificate I revoked was used by Cloudflare as the Universal Edge Certificate.

But I couldn’t find any means to reset or re-install the certificate. The revoked certificate looks just fine to Cloudflare services.

Since this was a free plan I couldn’t contact support to help me out (the ticket just got closed by a bot each time).

tl;dr: I revoked the Universal Edge Certificate which is managed by Cloudflare for my domain.

The only way I could fix it quickly was by purchasing Advanced Certificate Manager (https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager) and ordering a new certificate there.
(Just in case someone needs a quick solution in similar circumstances.)

But I’m still wondering whether there is any better or “correct” way to fix this issue?

I’m thinking about something like:

  • some feature (API call?) to trigger a renewal for an existing certificate;
  • periodic checks (which just haven’t been triggered yet) inside Cloudflare that would find that the certificate has been revoked and cause a renewal;
  • some ‘trick’ to reach the support team and get it fixed.

I think that $10/month (current price for Advanced Certificate Manager) for the 90-day lifespan of a Let’s Encrypt certificate is a fair price for being kind of stupid and revoking a valid certificate in use, but anyway :slight_smile:
Shouldn’t there be a better way for those out there who are using the Free plan (for any reason)?
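The check a domain owner wants before reacting to a CT-log alert like the one above is whether the reported certificate is the one the edge is actually serving; if it is, revoking it takes the site down. The script below is an added example for this thread, not Cloudflare’s code or the poster’s. It compares the SHA-256 fingerprint a CT monitor reports against the leaf certificate fetched from the edge, and it also builds the API request for the fix the thread converges on (disable Universal SSL, wait, re-enable it). The PEM it uses in its self-check is a constructed stand-in, not a real certificate; the zone id, token and hostname are placeholders, and the Universal SSL settings endpoint is taken from Cloudflare’s API reference (verify it against the current docs before relying on it).

```python
"""Checks to run before acting on a CT-log alert for a Cloudflare-fronted domain.

Added example for this thread; not Cloudflare's code or the poster's.
Placeholders: the hostname in the usage note, zone id and API token.
"""
import base64
import hashlib
import json
import re
import socket
import ssl
import urllib.request


def normalize_fingerprint(fp: str) -> str:
    """Turn 'AB:CD:..', 'ab cd ..' or 'abcd..' into plain lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def der_from_pem(pem: str) -> bytes:
    """Strip PEM armour and decode the base64 body to DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the value CT monitors usually report."""
    return hashlib.sha256(der).hexdigest()


def served_matches_report(served_der: bytes, reported_fp: str) -> bool:
    """True if the certificate the edge presents is the one the alert named."""
    return sha256_fingerprint(served_der) == normalize_fingerprint(reported_fp)


def advise(served_der: bytes, reported_fp: str) -> str:
    """One-line verdict: is the alerted cert your own edge cert or something else?"""
    if served_matches_report(served_der, reported_fp):
        return "reported cert is the one your edge serves: revoking it breaks the site"
    return "reported cert is not what the edge serves: investigate before revoking"


def fetch_served_cert(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate the edge presents for `host` (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def build_universal_ssl_request(zone_id: str, enabled: bool, token: str) -> urllib.request.Request:
    """Build the PATCH that toggles Universal SSL for a zone.

    Endpoint as documented in Cloudflare's API reference (Edit Universal SSL
    Settings). The thread's fix is enabled=False, wait, then enabled=True.
    """
    url = f"https://api.cloudflare.com/client/v4/zones/{zone_id}/ssl/universal/settings"
    body = json.dumps({"enabled": enabled}).encode()
    req = urllib.request.Request(url, data=body, method="PATCH")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    return req


# Constructed stand-in: arbitrary bytes wrapped in PEM armour. It is not a
# real certificate; it only exercises the decode-and-hash path offline.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"not-a-real-cert").decode()
    + "\n-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    # Offline self-check using the constructed PEM as if it were the alerted cert.
    reported = sha256_fingerprint(der_from_pem(SAMPLE_PEM))
    print(advise(der_from_pem(SAMPLE_PEM), reported))
    # Real use (needs network; hostname is a placeholder):
    #   served = fetch_served_cert("example.com")
    #   print(advise(served, "<fingerprint from the CT alert>"))
```

In a real run the fingerprint comes from the CT monitor’s alert and the served certificate from `fetch_served_cert`; only when `advise` reports a mismatch is there something worth investigating. To apply the thread’s fix, send `build_universal_ssl_request(zone, False, token)` with `urllib.request.urlopen`, wait the suggested 20 minutes, then send it again with `True`.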



Am I understanding you correctly, you revoked the certificate out-of-band, directly with Let’s Encrypt (presumably via some sort of domain validation)?

I’d first try the usual way of disabling Universal SSL, waiting for 20 minutes, and then re-enabling it. Though I cannot guarantee at this point if Cloudflare would actually get a new certificate issued - and if they don’t, you’ll still have the revoked certificate.

Should that be the case you could really only go for ACM or contact support and have them force a new certificate issuance.

Yes, the certificate was revoked manually via certbot.

Disabling and re-enabling SSL was the first thing I tried. But I didn’t wait for 20 minutes (3-5 minutes tops).
I dropped this idea as soon as I saw that disabling SSL completely didn’t wipe out the managed certificate (I could still see the Universal Certificate in the dashboard and there was no sign of it going anywhere :slight_smile:)

Anyway, thanks for the input! I think I will try this on a separate domain just to see if it works.

Waiting a bit longer would be a good idea, but again, there’s no guarantee and based on your experience Cloudflare will probably just reinstate the certificate. In that case support really will be the most viable option.

And yes, you did choose an unorthodox approach to get the Universal certificate down :smile:.

Otherwise you could probably just purchase ACM for the time being and enable Universal SSL again once the certificate is up for renewal. That should get you a valid Universal certificate too.

Turning the SSL Mode to Off does not disable Universal SSL; they are two separate settings.

Honestly, I think this is such an edge case that it could not be engineered against efficiently. And you would end up in a situation with somebody screaming from the rafters that Cloudflare keeps renewing certificates that have been revoked! There have been many more people complaining that they did not authorise CF to issue certs (even though they moved their DNS to CF) than people revoking them.

Outside of your shotgun-foot moment, what are the other use cases? I would expect lots of people would force renewal of their certs for no reason other than “I like to have at least 12 months on my certs”. What I’m hoping for is that CF start to reduce the default certificate lifetime to 90 days, and maybe eventually get to short-lived certificates of 24 to 72 hours.

Yes, you’re right! Thanks. I missed this setting completely.

So that would be the answer: all that’s needed is to disable Universal SSL and enable it back.
This removes the currently installed certificate, and re-enabling causes a new one to be issued.

That’s precisely what I was referring to. The encryption mode is unrelated to the certificate.

Yeah, my mistake, sorry. I should have looked more carefully.
Thank you :handshake:

