Universal SSL activated but got SSL certificate invalid

Hi Cloudflare team and Cloudflare community

I'm trying to set up one of my subdomains for payment verification, but my SSL certificate is invalid.
Link: https://payments.si.co.id

I have checked the error with DNS diagnostic, but I don't understand anything; I'm not a tech-savvy guy.
Can anyone help me regarding the SSL activation?

Here is the detail:

So am I missing something?

What should I do now to get SSL activated?

Really desperate about this, hope someone can help me

Thank you!

Hi @j3project,

Sorry to bounce you back where you came from, but this isn’t a Cloudflare issue. That subdomain is unproxied and going directly to Pabbly. The certificate they are presenting is issued to custom.pabbly.com and not your domain, that’s something they need to fix.

1 Like

So, is there any advice that I can give to the Pabbly team about how to fix their certificate issue?

After meeting with them for hours, they are struggling to find the problem; maybe you have some technical advice?

Thank you Domjh for the help!

$ dig payments.si.co.id +short
custom.pabbly.com.
52.38.145.201

This shows where that hostname resolves to and that it’s not proxied by Cloudflare.


This then shows the certificate presented; you can see that the only hostname listed on the certificate is payments.pabbly.com.

This looks like their default certificate, but if they support custom domains, they need to issue a certificate for the custom hostname payments.si.co.id and serve that instead, for HTTPS to work.

I’m afraid I can’t really say more than that, I don’t know anything about their setup and this is unrelated to Cloudflare. They just need to ensure that a valid certificate for your custom domain is presented.

1 Like

OK, I'll forward this to Pabbly. If they are using Cloudflare also, they should ask their support, right?

Sure, feel free to send them a link to this thread. It looks to me like they are using GoDaddy and Amazon (or resellers of them), not Cloudflare.

They asked me for our Cloudflare account credentials. Do you think it will fix the issue, since the problem came from their side?

This is their response

Unfortunately, our company wouldn't let me share credentials due to security issues. What is your suggestion?

I would never recommend sharing your account credentials with anyone. Only trusted parties should have access, and even then Cloudflare has the facility to invite users to an account without having to send your credentials.

This seems to be the post they are referring to → Need help on SSL activation

Reading through their docs, the way they want you to set up SSL at Cloudflare is not secure and simply hides the fact that they do not have a certificate for your domain. If they want to offer custom domains with HTTPS, they will need to provide that. Using Cloudflare as they describe it would encrypt the connection from your users to Cloudflare, but the certificate between Cloudflare and Pabbly cannot be verified as it is not valid for your site. This is an insecure setup, and is especially bad for a provider that appears to accept payments.

5 Likes
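The hostname check discussed in the replies above (the certificate lists only payments.pabbly.com, so no verifying client, browser or proxy, can accept it for payments.si.co.id), as an added Python example that is not part of the original thread. The certificate dictionaries are constructed samples in the shape returned by `ssl.SSLSocket.getpeercert()`, and the function names are illustrative.

```python
import socket
import ssl

# Constructed samples in the shape returned by ssl.SSLSocket.getpeercert().
PROVIDER_DEFAULT_CERT = {"subjectAltName": (("DNS", "payments.pabbly.com"),)}
CUSTOM_DOMAIN_CERT = {"subjectAltName": (("DNS", "payments.si.co.id"),)}


def dns_names(cert):
    """Return the DNS entries of the certificate's subjectAltName."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """Match one certificate name against a hostname.

    A wildcard is honoured only as the whole leftmost label and stands for
    exactly one label, which is how TLS clients apply it.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def covers(cert, hostname):
    """True if any DNS name on the certificate is valid for hostname."""
    return any(name_matches(name, hostname) for name in dns_names(cert))


def live_check(hostname, port=443, timeout=10):
    """Connect as a verifying client would; return (ok, detail)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return True, dns_names(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message


if __name__ == "__main__":
    for cert in (PROVIDER_DEFAULT_CERT, CUSTOM_DOMAIN_CERT):
        print(dns_names(cert), covers(cert, "payments.si.co.id"))
```

`live_check` needs network access and is meant to be run against the custom hostname once the provider says a certificate has been issued; it succeeds only when the served certificate is valid for that name.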

I can only second and emphasise that.

Your provider appears to have placed you on an insecure setup.

3 Likes

😦 I'm so frustrated setting these things up

So what do I need to do to help Pabbly resolve this issue?
Could someone give a suggestion to Pabbly on how to fix this?

The only suggestion I can offer is what I said yesterday, I’m afraid. Pabbly need to issue a certificate for payments.si.co.id on their end. You can then consider proxying through Cloudflare if you want, but the key thing is that there must be a certificate for your domain on Pabbly’s end.

1 Like

Thank you for the help domjh, I really appreciate it.
Could you give an example of how to issue a certificate for a custom domain?

I think the Pabbly team needs more helpful resources about this

If they want to use Cloudflare for this, they would want to look at SSL for SaaS
SSL for SaaS Providers | Cloudflare

Otherwise, they can use any CA to get a certificate. They already use Let’s Encrypt for their own site, which is completely free. They could also use that to issue certs for custom domains

1 Like

OK, I've forwarded this to the Pabbly team. Will let you know soon when I get the answer

Emphasising this again, just for anyone coming across this. Never, never, never share your Cloudflare credentials with anyone and, ideally, never share API tokens as well, especially the global ones. Do create specific tokens for specific functionalities when required.

5 Likes

sry, wrong reply email and arrived here.

Thank you for reminding me, Matteo

I'll never share the credentials with them. Thanks for your advice.
I think Pabbly is lacking a technical expert in SSL right now, since it seems they are confused by their own SSL settings

They also put their request in here, like this

It’s that they don’t want to deal with that pain and want to offload the issue to others, not caring about the actual security of the connection.

I saw @domjh and @sandro engaged. It’s gonna be fun.

3 Likes

Hope they can resolve this as soon as possible.

Thank you @domjh and @sandro and also you

Just realized you're all legends in this community

It's a pleasure to talk with you guys, hope I can contribute something to this community in the future

2 Likes

I’ve just got new update from them.

I’m really sure that this case is not related to UI change and does not require any access to our CF account.

Should I buy a new domain account using another credential so they can make progress?

I don’t want to get stuck because all the reasons do not make sense to me.

I already gave them the solutions from you guys, @domjh @matteo
But they insist on getting the credentials, and I worry they don't have a tech team capable of understanding this situation and are trying to come up with reasons and impossible requirements that can hold me up?

What if this is because the domain is not transferred to Cloudflare?
Should I transfer the domain to Cloudflare first instead of connecting using nameservers?
I'm trying hard to understand these technical things (I'm not a technical guy)

Strongly recommending to get another provider.

3 Likes