Universal SSL activated but got SSL certificate invalid

There’s always an alternative. Bottom line is, your current choice refuses to provide you with a secure solution. If you do not change provider you’ll have an insecure site. I am afraid that’s it. @domjh already elaborated on the technical details.

2 Likes

I can’t really add more than what @domjh said. It’s a really good reply. Just change provider, immediately.

Don’t do what they are saying, and they should really be ashamed of asking for credentials. That’s a very big no-no.

It’s a really terrible thought that they have other customers doing anything, especially regarding payments, with that set-up.

2 Likes

Considering they are around here, maybe @pabbly can elaborate why they keep their customers on broken encryption and how they plan to address that.

1 Like

OK, thank you for the perfect explanation @domjh,
it’s really helpful.

Thanks also @sandro @matteo for helping me out.

Now I’ve given them another Cloudflare account with an unused domain connected, so they cannot use the we-must-have-access-to-your-cloudflare-account reason to escape from this situation.

With this, I hope they can get some time to solve this problem,

or… maybe there is someone in this forum who can help them do that?
It’s really weird the way they solve my problem. Even a not tech-savvy guy like me understands they are doing nothing to solve this problem.

I think maybe the technical guy who understands SSL on their side already left the company or something, so they don’t have a capable person to solve this.

It could be an opportunity for you guys to offer them services?

This is still a very bad idea.

They don’t want to solve the issue. They want to run with their non-secure setup as it’s cheaper to maintain. Relatively, as it costs little to nothing regardless, but it has some configuration to create it.

3 Likes

I understand you gave them a dummy account but generally speaking I can only emphasise what @domjh and @matteo already wrote, to never ever hand out your access credentials to anyone. Not only on Cloudflare, everywhere and to no one.

That being said, I highly doubt they will configure a secure environment for you, even now that you gave them your data.

Once they are “done”, check your encryption mode. If it is not “Full Strict”, you’ll still be on an insecure setup.

3 Likes

Thank you for your feedback @sandro and @matteo.

I hope they get me a new update. If they can’t do that, I will try offering them help from an expert. I’ll let you know once they give me an update.

Hello! Finally I got an update from Pabbly, and here is the SSL they’ve configured.

Here is the SSL they’ve successfully configured for me by requesting the credentials.

I’m not sure if this SSL is safe or not:
https://payments.sainttechnologiesindonesia.com/subscribe/60f13bd841191f43bcae75a5/trident-mapping

Could anyone check for me? I don’t quite understand why they can do it for this domain, but can’t for my other domain si.co.id.

Thanks for the help.

Hi again @j3project,

The way to check this is to log into the account with that domain, go to SSL/TLS → Edge Certificates and see what mode it is set to.

Unless it’s Full (Strict) then it’s not fully secure.

It should look like this:

1 Like

@sandro @domjh


what do you think?

Not secure, and especially bad for a payment provider. Cloudflare is not validating the server certificate, so you would be vulnerable to an attack there as any certificate would be accepted, whether it’s for your domain or not.

Pabbly need to get their SSL setup sorted properly instead of getting Cloudflare to mask their lack of certificate for your domain.

1 Like

Precisely what I said earlier.

And it’s precisely what we have been mentioning for the past few days so far and what @domjh and @matteo already addressed. Your provider is unable to provide a secure environment and wants to hide that behind Cloudflare.

1 Like

OK, thanks for your help and advice, guys. Glad I found this community. I hope I can find a better alternative solution in the future, and I hope someone can give me suggestions regarding subscription tools and payment gateways.

Have a nice weekend guys @sandro @domjh @matteo

2 Likes

So you are staying with your current provider and its insecure mode?

Yes, I’ve no choice right now. I’m figuring out an alternative solution.
Finding a payment gateway service that can be integrated with local payment services in Indonesia, and offers LTD with an affiliate module included, is not quite easy. But now I’m still doing research and looking for alternatives.

By the way, could you give me some examples of what bad things can happen to me using their unsecured setup?

I want to know some of the worst possibilities.

Attackers can perform a MITM attack on the connection between Cloudflare and the origin server, which can cause leakage of data such as credit card number, username and password.

1 Like

@erictung already mentioned the main part. Essentially what I already described at the link I posted

Would you continue loading a site if you get a certificate warning? That’s the setup you currently have.

Cloudflare does not validate the certificate and will accept any it is presented with. Anyone who has access to the line to your server will be able to present their own certificate (which Cloudflare will gladly accept) and intercept and record your traffic along with all payment related data.

2 Likes

Your transport encryption is now essentially as good as any random self-signed certificate and has the same level of “security”.

Apologies for putting it in such a blunt fashion, but your encryption is basically worthless at this point. You have some “encryption” but that could be “encrypted” by anyone and you won’t even notice.
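The check the replies keep coming back to, written out as an added example that is not part of any post in this thread: connect to the origin directly and validate its certificate the way a strict client would, then combine the result with the zone's configured mode. The mode strings are assumed to be the values of the zone's `ssl` setting as returned by the Cloudflare API; the address and hostname in the demo are placeholders.

```python
import socket
import ssl

# Constructed table: values of a zone's "ssl" setting in the Cloudflare API
# mapped to whether Cloudflare validates the origin certificate.
MODE_VALIDATES_ORIGIN = {
    "off": False,       # Off
    "flexible": False,  # Flexible: plain HTTP to the origin
    "full": False,      # Full: TLS to the origin, any certificate accepted
    "strict": True,     # Full (Strict): certificate must validate
}


def origin_cert_check(origin_addr, hostname, port=443, timeout=5.0):
    """Handshake with the origin directly and validate chain + hostname.

    Caveat: a Cloudflare Origin CA certificate is trusted by Cloudflare only,
    so it is rejected here although Full (Strict) accepts it.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname on
    try:
        with socket.create_connection((origin_addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return True, "valid until " + tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        return False, "certificate rejected: " + exc.verify_message
    except OSError as exc:  # refused, timed out, or not speaking TLS
        return False, "no TLS connection: " + str(exc)


def assess(api_mode, cert_ok):
    """Combine the configured mode with the result of the origin check."""
    if MODE_VALIDATES_ORIGIN.get(api_mode, False):
        return "secure: Cloudflare validates the origin certificate"
    if cert_ok:
        return "insecure mode, origin certificate is valid: switch to Full (Strict)"
    return "insecure: origin presents no valid certificate for this hostname"


if __name__ == "__main__":
    # Placeholders: replace with the origin's real address and your hostname.
    ok, detail = origin_cert_check("203.0.113.10", "shop.example.com")
    print(detail)
    print(assess("full", ok))
```

`origin_addr` can be an IP address or the provider's own hostname (the CNAME target), as long as it reaches the origin without passing through Cloudflare.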
