Universal SSL activated but got SSL certificate invalid

Don’t have another for now :frowning:

I completely agree. Their screenshot guide does reference an older version of the Cloudflare dashboard, but how the products work has not fundamentally changed. Purchasing a new domain won’t help in this case, nor does the domain need to be transferred to Cloudflare.

Based on the messages I have seen, I would have to agree.

Let me try to explain this, please just ask if you want me to clarify something.

Cloudflare is a proxy service. This means that if you use Cloudflare, they sit between your customers and your website. If I visit a website using Cloudflare, I will connect to Cloudflare, and then Cloudflare will connect on to your website and pass the data back to me.

For HTTPS to work on a site, an SSL/TLS certificate is required. This essentially authenticates your website and is really important. Because of the way Cloudflare works, two SSL/TLS certificates are needed. As I mentioned earlier, there are two parts to the connection and a certificate is needed for each. One to secure the connection between the customer and Cloudflare (That’s the Cloudflare certificate) and one to secure the connection between Cloudflare and your server (That’s the server/origin certificate).
That’s represented by the two green lock icons here:

The way certificates work is that they are tied to a particular domain/hostname. This means that if I visit example.com, the certificate needs to be issued to example.com, otherwise it is invalid. If the certificate was issued to provider.com instead, the certificate would be invalid and the connection would not be secure.

The way Pabbly is trying to get you to set this up would theoretically work, however it is not secure. This is because the certificate they present is for payments.pabbly.com, not payments.si.co.id.

This is the certificate they present:

Going back to the diagram I showed earlier:

What it should be:

What Pabbly are suggesting:

What they are essentially wanting you to do is remove that second lock between Cloudflare and them. So your customers’ data would be secured as far as Cloudflare, but then insecure between Cloudflare and Pabbly because they present an invalid certificate. This is never advisable and is terrible practice, especially for a payment provider.

P.S. Just to clarify, based on Pabbly’s message: we aren’t Cloudflare staff, just other users experienced with using Cloudflare who are MVPs here on the community.


There’s always an alternative. Bottom line is, your current choice refuses to provide you with a secure solution. If you do not change provider you’ll have an insecure site. I am afraid that’s it. @domjh already elaborated on the technical details.


I can’t really add more than what @domjh said. It’s a really good reply. Just change provider, immediately.

Don’t do what they are saying, and they should really be ashamed of asking for credentials. That’s a very big no-no.

It’s a really terrible thought that they have other customers doing anything, especially regarding payments, with that set-up.


Considering they are around here, maybe @pabbly can elaborate on why they keep their customers on broken encryption and what they plan to do to address that.


OK, thank you for the perfect explanation @domjh,
it’s really helpful.

Thanks also @sandro @matteo for helping me out.

Now I’ve given them another Cloudflare account with an unused domain connected, so they cannot use the we-must-have-access-to-your-Cloudflare-account reason to escape from this situation.

With this, I hope they can get some time to solve this problem,

or… maybe is there anyone in this forum who can help them do that?
It’s really weird the way they are solving my problem. Even a not-tech-savvy guy like me understands they are doing nothing to solve this problem.

I think maybe the technical guy who understood SSL on their side has already left the company or something, so they don’t have a capable person to solve this.

It could be an opportunity for you guys to offer them services?

This is still a very bad idea.

They don’t want to solve the issue. They want to run with their non-secure setup as it’s cheaper to maintain. Relatively, as it costs little to nothing regardless, but it has some configuration to create it.


I understand you gave them a dummy account, but generally speaking I can only emphasise what @domjh and @matteo already wrote: never, ever hand out your access credentials to anyone. Not only on Cloudflare, everywhere and to no one.

That being said, I highly doubt they will configure a secure environment for you, even now that you gave them your data.

Once they are “done”, check your encryption mode. If it is not “Full (Strict)”, you’ll still be on an insecure setup.


Thank you for your feedback @sandro and @matteo.

Hope they get me a new update; if they can’t do that, I will try to offer them help from an expert. I’ll let you know once they give me an update.

Hello! Finally I got an update from Pabbly, and here is the SSL they’ve configured.

Here is the SSL they’ve succeeded in configuring for me by requesting the credentials.

I’m not sure if this SSL is safe or not:
https://payments.sainttechnologiesindonesia.com/subscribe/60f13bd841191f43bcae75a5/trident-mapping

Could anyone check for me? I don’t quite understand why for this domain they can, but for my other domain si.co.id they can’t.

Thanks for the help.

Hi again @j3project,

The way to check this is to log into the account with that domain, go to SSL/TLS → Edge Certificates and see what mode it is set to.

Unless it’s Full (Strict) then it’s not fully secure.

It should look like this:


@sandro @domjh


what do you think?

Not secure, and especially bad for a payment provider. Cloudflare is not validating the server certificate, so you would be vulnerable to an attack there as any certificate would be accepted, whether it’s for your domain or not.

Pabbly need to get their SSL setup sorted properly instead of getting Cloudflare to mask their lack of certificate for your domain.

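To make the two points above concrete (the certificate being bound to a hostname, and Full (Strict) being the only mode in which Cloudflare actually checks the origin’s certificate), here is an added example. It is not code from this thread or from Cloudflare; it is a small Python model of the edge-to-origin leg. The `Cert` dataclass stands in for a parsed X.509 leaf certificate, `chain_trusted` stands in for the outcome of CA chain validation, and the mode names are the four values of the zone SSL/TLS setting (off, flexible, full, strict). The constructed data mirrors the thread: a certificate issued to payments.pabbly.com presented for payments.si.co.id. `probe_origin` is the live version of the same check, pointed at your own origin IP with your own hostname in SNI.

```python
"""Added example, not from the thread: what each Cloudflare SSL/TLS mode checks
on the edge -> origin leg, and a live probe that applies the Full (Strict) checks.

Assumptions (mine): Cert stands in for a parsed certificate, chain_trusted for
the result of chain validation, mode values are off/flexible/full/strict.
"""
import socket
import ssl
from dataclasses import dataclass


@dataclass
class Cert:
    """Minimal stand-in for a parsed leaf certificate (constructed data)."""
    subject_cn: str
    san_dns: list          # dNSName entries of the subjectAltName extension
    chain_trusted: bool    # assumed outcome of chain validation against a CA store


def hostname_matches(hostname: str, cert: Cert) -> bool:
    """RFC 6125 style name check: SAN dNSNames are authoritative; the CN is a
    legacy fallback only when the certificate has no SAN. A wildcard may only
    be the whole left-most label and matches exactly one label."""
    host = hostname.lower().rstrip(".")
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    for name in names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                      # "*.si.co.id" -> ".si.co.id"
            if host.endswith(suffix):
                leftmost = host[: -len(suffix)]
                if leftmost and "." not in leftmost:
                    return True
        elif name == host:
            return True
    return False


def origin_accepts(mode: str, hostname: str, presented: Cert) -> tuple:
    """What the edge does with whatever certificate the origin, or anyone on
    the path to it, presents. Returns (accepted, reason)."""
    if mode in ("off", "flexible"):
        return True, "no TLS on the edge-to-origin leg at all"
    if mode == "full":
        return True, "TLS is used but the certificate is not validated: any cert works"
    if mode == "strict":
        if not presented.chain_trusted:
            return False, "rejected: chain does not validate"
        if not hostname_matches(hostname, presented):
            names = presented.san_dns or [presented.subject_cn]
            return False, f"rejected: {names} does not cover {hostname}"
        return True, "accepted: trusted chain and name match"
    raise ValueError(f"unknown mode {mode!r}")


def probe_origin(origin_ip: str, hostname: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Live check (needs network; not exercised offline): connect to the origin
    by IP, send `hostname` in SNI, and apply the checks Full (Strict) applies:
    trusted chain plus hostname match. Returns (ok, detail)."""
    ctx = ssl.create_default_context()         # CERT_REQUIRED + check_hostname=True
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                sans = [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]
                return True, f"valid for {hostname}; SAN={sans}"
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message        # e.g. "Hostname mismatch, certificate is not valid for ..."
    except (ssl.SSLError, OSError) as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    # Constructed data mirroring the thread: the provider's certificate is for
    # payments.pabbly.com, while the customer hostname is payments.si.co.id.
    presented = Cert("payments.pabbly.com", ["payments.pabbly.com"], chain_trusted=True)
    for mode in ("flexible", "full", "strict"):
        print(mode, origin_accepts(mode, "payments.si.co.id", presented))
    # What the origin would need for Full (Strict): a trusted cert covering the hostname.
    correct = Cert("payments.si.co.id", ["payments.si.co.id"], chain_trusted=True)
    print("strict", origin_accepts("strict", "payments.si.co.id", correct))
```

Run it as-is to see the model: flexible and full both return accepted for the wrong certificate, strict rejects it with the name mismatch. To check a real origin, call `probe_origin("<origin ip>", "payments.si.co.id")`; a `False` with “Hostname mismatch” is exactly the situation described in this thread, and it is the condition that Full mode silently ignores.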

Precisely what I said earlier.

And it’s precisely what we have been mentioning for the past few days so far and what @domjh and @matteo already addressed. Your provider is unable to provide a secure environment and wants to hide that behind Cloudflare.


OK, thanks for your help and advice, guys. Glad I found this community. Hope I can find an alternative, better solution in the future; hope someone can give me suggestions regarding subscription tools and payment gateways in the future.

Have a nice weekend, guys @sandro @domjh @matteo


So you are staying with your current provider and its insecure mode?

Yes, I’ve no choice right now. I’m figuring out an alternative solution.
Finding a payment gateway service that can be integrated with local payment services in Indonesia and offers an LTD with an affiliate module included is not quite easy. But I’m still doing research and looking for alternatives.

By the way, could you give me some examples of what bad things can happen to me using their insecure setup?

I want to know some of the worst possibilities.

Attackers can perform a MITM attack on the connection between Cloudflare and the origin server, which can cause leakage of data such as credit card numbers, usernames and passwords.


@erictung already mentioned the main part. Essentially what I already described at the link I posted.

Would you continue loading a site if you get a certificate warning? That’s the setup you currently have.

Cloudflare does not validate the certificate and will accept any it is presented with. Anyone who has access to the line to your server will be able to present their own certificate (which Cloudflare will gladly accept) and intercept and record your traffic along with all payment related data.
