The application that I am most concerned about is normally visible at https://secure.boghthillspta.org/. Dreamhost creates an automatic A record to bypass (https://resolve-to.secure.boghthillspta.org/). Currently SSL is working on the bypass record (with the expected SSL warning about a hostname mismatch). The app I have created will tell you that your routing is invalid because I detect the Cloudflare bypass, but that means that my application is working properly on the bypass address.
To this point, I have already tried:
Pausing Cloudflare on my site and verifying that the application worked properly - which it does
Changed the proxy setting for secure.boghthillspta.org to off, waited 15 minutes and then turned it back on
Switched the Security policy from “Full (strict)” to “Flexible”, waited 15 minutes and then re-enabled “Full (strict)”
I have verified with my hosting company (Dreamhost) that the Let’s Encrypt certificate on my domains is valid - and they even manually renewed them just to be sure
I have disabled Universal SSL to see if I could use the Dreamhost created Let’s Encrypt certificate - which failed
I have re-enabled Universal SSL and have now waited over 24 hours, but the hosts are still “Pending validation (HTTP)” and only HTTP is being served on port 443.
The hostname secure.boghthillspta.org has been working on Cloudflare for the past several (at least 5) years without any trouble.
The SSL error is persistent across multiple devices, browsers and network connections.
Here is the error screenshot taken in Chrome on Linux.
These domains, as second-level subdomains, are not covered by Universal SSL. You need to buy Total TLS if you want these domains to work with Cloudflare.
It seems like you have not changed your nameservers yet. Until you do so, the zone will not become active on Cloudflare, and the certificate will remain in a pending status.
boghthillspta.org. 3600 IN NS ns2.dreamhost.com.
boghthillspta.org. 3600 IN NS ns1.dreamhost.com.
boghthillspta.org. 3600 IN NS ns3.dreamhost.com.
;; Received 113 bytes from 199.19.57.1#53(d0.org.afilias-nst.org) in 32 ms
This domain is added to Cloudflare as a partial zone. It seems like whoever managed that domain for you removed it from Cloudflare. Hard to say without knowing what exactly the domain was used for.
secure.boghthillspta.org. 300 IN CNAME secure.boghthillspta.org.cdn.cloudflare.net.
;; Received 174 bytes from 162.159.27.84#53(ns3.dreamhost.com) in 120 ms
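The diagnosis above rests on two observable facts: the apex is delegated to Dreamhost's nameservers rather than to Cloudflare's, while the hostname itself is a CNAME to a `*.cdn.cloudflare.net` target, which is the shape of a partial (CNAME) setup. The following shell snippet is an added example, not part of this thread, that encodes that check so it can be rerun: it classifies a host from `dig`-style answer lines and, when `dig` and a network are available, against live DNS. The sample answer lines are constructed to match the records quoted above; the nameserver `ada.ns.cloudflare.com` used in the usage note is a made-up name standing in for any `<name>.ns.cloudflare.com` delegation.

```shell
#!/bin/sh
# Added example (not from the thread): classify a hostname's Cloudflare setup
# from the two facts the diagnosis above rests on.

# Constructed sample answers, modelled on the records quoted in the thread.
SAMPLE_NS='boghthillspta.org. 3600 IN NS ns2.dreamhost.com.
boghthillspta.org. 3600 IN NS ns1.dreamhost.com.
boghthillspta.org. 3600 IN NS ns3.dreamhost.com.'
SAMPLE_CNAME='secure.boghthillspta.org. 300 IN CNAME secure.boghthillspta.org.cdn.cloudflare.net.'

# classify_setup NS_ANSWERS CNAME_ANSWERS  -> prints one of: full | partial | none
#   full    : apex delegated to <name>.ns.cloudflare.com, i.e. the zone is active on Cloudflare
#   partial : apex delegated elsewhere, host CNAMEd to <host>.cdn.cloudflare.net (partner / CNAME setup)
#   none    : neither, so Cloudflare is not in the path at all
classify_setup() {
    ns_answers=$1
    cname_answers=$2
    if printf '%s\n' "$ns_answers" \
        | grep -Eiq '[[:space:]]IN[[:space:]]+NS[[:space:]]+[a-z0-9-]+\.ns\.cloudflare\.com\.?[[:space:]]*$'; then
        echo full
    elif printf '%s\n' "$cname_answers" \
        | grep -Eiq '[[:space:]]IN[[:space:]]+CNAME[[:space:]]+[^[:space:]]+\.cdn\.cloudflare\.net\.?[[:space:]]*$'; then
        echo partial
    else
        echo none
    fi
}

# live_check APEX HOST: the same classification against real DNS.
# Requires dig and network access; not exercised by the offline sample below.
live_check() {
    apex=$1
    host=$2
    ns=$(dig +noall +answer "$apex" NS)
    cn=$(dig +noall +answer "$host" CNAME)
    classify_setup "$ns" "$cn"
}

# Stand-alone run over the constructed sample; matches the thread's situation.
classify_setup "$SAMPLE_NS" "$SAMPLE_CNAME"
```

Running it on the constructed sample prints `partial`. Had the apex answer been, say, `boghthillspta.org. 3600 IN NS ada.ns.cloudflare.com.` the result would be `full`, which is the state the certificate needs in order to leave "Pending validation"; an A record with no Cloudflare NS and no `cdn.cloudflare.net` CNAME yields `none`. For a live check, call `live_check boghthillspta.org secure.boghthillspta.org`.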
This domain is hosted through Dreamhost. Dreamhost is a Cloudflare partner, so I am supposed to use the Dreamhost DNS servers and they push their configuration to Cloudflare. Therefore, the DNS servers and the domain alias to _____.cdn.cloudflare.net are also correct.
This service worked flawlessly up until I noticed this SSL error yesterday.
In continuing trying to debug this myself, I have since:
Disabled most HTTPS redirect options (in case that was blocking the HTTP validation)
Added a CNAME record to my DNS to support DCV validation (since I saw this new setting in the Edge Certificates section)
However, neither of these seems to have helped validate my SSL certificate. In the past (on a different domain that was fully hosted) I had a situation like this happen. At that time, @TKlein and @salvador both helped. I am not sure this is exactly the same (the other domain had an expired certificate that did not self-renew, whereas this is a validation issue), but maybe one of them can help.
Are they? They were in the past, but all the information on their website says you need to change your nameservers manually if you want to use Cloudflare. I cannot find any indication that they are still partnering with Cloudflare, except as members of the bandwidth alliance.
Interesting. DreamHost has not informed me that their partnership with Cloudflare ended. I have been with them for over 9 years, so it is possible that the plan I am on simply is not supported any longer, though.
Thank you for the suggestion. I will reach out to them to see what their status is.
Please close this question. I spoke to Dreamhost and while they still appear to have an integration with Cloudflare, it really seemed like they preferred if I set up Cloudflare myself. Therefore, I am going to convert my zone to a fully managed Cloudflare zone and see if I can resolve the problem myself.