Universal SSL not working on my site

ssl

#1

When I first used Cloudflare, 5 months ago, the site worked flawlessly, but now I can’t access my site with https. At my hosting site they say that the problem is from Cloudflare, so I don’t know what to do now. When I try to enter my site (boleinf3a.com) with https I get the error NET::ERR_CERT_AUTHORITY_INVALID, with the details:
Subject: CloudFlare Origin Certificate
Issuer: CloudFlare, Inc.
Expires on: 16 dic. 2032
Current date: 20 dic. 2017

What can I do? Thanks community.


#2

It works great for me!

That certificate you’re seeing would be a Cloudflare-issued certificate that’s installed on your origin server. So it looks like you’re directly connecting to your origin server.

Can you check your HTTP connection details in your browser’s Dev Tools window to see what IP address you’re connecting to? And some HTTP headers as well. You should see evidence you’re connecting to a Cloudflare server, but I expect you’ll see it’s a direct connection to your own web server.


#3

So, you can access the site with https?


#4

Yep! HTTP gave me a 301 over to HTTPS.


#5

I can’t enter the site with HTTPS but with HTTP even in incognito mode, what can I do?


#6

You’re probably trying to access your site from a computer on wifi or a local network.

Can you try connecting from your cellphone over the cellular network (not using WiFi)? I think there’s some sort of local cache or DNS issue in your current setup.

I mentioned the Cloudflare Origin Certificate earlier. It looks like 4 days ago, you created this certificate. Do you remember how you did this? Normally, it’s something you would add to your web server.


#7

It started working 15 minutes after this message, but now it is not working again. I can’t enter my site and subdomain art.boleinf3a.com because of the error ERR_TOO_MANY_REDIRECTS, and I don’t know what I can do now.


#8

Subdomain appears to be working for me. Might try flushing your DNS cache on your local machine and making sure that there isn’t a local DNS server you’re using which has different zone information from public DNS.


#9

If you got Flexible SSL with the “ERR_TOO_MANY_REDIRECTS” error this is a redirect loop.

Cloudflare’s Flexible SSL option can cause redirect loops when combined with certain configurations. Because all requests are sent to origins over HTTP when Flexible SSL is selected, an origin configured to redirect HTTP requests to HTTPS will cause a redirect loop, causing browsers to display “The page isn’t redirecting properly” or “ERR_TOO_MANY_REDIRECTS”.

If you encounter this, you will need to remove redirects at your origin. Look for RewriteRules in Apache or rewrite directives / 301 return directives in nginx and remove them to clear the issue.

You can replace this configuration with an Always Use HTTPS page rule to redirect all users to HTTPS without creating a loop:


  1. Scroll down till: Always use HTTPS
  2. Set that to ON
  3. Purge Everything


#11

Thanks for your reply.

First I deleted my htaccess file (the site was accessible again, no https).
Did what you said and boleinf3a.com and art.boleinf3a.com are not accessible again (ERR_TOO_MANY_REDIRECTS). What can I do now?


#12

I can normally see: http://art.boleinf3a.com/


& http://boleinf3a.com/

There is one case where the issue is on your computer, if you can’t see the websites.
Try to clear your web browser’s cache, cookies, and history.
Try this guide.
Restart your router and your PC, and try to enter again.

I’m not sure if you have properly installed the Certificate…You should try again and follow Cloudflare’s guide


#13

Can you describe to us, from the beginning, how you installed the SSL Certificate, with details?


#14

Also here are some more details:
check here
Your certificate looks good to me:
```
~$ curl --insecure -v https://boleinf3a.com 2>&1 | awk 'BEGIN { cert=0 } /^* SSL connection/ { cert=1 } /^*/ { if (cert) print }'
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: OU=Domain Control Validated; OU=PositiveSSL Multi-Domain; CN=sni139346.cloudflaressl.com
*  start date: Dec 21 00:00:00 2017 GMT
*  expire date: Jun 29 23:59:59 2018 GMT
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO ECC Domain Validation Secure Server CA 2
*  SSL certificate verify ok.
* Connection #0 to host boleinf3a.com left intact
--
~$ curl -vvI https://boleinf3a.com
* Rebuilt URL to: https://boleinf3a.com/
*   Trying 104.28.14.201...
* TCP_NODELAY set
* Connected to boleinf3a.com (104.28.14.201) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: OU=Domain Control Validated; OU=PositiveSSL Multi-Domain; CN=sni139346.cloudflaressl.com
*  start date: Dec 21 00:00:00 2017 GMT
*  expire date: Jun 29 23:59:59 2018 GMT
*  subjectAltName: host "boleinf3a.com" matched cert's "boleinf3a.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO ECC Domain Validation Secure Server CA 2
*  SSL certificate verify ok.
> HEAD / HTTP/1.1
> Host: boleinf3a.com
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 302 Found
HTTP/1.1 302 Found
< Date: Fri, 22 Dec 2017 10:25:32 GMT
Date: Fri, 22 Dec 2017 10:25:32 GMT
< Content-Type: text/html; charset=iso-8859-1
Content-Type: text/html; charset=iso-8859-1
< Connection: keep-alive
Connection: keep-alive
< Set-Cookie: __cfduid=df174eb3482fd85066847402d902d877c1513938332; expires=Sat, 22-Dec-18 10:25:32 GMT; path=/; domain=.boleinf3a.com; HttpOnly
Set-Cookie: __cfduid=df174eb3482fd85066847402d902d877c1513938332; expires=Sat, 22-Dec-18 10:25:32 GMT; path=/; domain=.boleinf3a.com; HttpOnly
< Location: http://boleinf3a.com/
Location: http://boleinf3a.com/
< Server: cloudflare
Server: cloudflare
< CF-RAY: 3d1260b0fda75cb7-ATH
CF-RAY: 3d1260b0fda75cb7-ATH

<
```

Most probably there is some wrong configuration in your Cloudflare’s settings (?)


#15

So, you can access the site with https? I can enter art.boleinf3a.com with https successfully, but I can’t access boleinf3a.com with https; it auto-redirects me to http. What can I do?


#16

Your webserver is redirecting the response when Cloudflare attempts to connect over SSL to http. You can see this by substituting your IP address of your origin server here and hitting it directly:

```
curl -Ik --resolve boleinf3a.com:443:your.ip.address.here https://boleinf3a.com/
HTTP/1.1 302 Found
Date: Sun, 24 Dec 2017 22:52:00 GMT
Server: Apache
Location: http://boleinf3a.com/
Content-Type: text/html; charset=iso-8859-1
```
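
The checks suggested in posts #2, #14 and #16 (is the response coming from a Cloudflare edge or straight from the origin, and does an HTTPS request get redirected back to HTTP?) can be read off a `curl -vI` transcript mechanically. The following is an added example, not part of the original thread; the two transcripts are constructed for illustration with documentation IP addresses and a placeholder hostname, and the function names are hypothetical.

```python
import re

# Constructed `curl -vI` style transcripts, trimmed to the lines the classifier reads.
EDGE = """\
* Connected to example.test (203.0.113.10) port 443 (#0)
*  subject: OU=Domain Control Validated; CN=sni139346.cloudflaressl.com
*  issuer: C=GB; O=COMODO CA Limited; CN=COMODO ECC Domain Validation Secure Server CA 2
< HTTP/1.1 302 Found
< Location: http://example.test/
< Server: cloudflare
< CF-RAY: 3d1260b0fda75cb7-ATH
"""
ORIGIN = """\
* Connected to example.test (198.51.100.7) port 443 (#0)
*  subject: CN=CloudFlare Origin Certificate
*  issuer: O=CloudFlare, Inc.
< HTTP/1.1 302 Found
< Location: http://example.test/
< Server: Apache
"""


def parse(transcript):
    """Pull peer address, certificate subject/issuer and response headers."""
    info = {"headers": {}, "subject": None, "issuer": None}
    for line in transcript.splitlines():
        m = re.match(r"\*\s+(subject|issuer):\s*(.+)", line)
        if m:
            info[m.group(1)] = m.group(2).strip()
            continue
        m = re.match(r"\* Connected to \S+ \(([^)]+)\) port (\d+)", line)
        if m:
            info["ip"], info["port"] = m.group(1), int(m.group(2))
            continue
        m = re.match(r"< ([A-Za-z0-9-]+):\s*(.*)", line)  # status line has no "Name:"
        if m:
            info["headers"][m.group(1).lower()] = m.group(2).strip()
    return info


def classify(transcript):
    """Say which side answered and whether HTTPS was bounced back to HTTP."""
    info = parse(transcript)
    h = info["headers"]
    via_edge = h.get("server", "").lower() == "cloudflare" or "cf-ray" in h
    return {
        "endpoint": "cloudflare-edge" if via_edge else "origin-or-other",
        # An Origin Certificate is only trusted by Cloudflare, never by browsers.
        "origin_cert_seen": "origin certificate" in (info["subject"] or "").lower(),
        "https_to_http_redirect": info.get("port") == 443
        and h.get("location", "").startswith("http://"),
    }
```
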


#17

So, what can I do? If I activate the rewrite HTTP to HTTPS or the Always HTTPS it results in ERR_TOO_MANY_REDIRECTS. I don’t know what to do. Thanks


#18

Do you have your SSL here set to Full? I think that setting it to Flexible may fix this problem.

Also…do you have some sort of SSL certificate set up on your server?

What I think is happening is your server redirects HTTPS traffic to HTTP, but Cloudflare is set to Full so it’s trying to reach your site via HTTPS. So your site redirects to HTTP, then Cloudflare tries again to use HTTPS because of the Full setting, causing Too Many Redirects.
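
The two loops described in this thread (Flexible SSL with an origin that redirects HTTP to HTTPS, post #9, and an origin that redirects HTTPS to HTTP while HTTPS is forced at the edge, posts #17 and #18) can be reproduced with a small model of the browser, edge and origin. This is an added example, not part of the original thread and not Cloudflare code; it is a simplification that assumes Flexible always uses HTTP to the origin and Full uses the visitor's scheme, and the rule labels and the 20-hop limit are assumptions.

```python
"""Simplified model of browser -> Cloudflare edge -> origin redirects (added example)."""

ORIGIN_RULES = ("none", "http_to_https", "https_to_http")  # hypothetical labels


def origin_redirect(scheme, origin_rule):
    """Scheme the origin redirects to, or None when it serves the page."""
    if origin_rule == "http_to_https" and scheme == "http":
        return "https"
    if origin_rule == "https_to_http" and scheme == "https":
        return "http"
    return None


def edge_redirect(visitor_scheme, ssl_mode, always_https, origin_rule):
    """Scheme the visitor is redirected to for one request, or None if served."""
    if always_https and visitor_scheme == "http":
        return "https"  # answered at the edge, origin never contacted
    # Flexible: the edge always speaks HTTP to the origin.
    # Full: the edge uses the same scheme the visitor used.
    to_origin = "http" if ssl_mode == "flexible" else visitor_scheme
    return origin_redirect(to_origin, origin_rule)


def follow(start_scheme, ssl_mode, always_https, origin_rule, max_hops=20):
    """Follow redirects like a browser; return (outcome, final_scheme, hops)."""
    scheme, hops = start_scheme, []
    for _ in range(max_hops):
        target = edge_redirect(scheme, ssl_mode, always_https, origin_rule)
        if target is None:
            return "served", scheme, hops
        hops.append(f"{scheme}->{target}")
        scheme = target
    return "loop", scheme, hops  # what the browser reports as ERR_TOO_MANY_REDIRECTS


def matrix():
    """Outcome of an https:// visit for every combination of settings."""
    return {
        (mode, always, rule): follow("https", mode, always, rule)[:2]
        for mode in ("flexible", "full")
        for always in (False, True)
        for rule in ORIGIN_RULES
    }


if __name__ == "__main__":
    for key, result in matrix().items():
        print(key, "->", result)
```
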


#19

Ideally you’d have your hosting provider configure your origin server to accept connections over SSL (and stop redirecting to the http version of the site) and install a Cloudflare origin certificate (available on the crypto tab) on the origin server.

As @sdayman points out, flexible SSL is also a workaround which would do SSL to Cloudflare’s edge but not encrypt the traffic from Cloudflare to your origin. It’s obviously less secure but we can’t establish a secure connection to the origin, because the origin forces us to http when we try.


#20

Tried your solution. Could access the main site with HTTPS, but all the other subdomains now have ERR_TOO_MANY_REDIRECTS; tried just with Flexible SSL but the result is the same. What can I do? At my hosting service they say that the problem is from Cloudflare.


#21

If the main site works, but the subdomain has too many redirects, then they’re not configured the same way.

  1. Is everything hosted on the same server?
  2. Do any of your sites have an SSL certificate installed on your server?
  3. Do you have any Page Rules set up here at Cloudflare?

Look around for any .htaccess or other settings that redirect HTTP to HTTPS or vice-versa. Make sure all your sites behave the same way.

Next step may be to set up a Page Rule to use a different SSL setup (Full vs Flexible) for your subdomains to stop the redirect loop.