Universal SSL on Free Account expired

Working with Domain: araradelear.com.br

I’ve found via other threads here that if I disable “Universal SSL” and wait a few minutes, when I turn it on again it shows the edge certificate is expired.

Someone suggested it might happen with embargoed TLDs, but this TLD is not embargoed (.com.br)

Then others, without providing a proper explanation just shun the problem in favour of installing a Let’s Encrypt.

But then, it is only free for the first certificate and the following certificates are paid? So in the end there is only one grace certificate before I need to pay for this service?

The earlier I know about this, the earlier I will need to reconfigure all my structure to remove the Cloudflare SSL/TLS features in favour of Let’s Encrypt. I was using this to facilitate but if I need to renew the certificate somewhere else, I just do it there and not here (again).

Can anyone clarify why this was not renewed and what is the actual policy here?

Each time you disable Universal SSL, the certificate is removed; each time you enable Universal SSL again, a new certificate is issued. If you do that toggle often, it does seem to confuse things. What issue are you encountering, a 526 error?

What you are describing is absolutely not happening.

At first it was empty.

I disabled / enabled Universal SSL and I only see what I put in the screenshot. No changes. Doesn’t matter how many times I enable or disable.

That’s why I’m asking about the policy.

I will leave it disabled overnight and I will try to re-enable again in the morning, let’s see if there is any changes.

I’ve seen similar instances in the past where the underlying cause was a change in nameservers away from Cloudflare that prevented us from re-issuing the certificate.

I see the site is confirmed, whois returns the CF nameservers, and this tool shows them as mostly propagated.

Let us know when you do and we can keep an eye on progress.

Yeah I may have skipped some background information, which is not obvious for you. Sorry for that.

But since this was configured a year ago (the SSL part) this was not changed.

The Website itself is on Cloudflare for multiple years now and there weren’t any changes for more than a year, so the only thing that really happened is that the certificate expired and the site is prevented from working with the bogus cipher error… it took me some time to figure out the very absconded reason that the edge certificate didn’t exist.

After reading a few posts I tried the “disable Universal SSL”, wait a few minutes and re-enable… then the certificate appeared with the expired message… I have tried the button a couple more times with multiple minutes between changes, but the only thing that happens is what you can see on the screenshot.

So maybe tomorrow morning something changes… I will inform about it as I re-enable again tomorrow.

Thanks for the swift reply anyway, glad to see the community is useful.


After +9 hours with the Universal SSL Disabled, this morning I re-enabled the function. That’s the result:

Or shall I say… there were no results. The certificate is stuck, expired, lonely and disabling my website, as it seems it is still forcing HTTPS even after I disabled everything.

So the solution is to delete the entire website and recreate again?

I think there is a bug somewhere that is worth investigating, isn’t it?

And that is the message that I don’t understand; after all, is this free or not free?

So I suppose there will be no solution for this situation then?

It feels like there is a bug, for some reason some certificates are just getting boggled when renewing (as I see other people apparently with the same problem…) , and Cloudflare is not very interested in giving support to non-paying users.

Then it looks the only solution is to delete the website and recreate again?

Does anyone know how long I would need to wait until the whole configuration is clean from Cloudflare servers so I can create it all over again without conflicts? Because right now, even with the whole SSL configuration undone / disabled, Cloudflare is still enforcing broken SSL configuration which is pretty much bananas.

Any advice?

I’ve added this issue to the community escalation queue for a support engineer to review. I have checked several common issues and can’t see why this isn’t working for you.

If you want to try something else, you could force the CA to Let’s Encrypt in case it’s just an issue with Digicert.

It can be done like this:

hi @domjh could you elaborate a bit more on this solution?

What does that entail? This will only change the certificate on the Cloudflare side and Cloudflare supposedly will try to emit another cert or I will need to emit a lets encrypt , change my whole config including the CA on Cloudflare?

Im not sure what this means… for me it sounds like the same as disabling all the Cloudflare SSL system and using a LE on my own on the server.

Cloudflare uses several different CAs to issue Edge Certificates, this forces them to try and issue one with a specific CA in case one is failing for some reason. It shouldn’t be required but we have seen it work several times before here. If it’s currently trying to issue a Digicert certificate, for example, and that fails then you can make it try a Lets Encrypt one.

This doesn’t require you to change any certificate on your server; the one there can be from any CA. It’s also not the same as pausing Cloudflare and using your server certificate. The certificate will still be served from Cloudflare’s edge, it would just be a cert from a different CA.
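The two questions that keep coming up in this thread, "is the edge certificate actually expired?" (the 526-style failure asked about above) and "which CA issued the certificate Cloudflare is serving?" (relevant once the CA has been forced to Let’s Encrypt), can both be answered by looking at the certificate the edge presents during the TLS handshake. The following is an added example written for this thread, not code from Cloudflare or from any poster. It uses only the Python standard library; the hostname is passed on the command line, and the sample certificate dict at the bottom is constructed, not a real certificate.

```python
"""Check what certificate a proxied hostname actually serves at the edge.

Added example for this thread, not Cloudflare code. SAMPLE_CERT below is a
constructed certificate in ssl.getpeercert() shape, used for the offline demo.
"""
import socket
import ssl
from datetime import datetime, timezone


def summarize_cert(cert, now=None):
    """Summarise a certificate in the dict form returned by ssl.getpeercert().

    Reports the issuing CA (DigiCert, Let's Encrypt, Google Trust Services...),
    the notAfter date, days remaining (negative once expired) and the SANs.
    """
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    # issuer is a tuple of RDNs, each RDN a tuple of (name, value) pairs
    issuer = {name: value for rdn in cert.get("issuer", ()) for name, value in rdn}
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    remaining = not_after - now
    return {
        "issuer": issuer.get("organizationName", issuer.get("commonName", "?")),
        "not_after": not_after.isoformat(),
        "days_left": remaining.days,
        "expired": remaining.total_seconds() < 0,
        "sans": sans,
    }


def check_edge_cert(host, port=443, timeout=5.0):
    """Connect with SNI and report the served certificate.

    Verification stays on deliberately: an expired edge certificate fails the
    handshake, and Python reports the same reason a browser would show
    (e.g. "certificate has expired"), which is exactly what we want to see.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"ok": True, **summarize_cert(tls.getpeercert())}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "reason": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:
        return {"ok": False, "reason": str(exc)}


# Constructed sample in getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R11"),)),
    "subject": ((("commonName", "example.com"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Apr  1 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    import sys
    print("offline sample:", summarize_cert(SAMPLE_CERT))
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", check_edge_cert(sys.argv[1]))
```

Run it as `python3 edgecert.py araradelear.com.br` (file name is your choice). If the edge certificate really is expired you get `{'ok': False, 'reason': 'certificate has expired'}`; if a new one was issued after forcing the CA, the `issuer` field shows which CA it came from. The same information is available from `openssl s_client -connect host:443 -servername host`, but the script gives you a one-line answer you can re-run after each toggle.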

Ok, I’ve tried and there are absolutely no changes.

The expired certificate still stuck in “error state”

I will wait until the end of this week, if no solutions come from Cloudflare I will delete the website completely and try again.

And I will start to think in removing this functionality from all of my sites, because this has been no fun… I am offline for almost 3 weeks now… and there is nothing I can do on the Cloudflare side, so better not to depend on them.

Hello! I am having the same issue as you. I found this topic in the forum that explains what can be happening:

User ceo2 says that this is what Cloudflare support told him:

"The certificate did not renew because previously the certificate CA was Digicert,
however Cloudflare is migrating away from Digicert, hence the cert did not renew.

Apologies for the inconvenience caused, you should not be seeing the same issue again for the same domain."

This user has a paid account so he could send a ticket, but we cannot. I am going to create a new topic in the forum to try to get the Cloudflare support team to fix my certificate too. Good luck!

Hi,

Since you are under a free account, let me suggest that you create a ticket under “billing” and explain the issues you are experiencing.

You will get a generic reply message from their bot.

Reply to the bot message and write : I need further assistance.

Wait at least 10 hours and let us know if tech support contacted you back.

It’s giving an “or” option. Maybe you can get a free universal SSL through Let’s Encrypt using certbot. You can get them for free. Does Cloudflare have email support on the free accounts or is it all community support?

Here’s a tutorial that shows you how to use Let’s Encrypt to get a universal SSL using a DNS challenge. If you’re not self-hosting, it might be even easier because you could just use port 80, but this should work to get you a valid certificate you can provide to Cloudflare to secure your site.
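For readers who have not used a DNS challenge before: DNS-01 does not require port 80 or any reachable origin at all, which is why the post above suggests it. The CA hands the client a token, and the client publishes a TXT record at `_acme-challenge.<domain>` whose value is derived from that token and the ACME account key. The derivation is short enough to show in full. This is an added example, not code from the tutorial, certbot or any poster; the account key and token below are sample values chosen for illustration, not real ACME data.

```python
"""How a DNS-01 challenge TXT value is derived (ACME, RFC 8555 section 8.4).

Added example for this thread, not certbot code. SAMPLE_JWK and SAMPLE_TOKEN
are constructed sample values, not a real account key or challenge.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the account public key.

    Only the required members are hashed, in lexicographic order, serialised
    with no whitespace; any other member (kid, alg, use) is ignored.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record content: base64url(SHA-256(token '.' thumbprint)).

    Unlike HTTP-01, the raw key authorization is never published; only its
    hash goes into DNS, so the record reveals nothing about the account key.
    """
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_record(domain: str, token: str, jwk: dict) -> tuple:
    """The (name, type, value) triple you create in the DNS zone."""
    return (f"_acme-challenge.{domain}", "TXT", dns01_txt_value(token, jwk))


# Sample P-256 public key and token (constructed sample values).
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    name, rtype, value = dns01_record("example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"{name}. 120 IN {rtype} \"{value}\"")
```

A client such as certbot with a DNS plugin performs exactly this computation, creates the record through the DNS provider’s API, waits for it to propagate, and asks the CA to validate; the value is 43 base64url characters (a 32-byte SHA-256 digest) and changes for every challenge because the token changes.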

Hi @ceo2 I looked into the billing page, I could not find a place where I can send anything to Support, there are no link to create tickets or anything like that.

If you see something that I don’t, would you be so kind to provide a screenshot to show where this is possible?

This issue is being looked at as we speak, there’s no need to create a ticket to a different team. That will just slow the support process for everyone.

Hi @domjh so now, after a couple of days that I have changed the CA, the problem still persists and the expired certificate still stuck.

Right now I just tried to delete the domain from Cloudflare and after a couple of minutes I added it again, and then, surprise surprise… the certificate is still there, stuck in error.

Hence my question again, do we know how long it takes for Cloudflare to clean up these configurations? is it 24 hours? 48 hours?

You said earlier that you have added this problem to the “community escalation” so someone can review… is there any feedback on that?

I’m kinda running out of options here.

I already realise that if I add Let’s Encrypt on the website side and let Cloudflare forward HTTPS connection will also not work because the configurations for SSL on Cloudflare side are broken and enforcing things that I cannot disable.

So there are only two solutions possible, as I see it now…

  1. disable all the proxy from Cloudflare and send it directly to the website in HTTPS (which is almost the same as not using Cloudflare)
  2. remove the website completely from Cloudflare including Nameservers

So the part I am afraid of is that this will repeat itself on other websites that have more complex configurations; this one is very simple so I can do without Cloudflare, but the others would be a major loss.

This has been a real eye opener so far :confused:

Nah, you replied while I was writing…

Right! let’s wait.