Someone suggested it might happen with embargoed TLDs, but this TLD is not embargoed (.com.br).
Then others, without providing a proper explanation, just shun the problem in favour of installing a Let’s Encrypt certificate.
But then, is it only free for the first certificate and the following certificates are paid? So in the end there is only one grace certificate before I need to pay for this service?
The earlier I know about this, the earlier I will need to reconfigure my whole structure to remove the Cloudflare SSL/TLS features in favour of Let’s Encrypt. I was using this to make things easier, but if I need to renew the certificate somewhere else, I will just do it there and not here (again).
Can anyone clarify why this was not renewed and what is the actual policy here?
Each time you disable Universal SSL, the certificate is removed; each time you enable Universal SSL again, a new certificate is issued. If you toggle it often, it does seem to confuse things. What issue are you encountering, a 526 error?
Yeah I may have skipped some background information, which is not obvious for you. Sorry for that.
But since this was configured a year ago (the SSL part) this was not changed.
The website itself has been on Cloudflare for multiple years now, and there weren’t any changes for more than a year, so the only thing that really happened is that the certificate expired and the site is prevented from working with the bogus cipher error. It took me some time to figure out the very absconded reason that the edge certificate didn’t exist.
After reading a few posts I tried to “disable Universal SSL”, wait a few minutes and re-enable it; then the certificate appeared with the expired message. I have tried the button a couple more times with multiple minutes between changes, but the only thing that happens is what you can see on the screenshot.
So maybe tomorrow morning something changes. I will report on it when I re-enable it again tomorrow.
Thanks for the swift reply anyway, glad to see the community is useful.
So I suppose there will be no solution for this situation then?
It feels like there is a bug; for some reason some certificates are just getting boggled when renewing (as I see other people apparently with the same problem…), and Cloudflare is not very interested in giving support to non-paying users.
Then it looks like the only solution is to delete the website and recreate it again?
Does anyone know how long I would need to wait until the whole configuration is cleaned from Cloudflare servers so I can create it all over again without conflicts? Because right now, even with the whole SSL configuration undone / disabled, Cloudflare is still enforcing a broken SSL configuration, which is pretty much bananas.
Hi @domjh, could you elaborate a bit more on this solution?
What does that entail? This will only change the certificate on the Cloudflare side, and Cloudflare supposedly will try to issue another cert, or will I need to issue a Let’s Encrypt certificate and change my whole config, including the CA on Cloudflare?
I’m not sure what this means. For me it sounds the same as disabling the whole Cloudflare SSL system and using LE on my own on the server.
Cloudflare uses several different CAs to issue Edge Certificates; this forces them to try and issue one with a specific CA in case one is failing for some reason. It shouldn’t be required, but we have seen it work several times before here. If it’s currently trying to issue a DigiCert certificate, for example, and that fails, then you can make it try a Let’s Encrypt one.
This doesn’t require you to change any certificate on your server; the one there can be from any CA. It’s also not the same as pausing Cloudflare and using your server certificate. The certificate will still be served from Cloudflare’s edge; it would just be a cert from a different CA.
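A small diagnostic that tells the two certificates apart, added here as an example and not code from Cloudflare or from anyone in this thread: it fetches the certificate served under the site's hostname (the edge certificate when proxied) and, separately, the one served by the origin IP, then reports issuer and expiry for each. It assumes the `openssl` CLI is installed; the parser works on its `-subject -issuer -enddate` text output.

```python
"""Check whether the expired cert is Cloudflare's edge cert or the origin's own."""
import subprocess
from datetime import datetime, timezone

def fetch_cert_summary(host, connect_to=None, port=443):
    """Return openssl's subject/issuer/notAfter lines for the cert served at
    connect_to (default: host) with SNI set to host. Pass the origin IP as
    connect_to to bypass the proxy and see the server's own certificate."""
    target = f"{connect_to or host}:{port}"
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", target, "-servername", host],
        input=b"", capture_output=True, timeout=15)  # no verify: we want expired certs too
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer", "-enddate"],
        input=s_client.stdout, capture_output=True, check=True)
    return x509.stdout.decode()

def parse_cert_summary(text, now=None):
    """Parse openssl x509 output into issuer org, expiry and days remaining."""
    now = now or datetime.now(timezone.utc)
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    # openssl pads the day, e.g. "notAfter=Mar  1 12:00:00 2022 GMT"; normalise spaces
    not_after = datetime.strptime(" ".join(fields["notAfter"].split()),
                                  "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    org = ""
    for part in fields.get("issuer", "").split(","):  # "C = US, O = Let's Encrypt, CN = R3"
        name, _, val = part.partition("=")
        if name.strip() == "O":
            org = val.strip()
    return {"issuer_org": org, "subject": fields.get("subject", ""),
            "not_after": not_after, "expired": not_after <= now,
            "days_left": (not_after - now).days}

def diagnose(edge, origin):
    """Separate the failure modes: an expired edge cert is on Cloudflare's side
    (toggle Universal SSL / change CA); an expired origin cert is the server's."""
    if edge["expired"] and not origin["expired"]:
        return "edge certificate expired; origin is fine"
    if origin["expired"]:
        return "origin certificate expired; fix the server certificate"
    return "both certificates valid"

if __name__ == "__main__":
    import sys  # usage: python check.py example.com.br 203.0.113.10 (origin IP placeholder)
    host, origin_ip = sys.argv[1], sys.argv[2]
    edge = parse_cert_summary(fetch_cert_summary(host))
    origin = parse_cert_summary(fetch_cert_summary(host, connect_to=origin_ip))
    print(edge, origin, diagnose(edge, origin), sep="\n")
```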
Ok, I’ve tried it and there are absolutely no changes.
The expired certificate is still stuck in “error state”.
I will wait until the end of this week; if no solution comes from Cloudflare, I will delete the website completely and try again.
And I will start thinking about removing this functionality from all of my sites, because this has been no fun. I have been offline for almost 3 weeks now, and there is nothing I can do on the Cloudflare side, so it is better not to depend on them.
It’s giving an “or” option. Maybe you can get a free universal SSL certificate through Let’s Encrypt using certbot. You can get them for free. Does Cloudflare have email support on the free accounts, or is it all community support?
Here’s a tutorial that shows you how to use letsencrypt to get a universal SSL using a DNS challenge. If you’re not self hosting, it might be even easier because you could just use port 80, but this should work to get you a valid certificate you can provide to Cloudflare to secure your site.
Hi @domjh, so now, a couple of days after I changed the CA, the problem still persists and the expired certificate is still stuck.
Right now I just tried to delete the domain from Cloudflare, and after a couple of minutes I added it again, and then, surprise surprise… the certificate is still there, stuck in error.
Hence my question again: do we know how long it takes for Cloudflare to clean up these configurations? Is it 24 hours? 48 hours?
You said earlier that you have added this problem to the “community escalation” so someone can review it. Is there any feedback on that?
I’m kind of running out of options here.
I already realise that if I add Let’s Encrypt on the website side and let Cloudflare forward the HTTPS connection, it will also not work, because the SSL configurations on the Cloudflare side are broken and enforcing things that I cannot disable.
So there are only two solutions possible, as I see it now:
disable all the proxying from Cloudflare and send traffic directly to the website over HTTPS (which is almost the same as not using Cloudflare)
remove the website completely from Cloudflare, including nameservers
So the part I am afraid of is that this will repeat itself on other websites that have more complex configurations; this one is very simple, so I can do without Cloudflare, but for the others it would be a major loss.