All DNS records for my domain are except the following:
ns1.example.com (private nameserver’s A record)
ns2.example.com (private nameserver’s A record)
mail.example.com (MX hostname’s A record)
These NEED to be in order to resolve correctly for their intended purpose. As a consequence, they are not covered by the Universal SSL so the browser loads Cloudflare Origin SSL and displays the warning NET::ERR_CERT_AUTHORITY_INVALID.
Is there any way around this error other than adding a valid CA-issued certificate? I’ve tried creating redirects on my web host for these URLs to redirect them to the domain’s apex example.com. The redirect works for the HTTP version, but not for HTTPS, where again I’m faced with the same invalid SSL error. It seems as though the browser first checks the SSL and only then considers/disregards the redirect.
These nameserver and mail URLs don’t have any direct purpose to be visited by anyone, so is this really a thing to be concerned about or should I just leave them “unsafe” in the browser’s eyes?
Yes, the SSL is part of the connection process which comes before any data, including a redirect, can be delivered for obvious reasons.
Without the certificate being validated, your users may accept any certificate, including one from a third party that has intercepted their connection. It is insecure and you shouldn’t do it. Just apply a Let’s Encrypt certificate.
Thank you! The thing is that I’m on cPanel and it uses a feature called AutoSSL that automatically installs Let’s Encrypt certs. But there are a few problems with it.
It won’t renew the cert if “Always Use HTTPS” is enabled. So you have to disable it and then renew it. Imagine doing that manually for 50+ domains. Plus, not all certs expire at the same time.
There is also another issue native to cPanel where, if you have multiple domains, AutoSSL randomly combines hostnames in certs from all domains you own. So even when a hostname gets covered by the SSL, the Common Name may not display that hostname but a hostname from a completely different domain.
Yes, the ACME challenge stuff requires HTTP. You can use the DNS method with the Cloudflare DNS plugin for certbot; it gets round that and works nicely when set up in a script. We do 10s of certificates this way with a single command. It uses the Cloudflare API to insert, then delete, the _acme-challenge TXT records for you. Easy for multiple certificates.
With Let’s Encrypt you can disable Always Use HTTPS and leave it off. You can handle the redirect to HTTPS in your origin or with other rules at Cloudflare. You need to make sure that you exempt the path used by ACME clients, which is /.well-known/acme-challenge.
I don’t know if AutoSSL can be similarly managed. It might be worth searching the cPanel forums.
You may also be able to use AutoSSL only on the hostnames and exclude the ones using the Cloudflare Origin CA certificate.
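The origin-side redirect described above, as an added example that is not from this thread: an nginx server block that forces HTTP to HTTPS for everything except the ACME HTTP-01 path, so Cloudflare’s “Always Use HTTPS” can stay off. The webroot /var/www/acme and the certificate paths under /etc/letsencrypt are assumptions to adjust for your host.

```nginx
# Port 80: serve ACME challenges in the clear, redirect everything else.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # ACME HTTP-01 validation must be reachable over plain HTTP.
    # "^~" stops nginx from evaluating the catch-all location below.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;          # assumed webroot passed to certbot --webroot -w
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else goes to HTTPS, preserving host, path and query string.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the Let's Encrypt certificate obtained for this origin.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    # Paths assumed to be those certbot writes for this certificate name.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        root /var/www/html;
        index index.html;
    }
}
```

Point certbot at the same directory (certbot certonly --webroot -w /var/www/acme -d example.com) so the token it writes is what nginx serves from the exempted location.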
Just when I thought I had everything figured out after months of hard work, records came along.
I’m not planning to use AutoSSL due to the mentioned issues. But I might consider installing the Let’s Encrypt via certbot.
So to confirm, for records: If I use Let’s Encrypt (or any other CA that uses ACME validation) I can’t use Always Use HTTPS, but I need to create a redirect rule to force HTTPS while exempting the /.well-known/acme-challenge.
For records I need to create the same rule at my origin?
@epic.network, while I was researching your last answer the topic was closed. I’m continuing it here to finalize everything. I read your post from Let’s Encrypt about excluding the ACME path for validation to work. So you’re turning off cache and SSL options for this path:
Automatic HTTPS Rewrites: Off
Browser Integrity Check: Off
Opportunistic Encryption: Off
Security Level: Essentially Off
I don’t see an option for also turning off the Always Use HTTPS option for the ACME path in the Configuration rules, which means it needs to be disabled globally. You said that you handle HTTPS redirects at the origin, but I still wish to configure them at Cloudflare. So I need to configure a redirect rule to force HTTPS but with the ACME path excluded. I will post my results when I’m done.
Since Let’s Encrypt SSL covers domain and 1st-level subdomains with a wildcard, is it required that /.well-known/acme-challenge/ path is accessible through each subdomain besides the apex? For example: