Why does my website at diagnosischeck.com still say insecure even though I am paying for Advanced Edge Certificates?

I don’t understand why my website still says insecure even though I am paying for two Advanced Edge Certificates in my Cloudflare account (Let’s Encrypt and DigiCert), and my website domain is also registered with Cloudflare. I selected “Always use HTTPS”. What else should I do? My website uses the nginx web server. I have already uploaded Cloudflare’s origin server certificate, so Cloudflare can communicate with my server. What else should I do? Do I need to pay for the Business plan for my website to show the secure padlock?

May I ask what SSL option you have selected under the SSL/TLS tab in the Cloudflare dashboard for your domain (Flexible, Full, Full (Strict) …)?

And is the domain name diagnosicheck.com, diagnosticheck.com, diagnosticcheck.com, or some other?

I selected Full (Strict).


My typo. The website is diagnosischeck.com.

May I ask, have you checked the DNS tab and looked at the A diagnosischeck.com and A www hostnames to see whether both are set to :orange: (proxied) or rather :grey: (DNS-only)?

For the A record I get your origin host/server IP, rather than the Cloudflare one:

QUESTION
diagnosischeck.com. IN A
ANSWER
diagnosischeck.com. 300 IN A x.x.x.24
AUTHORITY
ADDITIONAL

Furthermore, may I ask, have you recently changed or developed something and temporarily paused Cloudflare for your site by selecting the “Pause Cloudflare for this site” option in the Cloudflare dashboard, or toggled Development Mode?

Also, it seems to me I am not able to connect to your domain over HTTPS (default port 443) either. Is HTTPS working at your origin host/server, and is the SSL certificate installed?

Maybe you have some firewall which could potentially block the HTTPS port? Could you re-check this too?

I noticed that the A record with my content IP for diagnosischeck.com is DNS Only, and the CNAME www diagnosischeck.com is proxied. Is this configuration correct?

Kindly, set both to :orange: (proxied) to make sure they are being proxied by Cloudflare.

Alternatively, I prefer to use A www and A mydomain.com, both pointed to the IP address (the Content value field) and both :orange: (proxied). Meaning, you would have to delete the CNAME www record and add another A www record with the “Content value” of your server IP address and the :orange: cloud.

  • so you end up having two A-type records, A www and A diagnosischeck.com, both proxied by Cloudflare (:orange: cloud)

In case you need help managing DNS records in the DNS tab of the Cloudflare dashboard for your domain name, see the useful tutorials below:

Furthermore, https://www.diagnosischeck.com/ gives me the 1020 Access Denied error due to your Firewall Rules (which I assume are restricted by country?), and it seems Cloudflare is working ok, at least for the www prefix.

Ok, I changed both versions of the domain to proxied. How long will it take for my website to show as secured with the padlock?


I see it already now and it’s working. Just, again, I got Access Denied and cannot confirm whether there are other errors or issues showing.

In case you do not see it yet, kindly try clearing your web browser cache, or try opening your website (www and non-www) in another web browser, or in a private window, or you could also try using a VPN connection (if available to you), or at least you could try using your mobile phone and mobile network data (cellular, EDGE, LTE …) to test it out.

  • otherwise, it could be some local DNS cache at your Internet Service Provider (ISP)

If you could temporarily disable the Firewall Rules, I could provide more feedback regarding it.

Nevertheless, using online tools helped me gather some more security feedback about your www/non-www domain. You could check it yourself using the tools at the links below:

Ok, thank you. I will watch to see if the insecure status changes after doing all the things you’ve mentioned. If needed, I will disable the firewall rule so you can investigate further. Until then, thank you. Please leave this ticket open until my issue is resolved. Thanks.


Sure! :slight_smile:
I am happy to assist you :wink:

Ok, I added a firewall rule on my server to allow all of Cloudflare’s IPs to access my server. Now I have configured my nginx server to handle HTTP and HTTPS, but I am still not out of the woods yet. My website at diagnosischeck.com is giving me a “400 Bad Request”: “No required SSL certificate was sent”. “nginx/1.21.0”
Also, can you please tell me which country you are helping me from, so I can allow access from that country and you can have a better view of my issue.
Here are the two nginx configurations that I combined and followed because I am running a Python Flask website using uWSGI: How To Host a Website Using Cloudflare and Nginx on Ubuntu 20.04 | DigitalOcean

I uploaded the original certificate and the cryptographic file and key, and added the path to the nginx server block as explained in the tutorials above.
My nginx server is running ok because I tested it using the “nginx -t” command. Do I need to get the Cloudflare Pro service in order for the certificates to work on my server with my nginx setup, or can I just leave the setup the way it is? I am forced to activate the https or http2 server block because I have to let nginx know that I am running an SSL certificate, don’t I?

I still see 1020 Access Denied and unfortunately cannot provide any feedback regarding it.

Furthermore, can you post a screenshot of this error?

Croatia :croatia: :wave:

Nevertheless, can you copy/paste your nginx block here (preformatted)?

May I ask, are you using a Cloudflare Origin CA certificate, your own self-signed one, or maybe one generated via certbot (Let’s Encrypt)?

This is great; the error you are getting sounds like something is missing or misconfigured.

Furthermore, did you also enable Authenticated Origin Pulls?

If yes, then you might be missing something, at least the certificate from here:

Also, maybe you need to install/update the ca-certificates package on your origin host/server.
In case it is missing, here is the Cloudflare one:

See the link below if so:

Can you re-check whether you have the line below added (or set to on or off, maybe)?

ssl_verify_client on;

For the nginx vhost file for your domain, a handy configuration example (generated from the options you need and select) can be found at the link below:

I like to keep it like the example below, from my nginx vhost file for a domain:

server {
        # in case of origin redirection HTTP to HTTPS, keep in one block, later below we do redirect
        listen *:80;
        listen [::]:80;
        listen *:443 ssl http2;
        listen [::]:443 ssl http2;

        # TLS 1.2 and 1.3 only
        # intermediate configuration
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;
        ssl_protocols TLSv1.2 TLSv1.3;

        # SSL cert and key
        ssl_certificate /path-to-the-certificate/yourdomain.com.crt;
        ssl_certificate_key /path-to-the-key/yourdomain.com.key;

        # Cloudflare Authenticated Origin Pulls: the CA that signs Cloudflare's client
        # certificate, and verification switched on so that only Cloudflare can talk to
        # this vhost over TLS
        ssl_client_certificate /path-to-the/origin-pull-ca.pem; # find it here https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up#certificate-value
        ssl_verify_client on;

        # Mozilla config helpful
        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
        ssl_session_tickets off;
        # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
        ssl_dhparam /path-to-the-dhparam/dhparam-mozilla.pem;

        server_name yourdomain.com www.yourdomain.com;

        root   /var/www/yourdomain.com/web/;
        disable_symlinks if_not_owner from=$document_root;

        # actual redirection ($request_uri already carries the query string, hence the trailing ?)
        if ($scheme != "https") {
            rewrite ^ https://$http_host$request_uri? permanent;
        }
        if ($http_host = "yourdomain.com") {
            rewrite ^ $scheme://www.yourdomain.com$request_uri? permanent;
        }
} # closing brace of the server block (missing from the original paste)

server {
    listen 80;
    listen [::]:80;
    server_name diagnosischeck.com www.diagnosischeck.com;
    # return 302 https://$server_name$request_uri;

    location / {
        include uwsgi_params;
        uwsgi_pass unix:/home/my_username/diagnosischeck/diagnosischeck.sock;
        try_files $uri $uri/ =404;
        uwsgi_ignore_client_abort on;
    }
} # closing brace of the first server block (missing from the original paste)

server {
    # SSL configuration
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /etc/ssl/cert.pem;
    ssl_certificate_key /etc/ssl/key.pem;
    ssl_client_certificate /etc/ssl/cloudflare.crt;
    server_name diagnosischeck.com www.diagnosischeck.com;

    # root /var/www/diagnosischeck.com/html;
    # index index.html index.htm index.nginx-debian.html;

    location / {
        include uwsgi_params;
        uwsgi_pass unix:/home/my_username/diagnosischeck/diagnosischeck.sock;
        try_files $uri $uri/ =404;
        uwsgi_ignore_client_abort on;
    }
}

I have allowed access to Croatia, so you can do your work.

Yes, I have already added the original server.

I just realized that my Flask app is not configured for SSL encryption as yet. So, I am currently in the process of securing it, so all my HTTPS links to pages will be visible instead of giving that 404 Not Found error.

Okay, now I see the site loading fine over HTTPS:

I think it could be related to your nginx config for the location / {} block, or to the Flask app routing URLs / rewrites.

In terms of Python and Nginx, I was able to run it successfully and was working on HTTPS over Cloudflare proxy (:orange:).

When using it without uwsgi, I managed to get it working by running the Python app directly, and therefore within my vhost file I had:

root /home/myuser/path-to-my-python-app/my-python-app/;

# ajenti, django, python, gunicorn, app ...
location / {
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_pass http://127.0.0.1:8000/;
    proxy_redirect off;
    proxy_buffering off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_set_header SCRIPT_NAME /app;
}

# websocket testing
location /ws/ {
    proxy_pass http://127.0.0.1:8000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_redirect off;
    proxy_set_header Host $http_host;
}

Maybe you are missing some proxy_ stuff.

And the difference is that you are running it from a Unix socket, while I was going over localhost:port (I could add an upstream to my nginx.conf file and then call it in the vhost file instead of http://127.0.0.1:8000), etc.

If we go further, I am afraid this could be a bit out of scope for this forum.

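As an added example (not code from the thread, from Flask or from Cloudflare), here is what ties together two points raised above: the earlier DNS check, where an A record answer that is the origin IP rather than a Cloudflare address means the record is DNS-only, and the proxy_set_header lines in the vhost just above. Behind nginx the app sees a Cloudflare edge address as its peer and gets the visitor's real address and scheme only from CF-Connecting-IP and X-Forwarded-Proto. Those headers can be set to anything by whoever reaches the origin IP directly, so the middleware below believes them only when the peer is inside Cloudflare's ranges and otherwise refuses the request. The Cloudflare ranges are a snapshot embedded as sample data; echo_app, sample_environ, call and the addresses used are constructed for this example. With nginx's uwsgi_params the scheme is already passed as REQUEST_SCHEME/HTTPS, so the scheme rewrite matters mostly for the proxy_pass variant shown above, while the peer check matters for both.

```python
"""WSGI middleware that believes Cloudflare's forwarded headers only when the peer
is a Cloudflare edge. Added example, not code from the thread, Flask or Cloudflare;
it is a plain WSGI callable, so it wraps a Flask app under uWSGI unchanged."""
import ipaddress

# Snapshot of Cloudflare's published IPv4 edge ranges, embedded here as sample data.
# Refresh from https://www.cloudflare.com/ips-v4 (and ips-v6) before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22")]


def is_cloudflare(ip, ranges=CLOUDFLARE_V4):
    """True if `ip` lies in a Cloudflare range. The same test answers the DNS
    question from the thread: if `dig A` returns an address for which this is
    False, the record is DNS-only and exposes the origin."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


class CloudflareProxyFix:
    """Rewrite REMOTE_ADDR and wsgi.url_scheme from Cloudflare's headers, but only
    when the immediate peer is Cloudflare. Anyone who reaches the origin IP
    directly can set these headers to anything, so by default such requests are
    refused outright instead of being served with forged values."""

    def __init__(self, app, ranges=CLOUDFLARE_V4, reject_direct=True):
        self.app, self.ranges, self.reject_direct = app, ranges, reject_direct

    def __call__(self, environ, start_response):
        if not is_cloudflare(environ.get("REMOTE_ADDR", ""), self.ranges):
            if self.reject_direct:
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"direct access to the origin is not allowed\n"]
            return self.app(environ, start_response)  # headers left untrusted
        try:  # real visitor address; malformed or absent header keeps the edge address
            environ["REMOTE_ADDR"] = str(ipaddress.ip_address(environ.get("HTTP_CF_CONNECTING_IP", "")))
        except ValueError:
            pass
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").lower()
        if proto in ("http", "https"):  # scheme the visitor used at the edge
            environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)


def echo_app(environ, start_response):
    """Constructed stand-in for the Flask app: reports what it believes about the request."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"{environ['wsgi.url_scheme']} {environ['REMOTE_ADDR']}".encode()]


def sample_environ(peer, headers=None):
    """Constructed WSGI environ resembling what uWSGI builds from nginx's uwsgi_params."""
    env = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "SERVER_NAME": "diagnosischeck.com",
           "SERVER_PORT": "443", "wsgi.url_scheme": "http", "REMOTE_ADDR": peer,
           "HTTP_HOST": "diagnosischeck.com"}
    for k, v in (headers or {}).items():
        env["HTTP_" + k.upper().replace("-", "_")] = v
    return env


def call(app, environ):
    """Drive a WSGI app once without a server; returns (status, body_text)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status
        return lambda data: None

    body = b"".join(app(dict(environ), start_response))
    return seen["status"], body.decode()


if __name__ == "__main__":
    app = CloudflareProxyFix(echo_app)
    via_cf = sample_environ("104.16.1.1", {"CF-Connecting-IP": "203.0.113.9", "X-Forwarded-Proto": "https"})
    print(call(app, via_cf))  # ('200 OK', 'https 203.0.113.9')
    direct = sample_environ("198.51.100.7", {"CF-Connecting-IP": "127.0.0.1", "X-Forwarded-Proto": "https"})
    print(call(app, direct))  # ('403 Forbidden', ...)
```

Wrap the Flask object as `app.wsgi_app = CloudflareProxyFix(app.wsgi_app)`. The origin firewall rule mentioned earlier in the thread and ssl_verify_client in nginx are the stronger controls; this layer is what catches the case where one of them has silently been turned off.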

Thank you very much Fritex for all your help. Now, my project has just embarked on a new scope, which is out of your realm. I feel very happy now that everything seems to be working from Cloudflare’s end. My mission now is to configure Flask security features, HTTP/HTTPS redirects, requests and so on. Have a great day!


I am happy to assist you! :wink:
You too, have a nice day.


Fritex!!! Everything is working fine now. The diagnosischeck.com website is up and running with the world’s most favorite padlock! Thank you, so much! I posted the final Nginx server configuration code, so it can help other people understand the dynamics of securing their Python Flask, UWSGI, Nginx website with Cloudflare.com. This is how to add SSL HTTPS to your website protected by the Cloudflare CDN.
UWSGI Documentation: Quickstart for Python/WSGI applications — uWSGI 2.0 documentation

server {
    listen 80;
    listen [::]:80;

    server_name diagnosischeck.com www.diagnosischeck.com;

    # Redirect every plain-HTTP request to HTTPS. The original paste read
    # "scheme://$diagnosischeck.com", which nginx rejects as an unknown variable.
    return 301 https://diagnosischeck.com$request_uri;

    # A server-level return runs before location matching, so the two location
    # blocks below are never reached for requests on port 80.
    location / {
        include uwsgi_params;
        uwsgi_pass unix:/home/my_username/diagnosischeck/diagnosischeck.sock;
        try_files $uri $uri/ =404;
    }

    location /ws/ {
        proxy_pass http://127.0.0.1:80;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_redirect off;
        proxy_set_header Host $http_host;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name diagnosischeck.com www.diagnosischeck.com;

    ssl_certificate /etc/ssl/cert.pem;              # Cloudflare Origin CA certificate presented to Cloudflare
    ssl_certificate_key /etc/ssl/key.pem;           # private key generated together with that certificate
    ssl_client_certificate /etc/ssl/cloudflare.crt; # CA used to verify Cloudflare's client certificate;
                                                    # only enforced if ssl_verify_client is set to on

    # The original paste had this 443 block twice: once with uwsgi_pass directly in
    # the server context (which nginx -t rejects) and once with it inside location /.
    # The two are merged here.
    location / {
        include uwsgi_params;
        uwsgi_pass unix:/home/my_username/diagnosischeck/diagnosischeck.sock;
    }
}

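As an added example (not code from the thread or from nginx), a small lint that catches the mistakes visible in the configs posted in this thread: a redirect target nginx cannot parse, uwsgi_pass outside a location block, a duplicated 443 server block, a server_name missing its TLD, a try_files ... =404 that shadows the uwsgi application (the 404s mentioned earlier), and the security-relevant one behind the ssl_verify_client question above: an ssl_client_certificate that is loaded but never enforced because ssl_verify_client is left off, so Authenticated Origin Pulls do nothing and anyone who finds the origin IP can talk to nginx directly. The tokenizer and parser are a minimal reading of nginx's directive syntax written for this example, the finding codes are invented here, and BROKEN_VHOST / FIXED_VHOST are constructed sample configs (with shortened socket paths) that mirror the final config above and a corrected version.

```python
"""Lint an nginx vhost for the mistakes seen in this thread. Added example, not
code from the thread or from nginx: the tokenizer/parser is a minimal reading of
nginx syntax written here, and the finding codes and sample configs are made up."""
import re
from dataclasses import dataclass


@dataclass
class Directive:
    name: str
    args: list
    block: list = None  # child directives when the directive opens a { } block


_TOKEN = re.compile(r"""\s*(#[^\n]*|"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[{};]|[^\s{};#"']+)""")
PASS = {"uwsgi_pass", "proxy_pass", "fastcgi_pass", "scgi_pass"}


def tokenize(text):
    """Yield tokens, dropping # comments and the quotes around quoted args."""
    pos = 0
    while (m := _TOKEN.match(text, pos)):
        pos, tok = m.end(), m.group(1)
        if not tok.startswith("#"):
            yield tok[1:-1] if tok[0] in "\"'" else tok


def parse(tokens):
    """Build a directive tree; `tokens` must be an iterator shared by nested calls."""
    items, cur = [], []
    for tok in tokens:
        if tok == ";":
            if cur:
                items.append(Directive(cur[0], cur[1:]))
            cur = []
        elif tok == "{":
            items.append(Directive(cur[0] if cur else "", cur[1:], parse(tokens)))
            cur = []
        elif tok == "}":
            break
        else:
            cur.append(tok)
    return items


def _kids(d, name):
    return [c for c in (d.block or []) if c.name == name]


def lint(text):
    """Return (code, message) findings for a vhost; an empty list means clean."""
    out, seen = [], {}
    servers = [d for d in parse(tokenize(text)) if d.name == "server"]
    for i, srv in enumerate(servers, 1):
        names = tuple(sorted(a for d in _kids(srv, "server_name") for a in d.args))
        key = (tuple(sorted(d.args[0] for d in _kids(srv, "listen") if d.args)), names)
        if key in seen:
            out.append(("DUPLICATE_SERVER", f"server #{i}: same listen/server_name as #{seen[key]}; nginx ignores this block"))
        seen.setdefault(key, i)
        out += [("BARE_SERVER_NAME", f"server #{i}: '{n}' has no dot, never matches a public host (missing TLD?)")
                for n in names if "." not in n and n not in ("localhost", "_")]
        out += [("PASS_OUTSIDE_LOCATION", f"server #{i}: {d.name} is only valid inside location; nginx -t rejects it")
                for d in srv.block or [] if d.name in PASS]
        for ret in _kids(srv, "return")[:1]:
            target = ret.args[-1] if ret.args else ""
            if not target.isdigit() and not re.match(r"^(https?://|\$scheme://|/)", target):
                out.append(("BAD_RETURN_TARGET", f"server #{i}: return target '{target}' is not a URL or path"))
            if _kids(srv, "location"):
                out.append(("UNREACHABLE_LOCATION", f"server #{i}: server-level return runs before location matching; locations are dead code"))
        verify = _kids(srv, "ssl_verify_client")
        mode = verify[0].args[0] if verify and verify[0].args else "off"
        has_ca = bool(_kids(srv, "ssl_client_certificate"))
        if has_ca and mode == "off":
            out.append(("CLIENT_CA_NOT_ENFORCED", f"server #{i}: ssl_client_certificate loaded but ssl_verify_client off: "
                        "Authenticated Origin Pulls not enforced, direct hits on the origin IP are served"))
        if mode in ("on", "optional") and not has_ca:
            out.append(("VERIFY_WITHOUT_CA", f"server #{i}: ssl_verify_client {mode} needs ssl_client_certificate"))
        for loc in _kids(srv, "location"):
            passes, tf = [c.name for c in loc.block or [] if c.name in PASS], _kids(loc, "try_files")
            if passes and tf and tf[0].args and tf[0].args[-1].startswith("="):
                out.append(("TRY_FILES_SHADOWS_APP", f"server #{i} location {' '.join(loc.args)}: try_files ends in "
                            f"{tf[0].args[-1]}, so non-file URIs get that status instead of reaching {passes[0]}"))
    return out


# Constructed sample mirroring the thread's final config (socket path shortened).
BROKEN_VHOST = """
server { listen 80; server_name diagnosischeck.com www.diagnosischeck.com;
         return 301 scheme://$diagnosischeck.com$request_uri;
         location / { include uwsgi_params; uwsgi_pass unix:/run/app.sock; try_files $uri $uri/ =404; } }
server { listen 443 ssl http2; server_name diagnosischeck www.diagnosischeck.com;
         ssl_certificate /etc/ssl/cert.pem; ssl_certificate_key /etc/ssl/key.pem;
         ssl_client_certificate /etc/ssl/cloudflare.crt;
         include uwsgi_params; uwsgi_pass unix:/run/app.sock; }
server { listen 443 ssl http2; server_name diagnosischeck www.diagnosischeck.com;
         ssl_certificate /etc/ssl/cert.pem; ssl_certificate_key /etc/ssl/key.pem;
         ssl_client_certificate /etc/ssl/cloudflare.crt;
         location / { include uwsgi_params; uwsgi_pass unix:/run/app.sock; } }
"""
# Constructed corrected version: one 443 block, full hostnames, origin pulls enforced.
FIXED_VHOST = """
server { listen 80; server_name diagnosischeck.com www.diagnosischeck.com;
         return 301 https://diagnosischeck.com$request_uri; }
server { listen 443 ssl http2; server_name diagnosischeck.com www.diagnosischeck.com;
         ssl_certificate /etc/ssl/cert.pem; ssl_certificate_key /etc/ssl/key.pem;
         ssl_client_certificate /etc/ssl/origin-pull-ca.pem; ssl_verify_client on;
         location / { include uwsgi_params; uwsgi_pass unix:/run/app.sock; } }
"""

if __name__ == "__main__":
    for code, msg in lint(BROKEN_VHOST):
        print(code, "-", msg)
```

Run it against the real vhost with `lint(open("/etc/nginx/sites-enabled/diagnosischeck.com").read())`; `nginx -t` already catches PASS_OUTSIDE_LOCATION and BAD_RETURN_TARGET, but it is silent about the other five, and CLIENT_CA_NOT_ENFORCED is the one that quietly leaves the origin reachable by anyone who bypasses Cloudflare.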

I am happy to hear that! :wink:

Happy to assist you :hugs:

Bravo! :clap:
I am sure it will help a lot for further cases