X.509 Certificate Signed by Unknown Authority

Our web server is proxied via Cloudflare. One client application, written in Google's Go language, that accesses the web server randomly gets "x509: certificate signed by unknown authority".

web server → (no ssl) Cloudflare → (ssl) client application

Do you know if this is related to the client application or a Cloudflare SSL cert issue?

Please advise.

For starters, unless you are on an Enterprise plan, you cannot access sites on HTTP which enforce HTTPS.

That being said, are you using Origin certificates? If so, they’d be “unknown” and will only work in a proxied context. If that is not the case, the issue definitely is with your server.

What’s the URL?

If you are saying the application is using your server and your server does not have a certificate, then you have a general security issue and would need to fix that first before anything else.

You do need a valid certificate on your server.

What does randomly mean in this context? Sometimes but not always? Only from a single server running this tool? From any location that attempts to run the tool? Something else?

Your SSL/TLS encryption mode is Flexible. The SSL cert is provided by Cloudflare. I am on the Free plan.

All right, that’s exactly what I addressed in my last message. You have a general security issue here and need to fix that first. Your current encryption mode is an insecure legacy mode which should not be used and keeps your site without encryption.

I am using a web browser to check and the cert is valid.

That’s just the proxy certificate; the site itself is still insecure and has no encryption whatsoever. Refer to the mentioned article.

Fixing this takes a few minutes.

Thank you for your advice indeed. We need time to support Full encryption mode. However, we need to fix the current issue experienced by our client ASAP.

Yeah, that mode is known to be the reason for all sorts of issues and may very well be why you experience these issues.

For starters, I would change to Full Strict and make sure you have a proper certificate on the server.

Yes, random means sometimes but not always.

Yes, from a single server.

We do have several clients accessing our web server using HTTP GET/POST, but only one client complained today.

Again, change to Full Strict and make sure you have a certificate and you probably won’t have any such issues any more.

A sporadic error from a single customer (absent any other supporting details) makes it much more likely to be an issue with their network than Cloudflare’s. If they can capture details in and around the error to demonstrate what certificate is displayed and other supporting details….
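Capturing "what certificate is displayed" at the moment the Go client fails is the detail this reply asks for. The following is an added example, not code from anyone in this thread or from Cloudflare: a small Go diagnostic that dials the endpoint, records the subject and issuer of every certificate the peer presents, and then re-runs the same verification crypto/tls would have done so the `x509: certificate signed by unknown authority` error can be tied to a concrete issuer. The names `ProbeChain`, `IsUnknownAuthority`, `StartSelfSignedServer` and the host `example.invalid` are constructed for this example; the local self-signed listener exists only so the probe runs offline, and no application data is ever sent on the probing connection.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ChainReport records what the peer presented and whether it verified.
type ChainReport struct {
	Subjects  []string // subject of each presented certificate, leaf first
	Issuers   []string // issuer of each presented certificate, leaf first
	VerifyErr error    // nil when the chain verifies against the chosen roots
}

// ProbeChain connects to addr, captures the presented chain, and verifies it
// explicitly against roots (nil means the system roots). The built-in check is
// disabled only to observe the chain; nothing is written on the connection.
func ProbeChain(addr, serverName string, roots *x509.CertPool) (ChainReport, error) {
	var report ChainReport
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		ServerName:         serverName,
		InsecureSkipVerify: true, // observation only; re-verified below
	})
	if err != nil {
		return report, err
	}
	defer conn.Close()

	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return report, errors.New("peer presented no certificate")
	}
	intermediates := x509.NewCertPool()
	for i, c := range certs {
		report.Subjects = append(report.Subjects, c.Subject.String())
		report.Issuers = append(report.Issuers, c.Issuer.String())
		if i > 0 {
			intermediates.AddCert(c)
		}
	}
	// Same verification crypto/tls performs, but the chain is kept for the report.
	_, report.VerifyErr = certs[0].Verify(x509.VerifyOptions{
		DNSName: serverName, Roots: roots, Intermediates: intermediates,
	})
	return report, nil
}

// IsUnknownAuthority reports whether err is Go's
// "x509: certificate signed by unknown authority".
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// StartSelfSignedServer runs a local TLS listener with a throwaway self-signed
// certificate for the constructed name example.invalid (test fixture only).
func StartSelfSignedServer() (addr string, cert *x509.Certificate, stop func(), err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.invalid"},
		DNSNames:              []string{"example.invalid"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", nil, nil, err
	}
	if cert, err = x509.ParseCertificate(der); err != nil {
		return "", nil, nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
	})
	if err != nil {
		return "", nil, nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { // finish the handshake so the client sees the chain
				defer c.Close()
				if tc, ok := c.(*tls.Conn); ok {
					_ = tc.Handshake()
				}
			}(c)
		}
	}()
	return ln.Addr().String(), cert, func() { ln.Close() }, nil
}

func main() {
	addr, cert, stop, err := StartSelfSignedServer()
	if err != nil {
		panic(err)
	}
	defer stop()
	// Against an empty root pool the chain is an "unknown authority".
	report, _ := ProbeChain(addr, "example.invalid", x509.NewCertPool())
	fmt.Printf("presented %v issued by %v; unknown authority: %v\n",
		report.Subjects, report.Issuers, IsUnknownAuthority(report.VerifyErr))
	trusted := x509.NewCertPool()
	trusted.AddCert(cert)
	report, _ = ProbeChain(addr, "example.invalid", trusted) // verifies once trusted
	fmt.Println("verifies with issuer trusted:", report.VerifyErr == nil)
}
```

Run against the real hostname with `roots` set to nil, the report shows which issuer the client machine actually received at the failing moment, which is what separates a Cloudflare edge certificate from an interposed one on the customer's network.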

Ignore the client issue and fix your configuration. There’s nothing they have provided which points to a Cloudflare issue and if the customer is important enough that ‘not us, good luck’ isn’t a sufficient response then you /really/ need to fix the SSL before continuing to debug because sending data for an important customer in clear text over the internet is a much bigger problem than their random error.
