Invalid SSL cert on subdomains
I have 4 domains pointed at the same origin, set up near identically on nginx and Cloudflare; however, 2 of the sites return a 526 error on exclusively the subdomains and I cannot for the life of me figure out why. All 4 are set to Full (Strict) encryption mode.
What are the hosts on the certificate on the origin server?
Are there any errors to certificates in the nginx logs?
just the stapling errors
oh wait these are here
but they don't appear every time you try to visit a subdomain as far as I can see
they might've been from a previous issue
I wish it showed the host header
Are the clients Cloudflare IPs? It could be false noise from malformed https requests?
no they aren't
it's just those annoying bots that scrape everything they can ig
I would check what certificate it is serving directly:
https://community.cloudflare.com/t/community-tip-fixing-error-526-invalid-ssl-certificates/44273
You can use a command like:
From the shell of the machine with the web server on it, check if it's serving the right certificate (the CN = value specifically)
I trust this won't return anything sensitive and I can just upload to a paste site and send it here?
I don't see any difference between a functional and broken domain
this is the broken one
ah that's annoying, it's just upset because it can't verify the cert, since origin certs aren't trusted. If you change that end bit to -verify 1 instead of -verify_return_error, it'll just give you the public certificate under "Server Certificate", and you can pop that into a tool like https://www.sslshopper.com/certificate-decoder.html to ensure it's the right one being served
uh
the command got stuck
I had to ctrl+c it
that's fine, just scroll up after
there's probably a better way to do this, but the command the doc recommends using, curl, is only friendly to actually trusted certificates
do I paste the entire output or just the cert?
just the cert, including -- begin cert -- and --end cert
oh that's your actual domain? I thought you were just trying to hide it lol
wait wrong domain
and that's the broken one?
mb
that's the fixed one
nah I actually own that lmao
the real question is just which certificate it is serving for the one which doesn't work
oh wait no I did run the right command
but it's actually returning the helpmeplea.se ssl cert
and it's serving the wrong one? Well there you go, what's your nginx config look like?
and wellard.org is the one that's broken, I assume?
specifically subdomains but yes
e.g. www.wellard.org
I don't think you're supposed to have commas in server_name, supposed to be space separated
try removing the comma, validating the config and reloading, and then seeing if it works
it...worked
thanks...but why?
all my configs are comma separated
I would assume because it's taking the , as a literal character to match on, and it works for the pleasehelpme one because it's the default
ok but that doesn't explain my other domain functioning
www.pls-end.me also works
right but that's your default
so I have 2 defaults?
www.pls-end.me and i.helpmeplea.se both function
with commas
What's the ssl/tls setting for pls-end.me?
full (strict)
as are the rest
that is weird, is the config for pls-end.me the exact same?
*.pls-end.me, ?
yeah, I just cp'd them and changed the domain
hmm, idk then, don't know enough about nginx to try to guess more. You could try the same openssl command on the subdomain of pls-end.me and see if it's serving the right one for sure
that explains why i was getting unknown error until I removed the default config at least though
wait that's returning helpmeplea.se cert too
and CF is just accepting wait it's redirecting
there's a www redirect somewhere in CF's panel isn't there?
If it's a CF redirect it wouldn't even try the origin
not by default but there's lots of ways you can make one with page rules, redirect rules, etc
nope, only page rule is cache
and no redirect rule
https://www.pls-end.me works for you?
redirects to https://pls-end.me
It looks like what is happening is it gets a 526, and then serves an Always Online Archived version, which is just a redirect
If you try curling it (curl https://www.pls-end.me/ -vvv), I see a 526, but in the browser, it looks like it loads the error page, and then the Always Online version
If you turned off Always Online under Caching -> Configuration, it should constantly serve 526s
funny behavior though lol, I was confused at first why curl was 526ing but in the web browser it worked, getting saved by Always Online
I think that's about the only time it's functioned for me
just to screw me over
it's only for specific error codes, got lucky, or perhaps unlucky ;p
well I disabled it and purged cache
there we go
congrats on properly breaking it
well, now you can fix it
:3
I'm pretty good at that, there's a whole site about the things i've bricked lmao
well this was a relatively simple mistake and easy fix, just had to unravel it
yep, thanks for all your help both of you