Origin certificate not trusted
Hey there, I've been trying to use Cloudflare's SSL certificates for a website. I was previously using Porkbun's integrated SSL service, which worked fine, but required updating the certificates when they expired. I'm not sure if this is the correct use of Cloudflare, so please let me know.
Otherwise, I've set the SSL/TLS encryption mode to full strict, I have an active universal certificate, and an origin certificate set to expire in 15 years, with the rest staying on default config. I've installed it on my server, and it seems to work (at least according to this), except that browsers spit out "Your connection is not private" with NET::ERR_CERT_AUTHORITY_INVALID. The subdomain in question says that it is proxied in the DNS config, that being the main difference from threads with this issue that I've found online. Any help appreciated!
17 Replies
What do you see as the issuer name when you select "View certificate" or equivalent on the failing domain (on Chrome this is accessible from the SSL indicator on the address bar)?
I suppose it could be CloudFlare Inc
It is, at least from what the DNS config shows
That's why I said it was the key difference from other posts
What's the domain?
skyrden.com
Main page is hosted on railway which seems to do its own SSL stuff
Is it the top level that is having the issues, or a subdomain?
Otherwise the subdomain I’m using to test this is training.skyrden.com
Others are using the Porkbun certificate to still have access to them
Subdomain above is the problematic one
This what it is supposed to look like?
Yes, it’s just a Moodle instance
I'm getting no SSL/TLS issues, so I'm guessing your device/upstream resolver may have just cached your server's IP address, instead of the Cloudflare proxy IPs
Wait yeah that would make sense
I didn’t think of trying another device
Gah I’m sorry, my mistake
Thanks for helping out
Though note, if the device is on the same network, it may still try with the old IPs, since it may be cached on the resolver itself (ISP, other).
Yeah I’m on mobile data now and it works fine
Do you think that there’s anything I can do for them to refresh it, or will I just have to wait?
Not really. DNS updates are usually pretty slow, though once the proxy kicks in, updates should take a minute or less globally
Which is kind of cheating, but 🤷
Alright then, thanks for the info!