SSL - Cloudflare origin server showing not secure
Hello all.
Thanks in advance for any help.
I had set up SSL for one of our sites as I have done dozens of times before without issue. Sites are WordPress.
I use Cloudflare for the DNS.
Then I follow the procedure to generate a private key and CSR in Cloudflare (RSA). Key format is PEM. Then copy and paste the key into my server under SSL - generate/upload/delete/view keys.
Then I paste the CRT in generate/ul/d/v certificates.
Then I install the certificate. Certificate installs successfully.
In Cloudflare encryption is set to full. Have tried flexible and full strict but no joy there.
The site in question is .
I can't figure out what's going on or where I made a config error - following the identical procedure I have set up dozens of other sites on this server including its (correctly running) sister site Front page - Black Bull Kitchen
Any insight or advice is greatly appreciated - please let me know if any extra info is required.
Thanks again,
M
-
Hello,
The certificate that's being shown is an expired cert:
I wonder if the issue is that the Apache configuration is not being rebuilt and Apache isn't being restarted when the certificate is installed. Does this persist after running the following:
    /scripts/updateuserdomains
    /scripts/updateuserdatacache
    mv /etc/apache2/conf/httpd.conf{,.bk}
    /scripts/rebuildhttpdconf
    /scripts/restartsrv_httpd
-
Hello,
I just wanted to add this for your reference:
    openssl s_client -showcerts -servername domain.com -connect domain.com:443
    CONNECTED(00000003)
    depth=1 C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
    verify error:num=19:self signed certificate in certificate chain
    ---
    Certificate chain
     0 s:/O=CloudFlare, Inc./OU=CloudFlare Origin CA/CN=CloudFlare Origin Certificate
       i:/C=US/O=CloudFlare, Inc./OU=CloudFlare Origin SSL Certificate Authority/L=San Francisco/ST=California
    -----BEGIN CERTIFICATE-----
    MIIEuD#######Z/voPw
    -----END CERTIFICATE-----
     1 s:/C=US/O=CloudFlare, Inc./OU=CloudFlare Origin SSL Certificate Authority/L=San Francisco/ST=California
       i:/C=US/O=CloudFlare, Inc./OU=CloudFlare Origin SSL Certificate Authority/L=San Francisco/ST=California
    -----BEGIN CERTIFICATE-----
    MIID#######ABmOgg==
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/O=CloudFlare, Inc./OU=CloudFlare Origin CA/CN=CloudFlare Origin Certificate
    issuer=/C=US/O=CloudFlare, Inc./OU=CloudFlare Origin SSL Certificate Authority/L=San Francisco/ST=California
    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 2950 bytes and written 446 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol : TLSv1.2
        #######
        Timeout : 300 (sec)
        Verify return code: 19 (self signed certificate in certificate chain)
Most importantly:
    verify error:num=19:self signed certificate in certificate chain
-
Hello, thanks for the replies. Lol, if you hadn't guessed I'm not overly advanced. I ran the scripts from root, still showing the same "not secure" error. I had noticed the "self signed certificate" error when looking into the error - but I had also read that when using the free Cloudflare origin server it will always have a self signature somewhere in the chain. I double checked and I only have the one certificate installed on that domain. I had previously tried deleting the SSL cert and starting over - but no luck there either. I only used the defaults as instructed when creating the cert and installing it in cPanel. This exact same process has worked on all of the other domains I had tried it on previously so I'm kind of stumped.
-
Where are you seeing this self-signed cert error? If you have Cloudflare enabled properly, then you should never see the origin cert in a browser.
-
I saw the self signed cert error when I mouse over the primary domain under general information.
-
Are you referring to an error in your browser?
- If so, double check that your domain is actually using Cloudflare's DNS. If not, then you are going directly to the server.
- If using CF DNS, then when was it updated? Perhaps you have old DNS cached?
- Make sure you have the proxy cloud checked in Cloudflare for the domain name.
-
No, an error in the main cPanel page. General information in the top right. Red warning triangle. I usually ignore it though as it ends up showing up on all the domains that are secured through Cloudflare. DNS is pointed at Cloudflare's servers.
> Make sure you have the proxy cloud checked in Cloudflare for the domain name.
That ended up being my issue. This domain had a couple A records and I had the wrong one proxied. Toggled those, and a few updates to my site and I'm running with SSL. Thank you for your help.
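Added example, not part of the original thread: a small shell check that reads saved `openssl s_client -showcerts` output and reports whether the leaf certificate was issued by the Cloudflare Origin CA, which a client only sees when the hostname reaches the origin without going through the proxy (the unproxied A record found above). The function and sample names, the classification labels and both sample outputs are constructed for illustration.

```shell
# Classify `openssl s_client -showcerts` output by the issuer of the leaf
# certificate (chain entry 0) and by the final verify return code.

# Constructed sample: shape of the output quoted in the thread, abbreviated.
sample_origin() {
cat <<'EOF'
CONNECTED(00000003)
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/O=CloudFlare, Inc./OU=CloudFlare Origin CA/CN=CloudFlare Origin Certificate
   i:/C=US/O=CloudFlare, Inc./OU=CloudFlare Origin SSL Certificate Authority/L=San Francisco/ST=California
---
    Verify return code: 19 (self signed certificate in certificate chain)
EOF
}

# Constructed sample: a leaf from a made-up public CA that verifies cleanly.
sample_public() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=example.com
   i:/C=US/O=Example Public CA/CN=Example Issuing CA
---
    Verify return code: 0 (ok)
EOF
}

# Reads s_client output on stdin, prints one classification line.
classify_s_client() {
  sc_out=$(cat)
  # Leaf issuer: first "i:" line after the "Certificate chain" header.
  sc_issuer=$(printf '%s\n' "$sc_out" |
    awk '/^Certificate chain/ {c=1; next} c && /^[ \t]*i:/ {sub(/^[ \t]*i:/, ""); print; exit}')
  sc_code=$(printf '%s\n' "$sc_out" |
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
  case "$sc_issuer" in
    *"CloudFlare Origin SSL Certificate Authority"*)
      # Origin CA leaf reached the client: connection did not pass the proxy.
      echo "origin-cert-direct verify=${sc_code:-unknown}" ;;
    *)
      if [ "$sc_code" = "0" ]; then echo "publicly-trusted verify=0"
      else echo "untrusted verify=${sc_code:-unknown}"; fi ;;
  esac
}

sample_origin | classify_s_client   # origin-cert-direct verify=19
sample_public | classify_s_client   # publicly-trusted verify=0
```

Against a live host, pipe the real command from the thread into the function: `openssl s_client -showcerts -servername domain.com -connect domain.com:443 </dev/null 2>&1 | classify_s_client`.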