Cloudflare Let's Encrypt edge certification conflict

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: 주미클럽1.com (https://주미클럽1.com)

I am contacting you because I need technical advice regarding a certificate issue for our client.

Issue: After migrating from the Free Plan to the Enterprise Plan, the Edge certificate was applied, but User A imported the Free Plan certificate and User B imported the Enterprise certificate, causing problems for some customers.
Phenomenon: a public connection page (http connection) is displayed.

After activating the Enterprise Zone on September 1, some users encountered an "http connection" page due to a certificate issue.
The customer in question was a former Free Plan customer and moved to Enterprise on the same day.

The domain used a Universal Let's Encrypt certificate when it was on the Free Plan, and was issued an Advanced Let's Encrypt certificate after the transfer.
However, because the application of the Advanced certificate was slow, it was reapplied as a universal certificate.
Although the certificate was applied, it was confirmed that user A was loading the free plan certificate and user B was loading the enterprise certificate.
Please check whether the issue is caused by a certificate twist or conflict caused by the same issuer on the same domain, or due to another reason.

Let's Encrypt only issues one kind of certificate. Can you clarify this?

Moreover, I don't see what certificate is on your server, but your website is currently served on cloudflare with a cloudflare-issued certificate.


Hi @Sunni1227, and welcome to the LE community forum 🙂

I see the problem at Cloudflare:

Name:      xn--1-gy0f05h1xrgzi.com
Addresses: 2606:4700:3030::ac43:8228
           2606:4700:3035::6815:321
           172.67.130.40
           104.21.3.33

HTTP fails:

curl -Ii http://xn--1-gy0f05h1xrgzi.com/
curl: (56) Recv failure: Connection reset by peer

HTTPS works:

curl -Ii https://xn--1-gy0f05h1xrgzi.com/
HTTP/2 200
date: Fri, 08 Sep 2023 07:17:10 GMT
content-type: text/html; charset=UTF-8
x-powered-by: Express
access-control-allow-origin: *
accept-ranges: bytes
cache-control: public, max-age=0
last-modified: Fri, 08 Sep 2023 02:25:51 GMT
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=qll4KvSPIAY6BhUkFh2OkB6krgMPv98BI%2BjnO3Xs2C9eLq%2B6UkELzTkiPq0iRcdhQ3ZPiy0nG71e6gWPzssyP%2FnW8Ia1AsFvQ%2FpfJNyxKO2WwUgLZhyuiOg1iX6YFBIiHY%2Fk7laRiMJ1NA%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 803569019e49b3df-MIA
alt-svc: h3=":443"; ma=86400

I think I should tell you about the date the issue occurred.

The issue occurrence date and time is from 2023-09-01 15:42 to 19:12 (KST).
Is it possible to check if there was a Let's Encrypt certificate conflict at that time?

There is no way for anyone to know what actually happened at that time.
There are no record/payback buttons for the Internet.

As for certificate conflicts...
I don't think you understand certificates well enough and are simply looking for a cause of a problem that can't have anything to do with certificate issuance.
It can be a problem with certificate use - incorrect uses.
But since you have Cloudflare and they are set to do what you say... then something was likely said incorrectly and it just did as it was told.


I'm not sure but one thing I found with cloudflare (free) default certs is that they were EC keys, and ECDSA cipher suites, so some client software/OS failed to connect because they only understood RSA ciphers, or the ECDSA ciphers they did support weren't the ones cloudflare supported.

That was nothing to do with Let's Encrypt though, that was just cloudflare.

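The check that would actually settle the original poster's question (and show the ECDSA-versus-RSA point made in the reply above) is to handshake with each resolved edge address separately, sending SNI for the domain, and compare what each edge served. This is an added example, not code from the thread, from Cloudflare or from Let's Encrypt; the hostname comes from the command line and the SAMPLE rows are constructed values, not real measurements.

```python
import hashlib
import socket
import ssl
import sys
from collections import defaultdict

def resolve_edges(host, port=443):
    # Every A/AAAA record for the name; each address is one edge to test separately.
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)})

def probe_edge(host, addr, port=443, timeout=5.0):
    """Handshake with one edge address, sending SNI for host, and record what it served."""
    ctx = ssl.create_default_context()
    # Pin to TLS 1.2 so the negotiated suite name reveals the certificate key type
    # (TLS 1.3 names such as TLS_AES_256_GCM_SHA384 do not say ECDSA or RSA).
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((addr, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            return {"addr": addr, "fingerprint": hashlib.sha256(der).hexdigest(),
                    "issuer": issuer.get("organizationName", "?"), "cipher": tls.cipher()[0]}

def auth_algorithm(cipher_name):
    # Signature algorithm the suite authenticates with. A client that only speaks
    # RSA suites cannot finish a handshake with an edge that answers ECDSA only.
    for alg in ("ECDSA", "RSA"):
        if f"-{alg}-" in cipher_name:
            return alg
    return "unknown"

def find_divergence(observations):
    """Group edges by the leaf certificate they served; more than one key means
    different edges hand out different certificates for the same name."""
    by_cert = defaultdict(list)
    for obs in observations:
        by_cert[obs["fingerprint"]].append(obs["addr"])
    return dict(by_cert)

# Constructed sample observations (not real measurements) for an offline check.
SAMPLE = [
    {"addr": "198.51.100.10", "fingerprint": "a" * 64, "issuer": "Let's Encrypt", "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256"},
    {"addr": "198.51.100.11", "fingerprint": "b" * 64, "issuer": "Cloudflare, Inc.", "cipher": "ECDHE-RSA-AES128-GCM-SHA256"},
    {"addr": "198.51.100.12", "fingerprint": "a" * 64, "issuer": "Let's Encrypt", "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256"},
]

if __name__ == "__main__":  # usage: python edge_check.py example.com
    for obs in [probe_edge(sys.argv[1], a) for a in resolve_edges(sys.argv[1])]:
        print(obs["addr"], obs["fingerprint"][:16], obs["issuer"], auth_algorithm(obs["cipher"]))
```

Two or more fingerprints in the output means the edges genuinely disagree about which certificate to serve; one fingerprint but an ECDSA-only suite points at client cipher support instead.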

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.