Unable to issue SSL for info.na and school.na

Since both domains use Cloudflare, and it automatically attempts to generate an SSL certificate, what you could try is:

  • contact Cloudflare support to switch your domains to alternative CAs
  • if successful (which you will see in the Dashboard), you may enable proxying for apex and www, passing to your origin server, or e.g. perform a redirect with Redirect Rules
  • alternatively, you can buy "Advanced Certificate Manager" for $10/month, which will allow you to issue certificates from Google Trust Services (at least attempt to)
3 Likes

Cloudflare only automatically requests a cert when the domain name is proxied there. info.na is not. Proxying the name sets up the Cloudflare CDN.

In this case Cloudflare is only the DNS provider.

They could try another CA like has already been suggested.

5 Likes

Adding detail to what @griffin said, that works fine to redirect people trying http://info.na

But, anyone trying specifically https://info.na will fail with an invalid cert. The cert used is for mailsrv.dic.net

For people entering just info.na in their browser bar (no protocol) it depends which browser they use and how it is configured. Some browsers see the http redirect and send them to your https://www.info.na perfectly. Others use https first; see the wrong cert; and show a failure screen or insecure mark.

3 Likes
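The failure described in the post above is a hostname mismatch: the certificate presented on port 443 carries a name (mailsrv.dic.net) that does not cover info.na, so any HTTPS-first client rejects it before the HTTP redirect can ever run. The following is an added example, not code from the thread or from Cloudflare: it implements the name-matching rule browsers apply to a certificate's DNS SAN entries, and includes a live probe that reproduces the browser's verdict. The SAN list `ASSUMED_SANS` is an assumption based only on the post's statement that the cert is for mailsrv.dic.net; the real certificate may list other names.

```python
"""Check whether a certificate's DNS names cover a hostname (added example).

hostname_matches() follows the RFC 6125 rules browsers use: comparison is
case-insensitive, a wildcard is only valid as the entire leftmost label,
it matches exactly one label, and it must leave at least two labels after
it (so "*.na" never covers "info.na").
"""
import socket
import ssl

# Assumption: the thread only says the served cert is "for mailsrv.dic.net".
ASSUMED_SANS = ["mailsrv.dic.net"]


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single SAN dNSName pattern covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole leftmost label, appear once, and not sit
    # directly under a TLD (at least two labels must follow it).
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    # '*' matches exactly one label; the remaining labels must be identical.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_covers(san_dns_names, hostname: str) -> bool:
    """True if any SAN dNSName in the certificate covers hostname."""
    return any(hostname_matches(p, hostname) for p in san_dns_names)


def probe(hostname: str, port: int = 443, timeout: float = 5.0):
    """Live check (needs network): do the same handshake a browser would.

    Returns (True, [dns names]) on success, or (False, reason) when the
    chain or the hostname fails verification.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return True, names
    except ssl.SSLCertVerificationError as exc:
        # This is the branch a browser turns into its warning page.
        return False, exc.verify_message
    except OSError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for name in ("info.na", "www.info.na", "mailsrv.dic.net"):
        print(name, "covered by assumed SANs:", cert_covers(ASSUMED_SANS, name))
    print("live probe of info.na:", probe("info.na"))
```

The offline part shows why a cert for mailsrv.dic.net can never satisfy a request for info.na, and why even a `*.na` wildcard would not help; `probe()` simply runs the stdlib verifier and surfaces the same reason a browser would show.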

Unfortunately, you are wrong. Cloudflare automatically performs DNS-01 challenge if domain points at their nameservers. These do.

But it wouldn't give the private key for that cert to use outside of Cloudflare.

5 Likes

If an HTTPS redirect is the desired outcome and Cloudflare is indeed able to obtain a certificate for that PSL listed name, the record could be switched to proxied and the redirect employed at the Cloudflare edge.

4 Likes

You're right, but maybe OP doesn't care about the private key, just the outcome.

If the domain is NOT proxied, and this one is not, then Cloudflare is not involved in the HTTP(S) requests. It only handles its DNS queries.

Their own server must acquire and configure a cert and private key to handle HTTPS requests.

Are you suggesting that for non-proxied domains that Cloudflare performs a cert challenge, gets a cert, and then throws it away?

Please review more about how Cloudflare works.

In any case, discussion of details of what Cloudflare can do is best continued on the Cloudflare community 🙂

5 Likes

I know how Cloudflare works. I work there, although participate in this forum in personal capacity.

When a domain is onboarded to Cloudflare in "Full setup", i.e. NS are pointed at Cloudflare, and the Universal SSL feature is enabled (default setting), then Cloudflare automatically performs a DNS-01 challenge. The resulting certificate is kept and renewed as needed. This happens automatically regardless of whether DNS records are proxied.

While usually harmless, some people are unhappy to see certificates in Certificate Transparency logs, because they only wanted "DNS-only hosting". They can disable "Universal SSL" in the dashboard; Cloudflare will then revoke the certificate and destroy the private key.

Agreed. Let's not deviate from original topic any more.

3 Likes
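The post above says Cloudflare completes a DNS-01 challenge for the zone because it controls the nameservers. The following is an added example, not code from the thread or from Cloudflare, showing what that challenge consists of (RFC 8555 §8.4 with the JWK thumbprint of RFC 7638): the client derives a key authorization from the CA's token and its account key, publishes the SHA-256 of it as a TXT record at `_acme-challenge.<domain>`, and the CA compares what it resolves against the same computation. The account key `ACCOUNT_JWK` and the token `TOKEN` are constructed values for illustration, not real credentials, and nothing here touches the certificate's private key; that stays wherever the CSR was generated.

```python
"""DNS-01 challenge arithmetic, both sides (added example).

Client side: key_authorization() and dns01_record().
CA side:     validate_dns01() against whatever TXT records it resolved.
Only the standard library is used; no network access.
"""
import base64
import hashlib
import hmac
import json

# Constructed ACME account key (public part). The "kid" member is
# deliberately present to show that the thumbprint ignores it.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "https://acme.example.invalid/acct/1",
}

# Constructed challenge token, in the base64url alphabet ACME uses.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# RFC 7638: only these members, in lexicographic order, feed the thumbprint.
REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON of the required members only."""
    members = {k: jwk[k] for k in REQUIRED_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token || '.' || thumbprint, proving possession of the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record(domain: str, token: str, jwk: dict):
    """Return (owner name, TXT value) the client must publish."""
    name = f"_acme-challenge.{domain.rstrip('.')}"
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return name, b64url(digest)


def validate_dns01(domain: str, token: str, jwk: dict, resolved_txt: dict) -> bool:
    """CA side: pass if any TXT record at the expected name equals the digest.

    resolved_txt maps owner names to the list of TXT strings the CA resolved.
    """
    name, expected = dns01_record(domain, token, jwk)
    return any(hmac.compare_digest(expected, seen) for seen in resolved_txt.get(name, []))


if __name__ == "__main__":
    for domain in ("info.na", "school.na"):
        name, value = dns01_record(domain, TOKEN, ACCOUNT_JWK)
        print(f"{name}. IN TXT \"{value}\"")
```

Because the TXT value is a hash of the token and the account key, whoever can write records in the zone (here, Cloudflare as the authoritative DNS operator) can satisfy the challenge without involving the origin server at all, which is why the certificate appears in CT logs even for a DNS-only zone.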

By that I meant "I am unable to verify if those domains should actually be there" (in the ICANN part of the list instead of the private one)

To me it looks like info.na is a registrar selling their own third level domains, and the registry is another entity (selling third levels under different second level domains).

4 Likes
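The two posts above turn on whether info.na sits in the ICANN or the private section of the Public Suffix List. As an added example (not from the thread, and not the list's reference implementation), the code below parses a constructed excerpt written in PSL syntax, tracks which section each rule came from, and applies the PSL matching algorithm (longest rule wins, `*.` wildcards, `!` exceptions, implicit `*` fallback). The excerpt is constructed for illustration; the real list is published at https://publicsuffix.org/list/public_suffix_list.dat and is what any CA actually consults.

```python
"""Public Suffix List lookup with section tracking (added example).

The point for this thread: when a hostname *is* a public suffix, it has no
registrable domain at all, which is how a CA and a browser both treat it.
"""

# Constructed excerpt in PSL syntax; not the real list.
SAMPLE_PSL = """\
// ===BEGIN ICANN DOMAINS===
na
co.na
info.na
school.na
com
// ===END ICANN DOMAINS===

// ===BEGIN PRIVATE DOMAINS===
// constructed private entries to exercise wildcard and exception rules
github.io
*.pages.example
!www.pages.example
// ===END PRIVATE DOMAINS===
"""


def parse_psl(text: str) -> dict:
    """Return {rule: section} where section is 'ICANN', 'PRIVATE' or None."""
    rules = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("// ===BEGIN ICANN"):
            section = "ICANN"
        elif line.startswith("// ===BEGIN PRIVATE"):
            section = "PRIVATE"
        elif line.startswith("// ===END"):
            section = None
        elif line and not line.startswith("//"):
            rules[line.lower()] = section
    return rules


def _rule_matches(rule: str, labels: list) -> bool:
    """A rule matches when its labels equal the trailing labels ('*' = any one label)."""
    r_labels = rule.split(".")
    if len(r_labels) > len(labels):
        return False
    return all(r == "*" or r == d for r, d in zip(r_labels, labels[-len(r_labels):]))


def public_suffix(hostname: str, rules: dict):
    """Return (public_suffix, section) following the PSL algorithm."""
    labels = hostname.lower().rstrip(".").split(".")
    best_len, best_section = None, None
    for rule, section in rules.items():
        if rule.startswith("!"):
            # Exception rule: it wins outright and drops its leading label.
            if _rule_matches(rule[1:], labels):
                n = rule.count(".")
                return ".".join(labels[-n:]), section
            continue
        if _rule_matches(rule, labels):
            n = rule.count(".") + 1
            if best_len is None or n > best_len:
                best_len, best_section = n, section
    if best_len is None:
        best_len = 1  # implicit '*' rule: the TLD alone is the suffix
    return ".".join(labels[-best_len:]), best_section


def registrable_domain(hostname: str, rules: dict):
    """Suffix plus one label, or None when the hostname is itself a public suffix."""
    suffix, _ = public_suffix(hostname, rules)
    labels = hostname.lower().rstrip(".").split(".")
    n = suffix.count(".") + 1
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


if __name__ == "__main__":
    rules = parse_psl(SAMPLE_PSL)
    for host in ("info.na", "www.info.na", "school.na", "mailsrv.dic.net"):
        print(host, public_suffix(host, rules), registrable_domain(host, rules))
```

Run against the sample, `info.na` and `school.na` resolve to themselves as ICANN-section suffixes with no registrable domain, while `www.info.na` is a perfectly ordinary registrable name one level below.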
