Weird certificate problem

The thing is now I need to copy all the A records and everything manually back to namecheap…

Cloudflare copies them automatically the other way around…

You don’t need to stop using Cloudflare entirely.

And how do I disable Cloudflare’s proxy on

I removed cloudflare and now there is no error here

How is that?

I don't know, it's magic :wink:

But I see, you have rechecked your domain -

Now you have a Grade C, your certificate has two domain names:
expires in 89 days, - 2 entries

So both connections are secure.

My Firefox doesn't see the result, that's the wrong ip address.

PS: No, it's C, not B. But C is good.

But I still don’t get why when I add cloudflare, the certificate does not work…

Perhaps you have restarted your server.

Or something in your Cloudflare config was wrong.

But now you have a valid certificate and two correct connections.

In Cloudflare's DNS settings, click on the orange cloud to turn it into a gray cloud

Cloudflare's "How does Cloudflare work?" support article seems to be missing. :confused:

Cloudflare's CDN/proxy/orange cloud services use a certificate installed on Cloudflare's servers for HTTPS. By default it's a Cloudflare-managed certificate matching only and * (Certificate wildcards do not match multiple levels of subdomains. * matches but not

When you enable Cloudflare's proxy on that one subdomain it does not work because Cloudflare does not have a certificate matching * or

I forgot to mention it, but you can also upgrade to one of their plans that allows you to upload a custom certificate, but managing that is more work.

Edit: It turns out the "How does Cloudflare work?" article wasn't geared exactly for this question anyway. I don't have a link handy but I'm sure they explain their HTTPS setup somewhere.

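The single-label wildcard rule described above (a `*.` name covers one level of subdomain, never the apex and never two levels) is what decides whether a proxy's default certificate covers a given hostname, and it is also why the later suggestion of a wildcard certificate has to list the apex name separately. The following is an added example, not code from the thread or from Cloudflare or Certbot: it implements that matching rule over a certificate's SAN list and reports which hostnames are left uncovered. All domain names in it are constructed placeholders, and the `peercert` dictionary shape is the one Python's `ssl` module returns from `getpeercert()`.

```python
"""Check which hostnames a certificate's SAN list covers.

Added example (not from the thread). Implements the usual single-label
wildcard rule (RFC 6125 section 6.4.3): '*.example.com' matches
'www.example.com' but neither 'example.com' nor 'app.dev.example.com'.
All hostnames below are constructed placeholders.
"""
from typing import Iterable, List, Mapping


def _labels(name: str) -> List[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def san_matches(san: str, hostname: str) -> bool:
    """Return True if a single SAN entry covers hostname.

    A wildcard is only honoured as the whole leftmost label, and it
    stands in for exactly one label, so the label counts must be equal.
    """
    san_l, host_l = _labels(san), _labels(hostname)
    if len(san_l) != len(host_l):
        return False
    if san_l[0] == "*":
        # A bare '*' or '*.tld' is not a usable wildcard; require a base domain.
        if len(san_l) < 3:
            return False
        return san_l[1:] == host_l[1:]
    return san_l == host_l


def covered(sans: Iterable[str], hostname: str) -> bool:
    """True if any SAN entry covers the hostname."""
    return any(san_matches(s, hostname) for s in sans)


def uncovered(sans: Iterable[str], hostnames: Iterable[str]) -> List[str]:
    """List the hostnames that none of the SAN entries cover."""
    sans = list(sans)
    return [h for h in hostnames if not covered(sans, h)]


def sans_from_peercert(cert: Mapping) -> List[str]:
    """Extract DNS SANs from the dict shape ssl.SSLSocket.getpeercert() returns.

    getpeercert() gives {'subjectAltName': (('DNS', 'a.example.com'), ...)};
    other SAN types (IP Address, email) are ignored here.
    """
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed example of a proxy's default certificate: apex plus one level.
DEFAULT_SANS = ["example.com", "*.example.com"]

# Constructed getpeercert()-style record for the same certificate.
CONSTRUCTED_PEERCERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    wanted = ["example.com", "www.example.com", "app.dev.example.com"]
    for host in wanted:
        print(f"{host:25} covered={covered(DEFAULT_SANS, host)}")
    print("uncovered:", uncovered(sans_from_peercert(CONSTRUCTED_PEERCERT), wanted))
```

Running it shows that `app.dev.example.com` is the only name left out: to cover it you need either that exact name or `*.dev.example.com` on the certificate, which is the situation the thread's proxied sub-subdomain is in.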

And how to get that certificate?

Please read the rest of my post.

I read it, but still dunno the answer to my question.

I need to buy something from Cloudflare to have a certificate for a subdomain?

Is that it?

For Cloudflare to have a certificate for a subsubdomain.

The answer to your problem is very simple is not the same as
A wildcard cert would fix your problem and also allow you to host multiple subdomains from the same server. That’s how mine is set up. There is a Cloudflare API that would allow you to do this. I personally use DigitalOcean. My command looks something like this. Don’t forget to revoke the old certificate before running it though.

certbot certonly --server --dns-digitalocean --dns-digitalocean-credentials /etc/letsencrypt/digitalocean/do_api_cred.ini --dns-digitalocean-propagation-seconds 30 -d ',*'

There’s almost never a need to revoke the old certificate before creating a new one; certificates with overlapping coverage don’t conflict!


Where do these ideas come from?

So now I don’t need to buy anything from Cloudflare to make it work?

Completely lost with all the different answers in here…

If you have a small site, why do you need Cloudflare?

Your certificate is correct:
expires in 80 days, - 2 entries

But now you have redirects https -> http, so nobody uses your certificate -> Grade F.

@JuergenAuer the guys after you said a completely different thing from what you told me.

Because it’ll create a new folder in the /etc/letsencrypt/live directory. So for this example, if I have a cert for and I create a new wildcard cert for *, like in my sample, it’ll keep both certs /etc/letsencrypt/live/ and /etc/letsencrypt/live/
I know, because I’ve done it.

If you have a certificate for only and requesting -d *, creates a separate certificate, that’s a bug in Certbot and I’d love to look into it further.

If you have a single certificate for and and you request -d *,, it would create because is listed on the old certificate but not the new one. This might be a bug because the wildcard can match but Certbot doesn’t consider that.

You can always cause the coverage of an existing cert to be updated by specifying --cert-name. For example, if you use --cert-name -d '*,', the existing certificate would be replaced instead of creating an certificate. Using --cert-name, it’s never necessary to delete (or revoke) old certificates in order to change the names that they cover.
