The thing is now I need to copy all the A records and everything manually back to namecheap…
Cloudflare copies them automatically the other way around…
You don’t need to stop using Cloudflare entirely.
I don't know, it's magic
But I see, you have rechecked your domain - https://check-your-website.server-daten.de/?q=foro.losumo.com
Now you have a Grade C, your certificate has two domain names:
CN=foro.losumo.com
17.03.2019
15.06.2019
expires in 89 days foro.losumo.com, www.foro.losumo.com - 2 entries
So both connections are secure.
My Firefox doesn't see the result, that's the wrong ip address.
PS: No, it's C, not B. But C is good.
But I still don’t get why when I add cloudflare, the certificate does not work…
Perhaps you have restarted your server.
Or something in your Cloudflare config was wrong.
But now you have a valid certificate and two correct connections.
In Cloudflare's DNS settings, click on the orange cloud to turn it into a gray cloud
Cloudflare's "How does Cloudflare work?" support article seems to be missing.
Cloudflare's CDN/proxy/orange cloud services use a certificate installed on Cloudflare's servers for HTTPS. By default it's a Cloudflare-managed certificate matching only example.com and *.example.com. (Certificate wildcards do not match multiple levels of subdomains. *.example.com matches foo.example.com but not foo.bar.example.com.)
When you enable Cloudflare's proxy on that one subdomain it does not work because Cloudflare does not have a certificate matching *.foro.lusomo.com or www.foro.lusomo.com.
I forgot to mention it, but you can also upgrade to one of their plans that allows you to upload a custom certificate, but managing that is more work.
Edit: It turns out the "How does Cloudflare work?" article wasn't geared exactly for this question anyway. I don't have a link handy but I'm sure they explain their HTTPS setup somewhere.
https://support.cloudflare.com/hc/en-us
https://community.cloudflare.com/
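To make the single-label wildcard rule from the post above concrete, here is an added example (not code from the thread or from Cloudflare) that checks which hostnames a certificate's name list covers; the domain names in it are placeholders, and the coverage list stands in for a default Cloudflare zone certificate:

```python
# Added example: RFC 6125 style hostname matching, where "*" covers exactly
# one DNS label, so "*.example.com" matches "foo.example.com" but neither
# "example.com" nor "foo.bar.example.com".

def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if cert_name (optionally '*.domain') covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    # The wildcard is the whole left-most label and never spans a dot.
    suffix = cert_name[1:]                 # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]    # text replaced by "*"
    return leftmost != "" and "." not in leftmost


def covered_by(cert_names, hostname) -> bool:
    """True if any name on the certificate covers the hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def find_uncovered(cert_names, hostnames):
    """Hostnames that would fail certificate validation under cert_names."""
    return [h for h in hostnames if not covered_by(cert_names, h)]


# Constructed sample: the names a default zone certificate carries, and the
# hostnames of a site that also serves a second-level subdomain.
ZONE_CERT_NAMES = ["example.com", "*.example.com"]
SITE_HOSTS = ["example.com", "www.example.com",
              "foro.example.com", "www.foro.example.com"]

if __name__ == "__main__":
    for h in SITE_HOSTS:
        print(f"{h:24} covered: {covered_by(ZONE_CERT_NAMES, h)}")
    print("uncovered:", find_uncovered(ZONE_CERT_NAMES, SITE_HOSTS))
```

Running it shows that www.foro.example.com is the only host left without a matching name, which is the situation the proxied sub-subdomain in this thread ends up in.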
And how to get that certificate?
Please read the rest of my post.
I read it, but still dunno the answer to my question.
I need to buy something from Cloudflare to have a certificate for a subdomain?
Is that it?
For Cloudflare to have a certificate for a subsubdomain.
The answer to your problem is very simple: www.example.com is not the same as example.com.
A wild card cert would fix your problem and also allow you to host multiple sub domains from the same server. That’s how mine is set up. There is a cloud flare API that would allow you to do this. I personally use digital ocean. My command looks something like this. Don’t forget to revoke the old certificate before running it though.
certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --dns-digitalocean --dns-digitalocean-credentials /etc/letsencrypt/digitalocean/do_api_cred.ini --dns-digitalocean-propagation-seconds 30 -d 'hessercan.com,*.hessercan.com'
There’s almost never a need to revoke the old certificate before creating a new one; certificates with overlapping coverage don’t conflict!
Where do these ideas come from?
So now I don’t need to buy anything from Cloudflare to make it work?
Completely lost with all the different answers in here…
If you have a small site, why do you need Cloudflare?
Your certificate is correct:
CN=foro.losumo.com
17.03.2019
15.06.2019
expires in 80 days
foro.losumo.com, www.foro.losumo.com - 2 entries
But now you have redirects https -> http, so nobody uses your certificate -> Grade F.
Because it’ll create a new folder in the /etc/letsencrypt/live directory. So for this example, if I have a cert for example.com and I create a new wildcard cert for *.example.com,example.com like in my sample, it’ll keep both certs: /etc/letsencrypt/live/example.com and /etc/letsencrypt/live/example.com-0001.
I know, because I’ve done it.
If you have a certificate for only example.com and requesting -d *.example.com,example.com creates a separate certificate, that’s a bug in Certbot and I’d love to look into it further.
If you have a single certificate for example.com and www.example.com and you request -d *.example.com,example.com, it would create example.com-0001 because www.example.com is listed on the old certificate but not the new one. This might be a bug because the wildcard can match www.example.com but Certbot doesn’t consider that.
You can always cause the coverage of an existing cert to be updated by specifying --cert-name. For example, if you use --cert-name example.com -d '*.example.com,example.com', the existing example.com certificate would be replaced instead of creating an example.com-0001 certificate. Using --cert-name, it’s never necessary to delete (or revoke) old certificates in order to change the names that they cover.