When I use sudo certbot certonly --manual, I'm getting certificates from the COMODO CA authority

I used sudo certbot certonly --manual to get certificates from Let's Encrypt. After completing the process, when I checked, it shows that the certificates are Verified by: COMODO CA Limited.

I need SSL to work with Apple Pay, but the current certificates don't have Apple-supported cipher suites.

It shows support only for the following cipher suites.

Can you please help to solve this issue?

I can't share the domain name as it's our staging domain. It is deployed at Heroku.

I'm 100% sure your domain is sitting behind a Cloudflare proxy for SSL termination (since it is serving TLS 1.3, which nobody else is serving).

You can find your ciphersuite settings in your Cloudflare control panel.

2 Likes

Thanks for the diagnosis, @_az!

@vishalzambre, when addressing this it’s also important to consider that your Let’s Encrypt certificate obtained with certbot certonly --manual protects the connection between CloudFlare and your origin server, but only CloudFlare can confirm whether or how that connection is encrypted, since it’s not visible to the Internet as a whole. That connection ought to be encrypted for security, since all of the user data is also transmitted over it, but it depends on your CloudFlare settings and on whether the certificate is installed properly on the origin server.

Also remember that certonly doesn’t install the certificate in the web server (you have to configure the web server yourself to use the certificate), while --manual generally doesn’t allow you to renew the certificate with certbot renew (because it requires manual intervention to perform the renewal process). So you would also have to figure out how you plan to renew the Let’s Encrypt certificate before it expires every 90 days.

If you plan to always use CloudFlare with this service, you could consider using the CloudFlare Origin CA instead:

As they say, it’s free and more secure in this configuration, and I believe you can get a certificate that lasts for 10 years. However, it only works for sites that are behind the CloudFlare CDN; if you switch CDNs or disable CloudFlare, then you’d have to switch back to a publicly-trusted CA like Let’s Encrypt for your certificates.

1 Like

@vishalzambre you may use curl to test it, using that syntax:

curl -v --resolve "example.com:443:IP_ADDRESS" https://example.com

where IP_ADDRESS is your server IP, hidden by CloudFlare.

1 Like
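The curl --resolve check above works because it connects to the origin IP while still sending the real hostname as SNI, so the client sees the certificate the origin serves rather than the one Cloudflare's edge presents. The following is an added example (not code from this thread or from certbot) that does the same in Python and then compares what the edge and the origin each present: the issuer organisation, the protocol version and the negotiated cipher. The hostname, IP addresses, the constructed certificate dictionaries and the allowed-cipher list are placeholders; the thread does not list which cipher suites Apple Pay requires, so the allowlist is a parameter the caller supplies.

```python
"""Compare the TLS endpoint a client sees through the CDN with the origin itself.

Added example for this thread; not part of certbot or Cloudflare tooling.
"""
import socket
import ssl
import sys


def fetch_tls_info(hostname, ip, port=443, timeout=5):
    """Connect to `ip` but present `hostname` as SNI and verify the chain
    against it, mirroring `curl --resolve`. Returns the peer certificate as
    returned by ssl.getpeercert(), plus protocol and cipher name."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return {
                "cert": tls.getpeercert(),
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
            }


def issuer_org(cert):
    """Extract organizationName from the issuer RDNs of a getpeercert() dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def classify_issuer(cert):
    """Label who issued the certificate the client was shown.
    'COMODO CA Limited' is the issuer the original poster saw, which the
    thread attributes to the Cloudflare edge rather than to the origin."""
    org = issuer_org(cert) or ""
    if "Let's Encrypt" in org:
        return "lets-encrypt"
    if "COMODO" in org:
        return "cloudflare-edge"
    return "other"


def diagnose(edge_info, origin_info, allowed_ciphers):
    """Summarise the two endpoints. `allowed_ciphers` is a caller-supplied
    list of acceptable cipher names (assumption: the thread names none)."""
    return {
        "edge_issuer": classify_issuer(edge_info["cert"]),
        "origin_issuer": classify_issuer(origin_info["cert"]),
        "edge_cipher_ok": edge_info["cipher"] in allowed_ciphers,
        "origin_cipher_ok": origin_info["cipher"] in allowed_ciphers,
        # True when the cert a browser sees is not the one certbot obtained.
        "edge_masks_origin": classify_issuer(edge_info["cert"])
        != classify_issuer(origin_info["cert"]),
    }


# Constructed sample data in the shape ssl.getpeercert() produces, so the
# comparison can be exercised without a network connection.
SAMPLE_EDGE = {
    "cert": {"issuer": ((("countryName", "GB"),),
                        (("organizationName", "COMODO CA Limited"),))},
    "protocol": "TLSv1.3",
    "cipher": "TLS_AES_256_GCM_SHA384",
}
SAMPLE_ORIGIN = {
    "cert": {"issuer": ((("countryName", "US"),),
                        (("organizationName", "Let's Encrypt"),))},
    "protocol": "TLSv1.2",
    "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
}

if __name__ == "__main__":
    # Usage: python check_tls.py HOSTNAME EDGE_IP ORIGIN_IP (placeholder values)
    if len(sys.argv) == 4:
        host, edge_ip, origin_ip = sys.argv[1:]
        edge = fetch_tls_info(host, edge_ip)
        origin = fetch_tls_info(host, origin_ip)
    else:
        edge, origin = SAMPLE_EDGE, SAMPLE_ORIGIN
    print(diagnose(edge, origin, ["ECDHE-RSA-AES128-GCM-SHA256"]))
```

Run with the real hostname, the Cloudflare IP the public DNS record points at, and the Heroku origin IP to see both sides; run without arguments to see the comparison on the constructed samples. A result with edge_masks_origin set to True is exactly the situation in this thread: the Let's Encrypt certificate is installed, but clients never see it because the CDN terminates TLS first.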

The issue is resolved after disabling SSL from Cloudflare.

Thanks Team.
