Untrusted Cloudflare SSL Certificate

@Frith620

Posted in: #Cloudflare #Https #SecurityCertificate

I'm just dipping my toes into the water with SSL certificates and figured I'd try Cloudflare's free offering...

I'm trying to secure a sub-domain that hosts map tiles locally within the country for performance reasons. For this same reason I don't want to route the sub-domain's traffic through Cloudflare, as it will cause increased latency.

I've generated a certificate through Cloudflare and enabled it on my site via the Plesk control panel the hosting provider provides.

Everything looks like it's working from the Plesk admin panel side of things, but when I request an https-prefixed URL from a web browser it complains that the connection isn't secure - NET::ERR_CERT_AUTHORITY_INVALID. Delving into the details gives this message: "The issuer of this certificate could not be found."



A URL for testing purposes: static.topomap.co.nz/tiles-topo250-20160901/8-252-97.png

Using an online SSL checker - www.sslshopper.com/ssl-checker.html#hostname=static.topomap.co.nz - it informs me that:

The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate.


Any ideas how I can resolve this issue? Or is this a shortcoming of the free SSL certificates provided by Cloudflare?

I have no sensitive user information flowing back and forth. The only reason I require SSL is for secure third-party sites using embedded maps from my service. I need to serve these up via SSL to stop web browsers from complaining.


@Holmes151

Your invalid certificate authority error is due to the fact that CloudFlare issued it, not because of how you were routing traffic. This is because you used a type of certificate meant only to secure communication between your origin server and CloudFlare's network. It is issued via what they call their "Origin Certificate Authority" explained here.

When you use CloudFlare's "Universal SSL", they will create a certificate from a legitimate Certificate Authority that is trusted by most browsers and they will serve your website's content from their servers using that real certificate.

Remember that for end-to-end TLS encryption you cannot use CloudFlare because they have access to your decrypted traffic after it arrives from your origin but before they re-encrypt it for their CDN. They are literally MITM'ing your encrypted traffic. That's acceptable if you are aware of it and choose to use it anyway, but you should know this is happening.

For a fuller explanation see this website describing the problem in greater detail. Not the prettiest looking site, but their technical arguments are irrefutable.

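A local reproduction of the chain problem the answer above describes, as an added example that is not part of the thread: a constructed private CA plays the role of Cloudflare's Origin CA (which browsers do not ship as a root), issues a leaf for a constructed hostname, and the leaf fails verification against the default trust store but passes when that CA is supplied, which is the position the CDN edge is in. It needs only the openssl command line and no network.

```shell
#!/bin/sh
# Added example, not from the original thread. Hostname and CA name are
# constructed. Reproduces NET::ERR_CERT_AUTHORITY_INVALID offline.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="static.example.test"   # constructed, not the poster's domain

# 1. Private CA, analogous to an origin CA that only the CDN trusts.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Origin CA (constructed)" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. Leaf certificate for the origin host, signed by that CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/leaf.pem" 2>/dev/null

# cert_issuer <cert.pem>: prints who signed the certificate. Against a live
# server the same question is answered with
#   openssl s_client -connect HOST:443 -servername HOST </dev/null | openssl x509 -noout -issuer
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# verify_leaf <cert.pem> [ca.pem]: exit 0 when a trust path exists to the
# given CA bundle, or to the default store when none is given. openssl's
# reason (e.g. "unable to get local issuer certificate") stays on stderr.
verify_leaf() {
    if [ "$#" -ge 2 ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null
    else
        openssl verify "$1" >/dev/null
    fi
}

cert_issuer "$WORK/leaf.pem"
if verify_leaf "$WORK/leaf.pem"; then
    echo "default store: trusted"
else
    echo "default store: NOT trusted (what the browser reports)"
fi
if verify_leaf "$WORK/leaf.pem" "$WORK/ca.pem"; then
    echo "with origin CA supplied: trusted (what the CDN edge sees)"
fi
```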


 

@Mendez628

I found the answer here: support.cloudflare.com/hc/en-us/articles/200170566-Why-isn-t-SSL-working-for-my-site-

Your domain/sub-domain is not active on Cloudflare's network

Cloudflare's SSL will only be present for visitors to your website after you have validated the SSL certificates to your root or www DNS record by orange clouding these records in your dashboard. If the DNS record is grey clouded then the Cloudflare-issued SSL certificates will not be present.


Looks like I can't use the SSL certificate without routing the sub-domain's traffic through Cloudflare, which is undesirable in this case due to the increased latency. I did a quick test and this indeed resolved the SSL issue experienced.
