Custom SSL certificate is no longer served by the server

Hi, @nilfalse, the custom SSL certificate uploaded to our service is not correct and is giving SSL errors.

$ curl -svo /dev/null --resolve likr.xyz:443:104.198.14.52 https://likr.xyz/
* Added likr.xyz:443:104.198.14.52 to DNS cache
* Hostname likr.xyz was found in DNS cache
*   Trying 104.198.14.52...
* TCP_NODELAY set
* Connected to likr.xyz (104.198.14.52) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [222 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [102 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [1194 bytes data]
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0

If the SSL certificate is ignored, the correct site does get served. The SSL certificate is the issue:

$ echo | openssl s_client -showcerts -servername ilin.dk -connect 104.198.14.52:443 | openssl x509 -text | head
depth=0 O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
verify error:num=21:unable to verify the first certificate
verify return:1
DONE
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            79:97:aa:40:39:94:84:85:e4:23:64:28:f4:e4:32:03:e5:88:63:8c
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=CloudFlare, Inc., OU=CloudFlare Origin SSL Certificate Authority, L=San Francisco, ST=California
        Validity
            Not Before: May 30 20:51:00 2020 GMT
            Not After : May 27 20:51:00 2035 GMT

Note, we do not recommend proxying to Netlify from other services. There is more about this here:

To resolve this, you will likely need to get a different SSL certificate or to correct the existing certificate.

If there are other questions about this, please let us know.
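
An added example, not part of the reply above and not Netlify's own tooling: a small Python triage of the `openssl s_client` verify lines quoted in the post, mapping the error numbers to a likely cause. The function names and result labels are hypothetical, and the Cloudflare Origin CA name match is a heuristic taken from that output.

```python
import re

# Sample input: verify lines and Issuer line copied from the openssl output in the post.
SAMPLE = """\
depth=0 O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
verify error:num=21:unable to verify the first certificate
verify return:1
        Issuer: C=US, O=CloudFlare, Inc., OU=CloudFlare Origin SSL Certificate Authority, L=San Francisco, ST=California
"""

DEPTH_RE = re.compile(r"^depth=(\d+)\s+(.*)$")
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
ISSUER_RE = re.compile(r"^\s*Issuer:\s*(.*)$")

def parse_verify_output(text):
    """Return (errors, issuer); errors is a list of (depth, subject, num, message)."""
    errors, issuer, depth, subject = [], None, None, None
    for line in text.splitlines():
        if m := DEPTH_RE.match(line):
            depth, subject = int(m.group(1)), m.group(2)
        elif m := ERROR_RE.match(line):
            errors.append((depth, subject, int(m.group(1)), m.group(2).strip()))
        elif issuer is None and (m := ISSUER_RE.match(line)):
            issuer = m.group(1).strip()
    return errors, issuer

def triage(text):
    """Map OpenSSL verify error numbers to a likely cause for the served certificate."""
    errors, issuer = parse_verify_output(text)
    if not errors:
        return "ok"
    nums = {num for _, _, num, _ in errors}
    names = " ".join([issuer or ""] + [subj or "" for _, subj, _, _ in errors])
    if nums & {18, 19}:  # self-signed leaf, or self-signed cert in the chain
        return "self-signed"
    if nums & {20, 21}:  # issuer not found in the client's trust store
        # Origin CA certificates are meant for the Cloudflare-to-origin hop and
        # are not in public trust stores, so direct clients reject them.
        if "cloudflare origin" in names.lower():
            return "private-ca:cloudflare-origin"
        return "untrusted-or-missing-intermediate"
    return "other"

print(triage(SAMPLE))
```
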