
Domain and subdomain w/ conflicting certs

I have two sites:

  • rownd.io
  • app.rownd.io

rownd.io is fronted by Cloudflare in proxy mode and uses a custom origin TLS cert for security. app.rownd.io was moved to NetlifyDNS and the automated LetsEncrypt feature was used.

rownd.io works fine, but app.rownd.io keeps presenting the wrong certificate. It seems to be presenting the rownd.io Cloudflare cert, which then causes a TLS error/warning in the browser.

This seems like a bug, as the two sites should be more or less separate.

Is it possible that Cloudflare is providing a certificate for *.rownd.io and, since Cloudflare is the DNS manager for the root domain, its SSL is being applied before Netlify?

I don’t believe so. Cloudflare wouldn’t present an origin certificate. If we examine the DNS of both, we see separate IPs:

$ dig rownd.io
; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> rownd.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50426
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;rownd.io.			IN	A

;; ANSWER SECTION:
rownd.io.		300	IN	A	104.26.14.213
rownd.io.		300	IN	A	104.26.15.213
rownd.io.		300	IN	A	172.67.71.168
$ dig app.rownd.io
; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> app.rownd.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49407
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;app.rownd.io.			IN	A

;; ANSWER SECTION:
app.rownd.io.		20	IN	A	104.248.50.87
app.rownd.io.		20	IN	A	104.248.63.231

Also, I can point openssl at the rownd-app.netlify.app host but override the SNI name, and I can see the Cloudflare cert coming back, which seems to indicate this is happening on the Netlify side:

$ openssl s_client -connect rownd-app.netlify.app:443 -servername app.rownd.io -showcerts

CONNECTED(00000005)
depth=1 C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
   i:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
 1 s:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
   i:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
---
Server certificate
subject=O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate

issuer=C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2777 bytes and written 394 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self signed certificate in certificate chain)

Hi, @rob_rownd. The behavior you are seeing is caused by the CDN node returning the first SSL certificate which matches a custom domain. This often is not the SSL certificate linked to the site in the web UI.

For a different site, you have uploaded an SSL certificate for *.rownd.io. This certificate also matches app.rownd.io, and the CDN node is returning that SSL certificate because it is the first one it finds when searching.

We have an open issue filed to change this behavior but I cannot say if/when this might change. If/when it does change we will post an update here to let you know about it.

If there are other questions or concerns, please let us know.
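The first-match lookup described in this reply, modelled as an added example (this is not Netlify's code; the certificate labels and SAN lists are constructed to mirror the thread). It applies the usual wildcard rule, where `*` matches exactly one leftmost label, and shows both why `*.rownd.io` is selected for `app.rownd.io` when it sits earlier in the search order and that the overlap disappears once the wildcard is dropped.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    label: str          # constructed label for the site that uploaded the cert
    sans: tuple         # subjectAltName dNSName entries carried by the cert


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a SAN entry covers hostname.

    A wildcard is only honoured as the whole leftmost label and matches
    exactly one label, so '*.rownd.io' covers 'app.rownd.io' but neither
    'rownd.io' nor 'deep.app.rownd.io'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def overlapping_certs(certs, hostname: str):
    """Every cert whose SANs cover hostname, in search order."""
    return [c for c in certs if any(name_matches(s, hostname) for s in c.sans)]


def first_match(certs, sni_name: str):
    """Model of the CDN behaviour in the thread: first cert that matches wins."""
    hits = overlapping_certs(certs, sni_name)
    return hits[0] if hits else None


# Constructed inventory in the order the edge would search it.
CERTS_WITH_WILDCARD = (
    Cert("rownd.io custom cert", ("rownd.io", "*.rownd.io")),
    Cert("app.rownd.io Let's Encrypt", ("app.rownd.io",)),
)
# Same inventory after the fix the poster applied: wildcard removed.
CERTS_FIXED = (
    Cert("rownd.io custom cert", ("rownd.io",)),
    Cert("app.rownd.io Let's Encrypt", ("app.rownd.io",)),
)
```

Running `overlapping_certs(inventory, host)` over every hostname you serve is a quick audit for exactly this kind of shadowing before a browser reports it.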

Ah, ok–that makes sense. I think I can adjust the certificate to remove the wildcard.

Great. Let us know if this resolves things for you.

I made the change and everything looks good now. Thanks!
