Netlify still serving Cloudflare Origin certificate instead of Let's Encrypt?

Hi, I’m Marco and this is a blocking issue:

I’ve recently moved from serving with Cloudflare Origin certs to Let’s Encrypt ones served by Netlify.
Today we are having a huge problem with serving our Netlify website cached by Cloudflare, so we turned the cache off (orange cloud to gray), without worries because the site is served with good Let’s Encrypt certs, we thought. But nay. Netlify is still serving our old Cloudflare Origin certs, and those are failing, rendering our website unreachable.

So a bit of context:

  • objective-bohr-67ec3b.netlify.app CNAME to welevel.academy
  • www.welevel.academy CNAME to welevel.academy
  • objective-bohr-67ec3b.netlify.app CNAME to www2.welevel.academy (for test purposes)
  • HTTP → HTTPS
  • Let’s Encrypt cert:
    Certificate Let’s Encrypt
    Domains welevel.academy, www.welevel.academy, www2.welevel.academy
    Created Dec 17 at 9:59 AM
    Updated Today at 11:34 AM
    Auto-renews before Mar 23, 2021 (in 3 months)
  • Served Cloudflare Origin Certificate:
    NET::ERR_CERT_AUTHORITY_INVALID
    Subject CloudFlare Origin Certificate
    Issuer CloudFlare, Inc.
    Expires on 11 Jan 2035
    Current date 23 Dec 2020
    PEM encoded chain
    -----BEGIN CERTIFICATE-----
    <full length cert here, omitted>
    -----END CERTIFICATE-----

@marcofaggian Welcome to the Netlify community.

How long ago did you make these DNS changes? I ask because what I’m seeing doesn’t match what your settings should be.

In Cloudflare, you need to point your apex domain to the Netlify load balancer IP address, which is 104.198.14.52.

Then you need to point your www subdomain to your Netlify subdomain, not the other way around as you have in your post.

Because you are using external DNS, I would recommend that you set your www subdomain as the primary instead of the apex domain for speed of loading, if nothing else.

Currently, your server shows as Cloudflare instead of Netlify, which is why the Let’s Encrypt certificate won’t issue.

|===================== curl check for server ====================
| ---------------------- should be Netlify ----------------------
| ----------------------- welevel.academy -----------------------
< Server: cloudflare

| --------------------- www.welevel.academy ---------------------
< Server: cloudflare
|================================================================

Consequently, you have an inactive zone with Netlify:

|================== check for inactive DNS zone =================
| --------------- last line should show nsone.net ---------------
;; Received 663 bytes from 37.209.194.7#53(demand.beta.aridns.net.au) in 23 ms

welevel.academy.	86400	IN	NS	gail.ns.cloudflare.com.
welevel.academy.	86400	IN	NS	ian.ns.cloudflare.com.
;; Received 98 bytes from 108.162.192.116#53(gail.ns.cloudflare.com) in 32 ms

|================================================================

I think once you get your DNS on the right track, the certificate will attach.
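An added example, not code from this thread or from Netlify: a small POSIX shell script that automates the two checks the reply above ran by hand (the Server header and the zone's nameservers) and adds the check this thread actually turns on, which certificate is presented for a given SNI name. The expected values (Server: Netlify, an issuer containing "Let's Encrypt", nameservers under nsone.net) are taken from the replies in this thread; the script name and usage are assumptions, and the sample issuer and nameserver strings in the offline demo and in the comments are constructed, not captured from the real hosts.

```shell
#!/bin/sh
# Added example for this thread, not a script from the original posts or from
# Netlify. It checks what the moderator checked by hand (Server header, zone
# nameservers) and adds the check the thread hinges on: which certificate is
# presented for a given SNI name. Expected values (Server: Netlify, issuer
# containing "Let's Encrypt", nameservers under nsone.net) come from the thread.

# --- pure classifiers (no network), so the logic can be checked offline ---

# Classify a Server header value (case-insensitive).
classify_server() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    *netlify*)    echo netlify ;;
    *cloudflare*) echo cloudflare ;;
    *)            echo other ;;
  esac
}

# Classify the "issuer=..." line printed by `openssl x509 -noout -issuer`.
classify_issuer() {
  case "$1" in
    *"Let's Encrypt"*)         echo letsencrypt ;;
    *CloudFlare*|*Cloudflare*) echo cloudflare-origin ;;
    *)                         echo other ;;
  esac
}

# Read nameserver names (one per line) on stdin; report whether the zone is
# delegated to Netlify DNS (every NS under nsone.net) or to an external provider.
classify_ns() {
  ns_total=0
  ns_netlify=0
  while IFS= read -r ns; do
    [ -n "$ns" ] || continue
    ns_total=$((ns_total + 1))
    case "$ns" in
      *.nsone.net|*.nsone.net.) ns_netlify=$((ns_netlify + 1)) ;;
    esac
  done
  if [ "$ns_total" -eq 0 ]; then
    echo none
  elif [ "$ns_netlify" -eq "$ns_total" ]; then
    echo netlify-dns
  else
    echo external
  fi
}

# --- live probes (need network plus curl, openssl and dig) ---

# Server header value for https://HOST/ (CR stripped).
server_header() {
  curl -sI "https://$1/" | awk 'tolower($1) == "server:" { print $2 }' | tr -d '\r'
}

# Issuer of the certificate actually presented for HOST. -servername matters:
# one load-balancer IP fronts many sites and picks the certificate by SNI, so
# a probe without it can show a different certificate than the browser gets.
cert_issuer() {
  openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer
}

# Nameservers delegated for ZONE (the apex, not a subdomain).
zone_ns() {
  dig +short NS "$1"
}

# Print the three classifications for HOST ($1) inside ZONE ($2).
check_host() {
  printf '%s\n  server: %s\n  cert:   %s\n  zone:   %s\n' "$1" \
    "$(classify_server "$(server_header "$1")")" \
    "$(classify_issuer "$(cert_issuer "$1")")" \
    "$(zone_ns "$2" | classify_ns)"
}

if [ "$#" -ge 2 ]; then
  # Usage (assumed name): sh check.sh welevel.academy welevel.academy www2.welevel.academy
  zone=$1
  shift
  for h in "$@"; do check_host "$h" "$zone"; done
else
  # Offline demo on constructed sample values (not captured from the real hosts).
  printf 'sample Cloudflare origin cert: %s\n' \
    "$(classify_issuer 'issuer=C = US, O = CloudFlare, Inc., CN = CloudFlare Origin Certificate')"
  printf "sample Let's Encrypt cert:      %s\n" \
    "$(classify_issuer "issuer=C = US, O = Let's Encrypt, CN = R3")"
  printf 'sample Cloudflare NS set:       %s\n' \
    "$(printf 'gail.ns.cloudflare.com.\nian.ns.cloudflare.com.\n' | classify_ns)"
fi
```

Two caveats when reading the live output: while a hostname is orange-clouded, curl and openssl talk to Cloudflare's edge, so the Server header and the certificate you see are Cloudflare's and say nothing about what Netlify presents; run the probe against a gray-clouded hostname such as the www2 test name. And the `cert_issuer` probe is the one that answers the original question directly: if the issuer for the SNI name still reads "CloudFlare, Inc." after the Let's Encrypt certificate shows as provisioned, the host is matching an older custom certificate rather than a DNS problem.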

Hi,
I’m a co-worker of @marcofaggian.

The DNS changes were made this morning as an attempt at solving a Cloudflare slowdown on FR1.

For now, just focus on the www2.welevel.academy domain.
It was created for testing the issue we are facing.

The other domains are behind Cloudflare, which allows us (for now) to keep the production website up and running for our clients while this issue is fixed.

Going back to the issue.

www2.welevel.academy is a CNAME pointing to the objective-bohr-67ec3b.netlify.app

This domain is resolved by Netlify, but the old, wrong SSL certificate is used.

The switch to the Let’s Encrypt certificate was done 2 weeks ago. We used to have custom-provided certs.
Today, after disabling the Cloudflare proxy, we discovered that the old certificates were still being used, when we thought they had been deleted.
It looks like there is a propagation/cache issue, since the old certs are still used.

We are only using Cloudflare as a DNS provider, and we didn’t have any wildcard configured or the apex domain configured to point at the general load balancer.

So what you suggest is to move the apex domain to the Netlify load balancer and then add each third-level domain as a CNAME. Is the load balancer a mandatory requirement? (Right now we are using the Cloudflare CNAME flattening function for the apex domain.)

@hitech95 Welcome to the Netlify community.

You are correct, I forgot about CNAME flattening with Cloudflare. The CNAME for your www2 subdomain does indeed point to your Netlify subdomain. However, your server still shows as Cloudflare instead of Netlify for your apex domain (your www2 subdomain is pointing at Netlify).

|===================== curl check for server ====================
| ---------------------- should be Netlify ----------------------
| ----------------------- welevel.academy -----------------------
< Server: cloudflare

| -------------------- www2.welevel.academy --------------------
< Server: Netlify
|================================================================

Could you please verify that you have added your apex domain to your Netlify account via the dashboard, and that it is connected with your Netlify subdomain?

If I understand you correctly, you are pointing your apex domain and www subdomain elsewhere while trying to troubleshoot this issue. My understanding is that the free Let’s Encrypt certificates attach to the apex domain, so if it doesn’t point to your Netlify site it might not provision. To have SSL that covers different welevel.academy subdomains on different servers, I believe you need a different (and expensive) wildcard certificate.

Yes, this is as intended; that is the main website and we have clients using it right now. So until the issue is solved we are keeping the main domain cached by Cloudflare.

Can you guide me with this? The Netlify Global DNS page seems not to be configured. (Probably because we are not using Netlify DNS servers.)
But each website has its domain configured:

This might also have to be considered.

Hiya @hitech95!

I see you’ve discovered what we and Cloudflare’s docs all say: “you cannot use Cloudflare’s certificates on other services”. You’ll need to replace the old cert here, if you want it out of our system:

That’s where you installed it and left it installed, so our system will keep trying to use it for hostnames it matches, unless you remove it. You’ll want to FIRST remove all domain names applied to that site that we don’t serve directly, then provision a Let’s Encrypt certificate for it (using the button in our UI to migrate to a Let’s Encrypt certificate).

Let me know how it goes!