I’ve recently moved from serving with Cloudflare Origin certs, to Let’s Encrypt ones served by Netlify.
Today we are having a huge problem with serving our Netlify website cached by Cloudflare, so we turned the cache off (orange cloud to gray), without worries because the site is served with good Let’s Encrypt certs, we thought. But nay. Netlify is still serving our old Cloudflare Origin certs, and those are failing, rendering our website unreachable.
Let’s Encrypt cert:
Certificate: Let’s Encrypt
Domains: welevel.academy, www.welevel.academy, www2.welevel.academy
Created: Dec 17 at 9:59 AM
Updated: Today at 11:34 AM
Auto-renews before: Mar 23, 2021 (in 3 months)
Served Cloudflare Origin Certificate:
NET::ERR_CERT_AUTHORITY_INVALID
Subject: CloudFlare Origin Certificate
Issuer: CloudFlare, Inc.
Expires on: 11 Jan 2035
Current date: 23 Dec 2020
PEM encoded chain:
-----BEGIN CERTIFICATE-----
<full length cert here, omitted>
-----END CERTIFICATE-----
How long ago did you make these DNS changes? I ask because what I’m seeing doesn’t match what your settings should be.
In Cloudflare, you need to point your apex domain to the Netlify load balancer IP address, which is 104.198.14.52.
Then you need to point your www subdomain to your Netlify subdomain, not the other way around as you have in your post.
Because you are using external DNS, I would recommend that you set your www subdomain as the primary instead of the apex domain for speed of loading, if nothing else.
Currently, your server shows as Cloudflare instead of Netlify, which is why the Let’s Encrypt certificate won’t issue.
|===================== curl check for server ====================
| ---------------------- should be Netlify ----------------------
| ----------------------- welevel.academy -----------------------
< Server: cloudflare
| --------------------- www.welevel.academy ---------------------
< Server: cloudflare
|================================================================
Consequently, you have an inactive zone with Netlify:
|================== check for inactive DNS zone =================
| --------------- last line should show nsone.net ---------------
;; Received 663 bytes from 37.209.194.7#53(demand.beta.aridns.net.au) in 23 ms
welevel.academy. 86400 IN NS gail.ns.cloudflare.com.
welevel.academy. 86400 IN NS ian.ns.cloudflare.com.
;; Received 98 bytes from 108.162.192.116#53(gail.ns.cloudflare.com) in 32 ms
|================================================================
I think once you get your DNS on the right track, the certificate will attach.
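The two checks above (Server header and delegated nameservers) plus the one the original post needed, which CA issued the certificate the host actually serves, as one POSIX shell script. This is an added example, not code from the thread or from Netlify; the file name, the label names and the sample captures are assumptions, and the live probe needs curl, dig and openssl on the path.

```shell
#!/bin/sh
# Added example, not from the thread: check which edge answers for a hostname,
# which nameservers the zone is delegated to, and which CA issued the
# certificate that is actually served. The parsers take captured output on
# stdin so they can be checked without network access; probe() does the live calls.

# Value of the HTTP Server header from `curl -sI` output.
extract_server() {
  tr -d '\r' | awk 'tolower($1) == "server:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# NS targets of the final delegation in `dig +trace NS <zone>` output, i.e. the
# NS records returned by the last server in the trace.
last_delegation() {
  tr -d '\r' | awk '
    $4 == "NS"     { ns = ns " " $5 }
    /^;; Received/ { last = ns; ns = "" }
    END            { sub(/^ /, "", last); print last }'
}

# Label the 'issuer=...' line from `openssl x509 -noout -issuer`. A Cloudflare
# Origin CA certificate is only meant to be validated by Cloudflare's proxy;
# a browser hitting the origin directly reports NET::ERR_CERT_AUTHORITY_INVALID.
classify_issuer() {
  tr -d '\r' | awk '
    { s = tolower($0) }
    s ~ /let.s encrypt/               { print "letsencrypt"; exit }
    s ~ /cloudflare/ && s ~ /origin/  { print "cloudflare-origin"; exit }
    s ~ /cloudflare/                  { print "cloudflare-edge"; exit }
                                      { print "other"; exit }'
}

# Live checks against one hostname (needs curl, dig and openssl).
probe() {
  host=$1
  # -k on purpose: the point here is the Server header; trust is judged below.
  server=$(curl -sIk --max-time 10 "https://$host/" | extract_server)
  ns=$(dig +trace NS "$host" 2>/dev/null | last_delegation)
  issuer=$(openssl s_client -servername "$host" -connect "$host:443" </dev/null 2>/dev/null \
           | openssl x509 -noout -issuer 2>/dev/null)
  printf '%s\n  server: %s\n  delegated NS: %s\n  %s  [%s]\n' "$host" \
    "${server:-<none>}" "${ns:-<none>}" "${issuer:-issuer=<no certificate>}" \
    "$(printf '%s\n' "$issuer" | classify_issuer)"
}

# Constructed captures (not real command output) for an offline dry run.
SAMPLE_HEADERS='HTTP/2 200 \r\nserver: Netlify\r\ncontent-type: text/html\r\n'
SAMPLE_TRACE='welevel.academy.\t86400\tIN\tNS\tgail.ns.cloudflare.com.\nwelevel.academy.\t86400\tIN\tNS\tian.ns.cloudflare.com.\n;; Received 98 bytes from 108.162.192.116#53(gail.ns.cloudflare.com) in 32 ms\n'
SAMPLE_ISSUER='issuer=C = US, O = CloudFlare, Inc., OU = CloudFlare Origin SSL Certificate Authority, CN = CloudFlare Origin SSL Certificate Authority\n'

if [ $# -gt 0 ]; then
  for h in "$@"; do probe "$h"; done
else
  printf 'server: %s\n' "$(printf "$SAMPLE_HEADERS" | extract_server)"
  printf 'delegated NS: %s\n' "$(printf "$SAMPLE_TRACE" | last_delegation)"
  printf 'issuer class: %s\n' "$(printf "$SAMPLE_ISSUER" | classify_issuer)"
fi
```

Run it as `sh check_origin.sh welevel.academy www.welevel.academy` (assumed file name) with the Cloudflare proxy off: a `cloudflare-origin` issuer label is exactly the failure the original post shows, because that CA is not in any browser trust store. The header check uses `-k` deliberately, since an untrusted certificate would otherwise hide the Server header that the check is there to read.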
This domain is resolved by Netlify, but the old, wrong SSL certificate is used.
The switch to the Let’s Encrypt certificate was done 2 weeks ago. We used to have custom provided certs.
Today, after disabling the Cloudflare proxy, we discovered that the old certificates were still being used when we thought they had been deleted.
It looks like there is a propagation/cache issue, because the old certs are still used.
We are only using Cloudflare as DNS provider, and we didn’t have any wildcard configured or apex domain configured to the general load balancer.
So what you suggest is to move the apex domain to the Netlify load balancer and then add each third-level domain as a CNAME. Is the load balancer a mandatory requirement? (Right now we are using the Cloudflare CNAME flattening function for the apex domain.)
You are correct, I forgot about CNAME flattening with Cloudflare. The CNAME for your www2 subdomain does indeed point to your Netlify subdomain. However, your server still shows as Cloudflare instead of Netlify for your apex domain (your www2 subdomain is pointing at Netlify).
|===================== curl check for server ====================
| ---------------------- should be Netlify ----------------------
| ----------------------- welevel.academy -----------------------
< Server: cloudflare
| -------------------- www2.welevel.academy --------------------
< Server: Netlify
|================================================================
Could you please verify that you have added your apex domain to your Netlify account via the dashboard, and that it is connected with your Netlify subdomain?
If I understand you correctly, you are pointing your apex domain and www subdomain elsewhere while trying to troubleshoot this issue. My understanding is that the free Let’s Encrypt certificates attach to the apex domain, so if it doesn’t point to your Netlify site it might not provision. To have SSL that covers different welevel.academy subdomains on different servers, I believe you need a different (and expensive) wildcard certificate.
Yes, this is as intended: that is the main website and we have clients using it right now. So until the issue is solved we are keeping the main domain cached by Cloudflare.
Can you guide me with this? The Netlify Global DNS page seems to be not configured (probably because we are not using Netlify’s DNS servers).
But each website has its domain configured:
I see you’ve discovered what we and Cloudflare’s docs all say: “you cannot use Cloudflare’s certificates on other services”. You’ll need to replace the old cert here, if you want it out of our system:
That’s where you installed it and left it installed, so our system will keep trying to use it for hostnames it matches, unless you remove it. You’ll want to FIRST remove all domain names applied to that site that we don’t serve directly, to provision a Let’s Encrypt certificate for it (using the button in our UI to migrate to a Let’s Encrypt certificate).