SSL changed to Let's Encrypt from Custom Certificate - not working consistently now

Hi!

site: docs.tezos.domains

We have switched from the Cloudflare Origin certificate on the site yesterday to using a Let’s Encrypt trusted certificate on docs.tezos.domains.

It seems like it’s still not fully functional across the Netlify CDN network.

On some computers I receive the proper certificate (Let’s Encrypt); on others I am still getting the untrusted Cloudflare Origin certificate (that was used previously).

I have tried renewing the certificate 30 minutes ago with no apparent change in behavior.

It seems like some part of the Netlify CDN is still serving the old certificate instead of the current trusted one.

edit:

curl -v https://docs.tezos.domains
* Rebuilt URL to: https://docs.tezos.domains/
*   Trying 104.198.14.52...
* TCP_NODELAY set
* Connected to docs.tezos.domains (104.198.14.52) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate in certificate chain
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

using

echo | openssl s_client -showcerts -servername docs.tezos.domains -connect docs.tezos.domains:443 2>/dev/null | openssl x509 -inform pem -noout -text

I am getting

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            7c:da:af:0b:a3:84:85:11:1a:9d:8f:9b:c8:b8:ec:71:ee:5c:03:3a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
        Validity
            Not Before: Jul  8 13:56:00 2020 GMT
            Not After : Jul  5 13:56:00 2035 GMT
        Subject: O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                40:42:C6:46:D3:6C:CF:52:1B:AB:9A:14:FF:D7:5C:52:C4:B9:F8:61
            X509v3 Authority Key Identifier:
                keyid:24:E8:53:57:5D:7C:34:40:87:A9:EB:94:DB:BA:E1:16:78:FC:29:A4

            Authority Information Access:
                OCSP - URI:http://ocsp.cloudflare.com/origin_ca

            X509v3 Subject Alternative Name:
                DNS:*.tezos.domains, DNS:tezos.domains
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.cloudflare.com/origin_ca.crl

    Signature Algorithm: sha256WithRSAEncryption

Thanks a lot for the help!

Kind regards,
Andrew
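To see which certificate each CDN node is serving rather than whichever one DNS happens to hand you, here is a small probe script (an added example, not from this thread or from Netlify): it resolves every address behind the hostname, connects to each with SNI, and reports the issuer or the verification error. The hostname and port are assumptions; replace them as needed.

```python
"""Probe every address behind a hostname and report the certificate each node
serves. Added example; the hostname below is taken from the thread, everything
else is an assumption."""
import socket
import ssl
from typing import Dict, List


def issuer_label(issuer) -> str:
    """Classify the issuer tuple returned by SSLSocket.getpeercert()['issuer']."""
    fields = {k: v for rdn in issuer for k, v in rdn}
    org = fields.get("organizationName", "")
    unit = fields.get("organizationalUnitName", "")
    if "Let's Encrypt" in org:
        return "lets-encrypt"
    if "CloudFlare" in org and "Origin" in unit:
        # Cloudflare Origin CA certs are only trusted by Cloudflare's own edge.
        return "cloudflare-origin"
    return "other:" + org


def probe_node(host: str, ip: str, port: int = 443, timeout: float = 5.0) -> Dict[str, str]:
    """Connect to one node with SNI=host using the system trust store."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
        return {"ip": ip, "status": "trusted", "issuer": issuer_label(cert["issuer"])}
    except ssl.SSLCertVerificationError as e:
        # e.g. "self signed certificate in certificate chain" for a stale origin cert
        return {"ip": ip, "status": "untrusted", "issuer": e.verify_message}
    except (OSError, ssl.SSLError) as e:
        return {"ip": ip, "status": "error", "issuer": str(e)}


def consistent(results: List[Dict[str, str]]) -> bool:
    """True only if every node presented a trusted cert from the same issuer."""
    seen = {(r["status"], r["issuer"]) for r in results}
    return len(seen) == 1 and next(iter(seen))[0] == "trusted"


def probe_all(host: str, port: int = 443) -> List[Dict[str, str]]:
    """Resolve all A/AAAA records for host and probe each one."""
    ips = sorted({ai[4][0] for ai in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)})
    return [probe_node(host, ip, port) for ip in ips]


if __name__ == "__main__":
    nodes = probe_all("docs.tezos.domains")  # hostname from the thread
    for node in nodes:
        print(node)
    print("consistent:", consistent(nodes))
```

Run it from a few networks (or re-run over time) since DNS may steer you to different nodes; any node reporting "untrusted" or a different issuer is still serving the old certificate.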

@agilev Welcome to the Netlify community.

Do you own / control the tezos.domains apex domain, or only the docs subdomain?

Are you using CNAME flattening?

Can you turn off DNSSEC for your apex domain?

Hi @gregraven !

Yes, we have the full domain.

We are using Flatten CNAME at root

Can you turn off DNSSEC for your apex domain?
If it helps with the current situation, we can do that, but we would rather keep it there if possible. Is DNSSEC the root cause for this?

edit:
If it’s easier, we can go back to using the Cloudflare Origin Certificate instead of Let’s Encrypt and enable the Cloudflare CDN instead of Netlify (and go directly to the Netlify origin from Cloudflare instead of using a CNAME).

Netlify doesn’t work with DNSSEC turned on at Cloudflare.


Thanks! That explains it, I wasn’t aware of that constraint.