SSL Privacy Error after disabling CloudFlare

thombruce · May 16, 2020, 3:53pm

PLEASE help us help you by writing a good post!

Sites

Multiple sites: thombruce.netlify.app, madebythom.netlify.app + 3 more (affects all sites on my account)

DNS issues

Custom domains: thombruce.com, madeby.thombruce.com

Error message: Your connection is not private. NET::ERR_CERT_AUTHORITY_INVALID

Story:

I had been using Clouflare with Strict SSL and an origin certificate added to the custom SSL option here on Netlify.

I decided to turn off Cloudflare’s proxy. As well as this, I removed their SSL and purged Cloudflare’s cache.

I have had Netlify add Let’s Encrypt certs for each of my sites.

I have waited 24+ hours to see if these issues disappear on their own.

List of issues I’m still seeing:

The privacy error message above. Intermittent, but seeing it most of the time. Checking the certificate in browser, I am still seeing “CloudFlare Origin Certificate”. This should be my custom Let’s Encrypt cert from Netlify?
Noticed that even with Cloudflare’s proxy disabled and no other site having the Cloudflare certificate anymore, if I do attempt to create a new site in Netlify it has the Cloudflare origin certificate added by default … This seems unusual. Is that cert associated with my account in some way?

luke · May 12, 2020, 11:01am

Hi, @thombruce, I checked our database and we have no SSL certificates for this domain except Let’s Encrypt certificates. If you were seeing Cloudflare’s SSL certificates that is because your web browser was being directed to Cloudflare.

My best guess is that your were sometimes being directed to Netlify and sometimes being directed to Cloudflare. This would be caused by the time to live values in the previous DNS records:

If there are other questions about this, please let us know.

thombruce · May 12, 2020, 2:05pm

Thank you, Luke. Yes, today I seem to be able to access my sites without issue… but it has been intermittent, so we shall see.

I do have a follow-up question relating to last issue I described above. I’ve just gone and created another site to see if this is still happening.

App name: priceless-newton-acdfec.netlify.app

Custom domain: priceless-newton.thombruce.com

Having just added this site and a custom domain, having done nothing else…

…I am still seeing a custom certificate applied to the domain by default in Netlify:

This is why I wondered if that certificate was somehow associated with my account or… I don’t know why Netlify keeps applying it by default (it is, of course, invalid with Cloudflare now disabled).

Any thoughts?

luke · May 16, 2020, 2:14am

Hi, @thombruce. Well, I was wrong. There was a certificate I didn’t find with my original search. (I’ve identified my mistake so I won’t miss a certificate like this in the future.)

That is a third-party SSL certificate uploaded to our service. It isn’t a certificate we created.

Our system will apply a custom certificate to a site if one has been uploaded to a different site. This certificate was uploaded to the site with the API ID of e733c1ff-ffd9-42c2-9d87-afbcecf5f6f4 (and this is a site which no longer exists).

I’ve removed that certificate now. It won’t auto-apply to your sites anymore.

Do you want to use the automatic Let’s Encrypt SSL certificates for this site? (“This site” meaning the one with the name priceless-newton-acdfec.netlify.app.)

If so, there is a custom domain assigned to it which doesn’t have the required DNS record created. This will prevent us from creating the automatic Let’s Encrypt certificate for this site. However, if the required DNS record is created we can manage the SSL for it. The instructions for creating the DNS records can be found below:

Please let us know if there are other questions about this.

thombruce · May 16, 2020, 2:14am

Thank you, Luke. No, I created “priceless-newton-acdfec” as a test/demonstration to see if the phenomenon I was experiencing still happened and to gather further info.

Thank you for removing that certificate. I was looking everywhere for a clue as to why that was happening. I shall mark this as solved now. Thank you very much.