ssl certificate fails

Username (e.g. epiz_XXX) or Website URL

epiz_32322799

Error Message

CNAME in Cloudflare checks out with the InfinityFree SSL wizard, but it fails. I’ve tried 4 times over the last day or so. It’s set to “DNS only” in Cloudflare, as instructed. DNS is working and updated, and a DNS record search shows no errors that I can see.

Other Information

The infinityfree error on failure is:

“SSL certificate error: The provider returned an unknown error. Please try again later.”

The CNAME records passed. What happens when you click verify domain?

I get a pinwheel on the bottom of the screen which tells me I can refresh the page. When I refresh or wait and go back to the main SSL page the status shows “failed”. It’s reusing the same cname code so it doesn’t hurt to retry, right?

I checked your domain and orders.

I think this issue is caused by other DNS records at Cloudflare interfering. When I do a DNS TXT lookup for _acme-challenge.(your domain), I get two TXT records returned directly by Cloudflare.

If you remove these, Cloudflare should respond with the CNAME record instead, which Let’s Encrypt will then use to find the real TXT record on our servers.

Can you please check your DNS records at Cloudflare and see if there are any TXT records for the _acme-challenge subdomain? And if they are there, remove them?


That said, I do have a hunch that the records might not be there. It might be that these TXT records were published by Cloudflare on your domain. Cloudflare recently started using Let’s Encrypt certificates for some sites hosted with them, and it seems your domain is using one as well. To get that certificate, Cloudflare would have to publish Let’s Encrypt validation records on your domain as well, and those would likely take precedence over our records.

If so, that would mean you cannot get a Let’s Encrypt or ZeroSSL certificate from us on a domain using Cloudflare. But you could still use GoGetSSL.

This isn’t great. On the other hand, it does beg the question why you want a Let’s Encrypt certificate from us when you’re using Cloudflare already. If you’re using Cloudflare, you can just get a self signed certificate and set Cloudflare to “Full” SSL mode, and you won’t have to worry about SSL certificates again for the next decade.

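The lookup the admin describes above is the DNS-01 validation path: the CA computes the expected TXT value from the challenge token and the ACME account key (RFC 8555 §8.4), queries `_acme-challenge.<domain>` for TXT, and follows a CNAME to wherever the host actually publishes it. The following is an added example, not code from InfinityFree or from the thread: it models that check with a constructed in-memory zone. The domain `example.com`, the token, the account JWK and the CNAME target `abc123.acme-dns.hosting.example` are all placeholders. It shows the healthy delegated case and the failure mode in the thread, where the DNS provider answers TXT directly at the challenge name, so the resolver stops there and never reaches the host's record.

```python
import base64
import hashlib
import json

# Constructed sample data (not the poster's real domain, token or account key).
DOMAIN = "example.com"
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"   # placeholder ACME challenge token
ACCOUNT_JWK = {                                            # placeholder EC public key, RFC 7638 members only
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
DELEGATION_TARGET = "abc123.acme-dns.hosting.example"     # placeholder CNAME target at the host


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the JWK's required members, lexicographically ordered, no whitespace."""
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode()
    return _b64url(hashlib.sha256(canonical).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT rdata = base64url(SHA-256(token "." thumbprint))."""
    key_auth = f"{token}.{jwk_thumbprint(jwk)}".encode()
    return _b64url(hashlib.sha256(key_auth).digest())


def resolve_txt(zone: dict, name: str, max_hops: int = 8):
    """Look up TXT at `name` the way a validating resolver does: follow CNAMEs until a
    name with TXT data is reached. Returns (owner_name_that_answered, txt_values).
    If the authoritative server answers TXT at the queried name, the lookup ends there;
    a CNAME at that owner is never consulted (RFC 1034: a CNAME excludes other data)."""
    for _ in range(max_hops):
        txt = zone.get((name, "TXT"))
        if txt:
            return name, list(txt)
        cname = zone.get((name, "CNAME"))
        if not cname:
            return name, []
        name = cname[0]
    raise RuntimeError("CNAME chain exceeds max_hops")


def dns01_validate(zone: dict, domain: str, token: str, jwk: dict) -> dict:
    """Emulate the CA's DNS-01 check and report where the answer came from, for diagnosis."""
    challenge_name = f"_acme-challenge.{domain}"
    expected = dns01_txt_value(token, jwk)
    answered_at, values = resolve_txt(zone, challenge_name)
    return {
        "valid": expected in values,
        "answered_at": answered_at,
        "delegated": answered_at != challenge_name,
        "txt_count": len(values),
    }


def delegated_zone() -> dict:
    """Healthy setup: the DNS provider serves only the CNAME; the host serves the real TXT."""
    return {
        (f"_acme-challenge.{DOMAIN}", "CNAME"): [DELEGATION_TARGET],
        (DELEGATION_TARGET, "TXT"): [dns01_txt_value(TOKEN, ACCOUNT_JWK)],
    }


def shadowed_zone() -> dict:
    """Failure mode from the thread: the DNS provider answers TXT directly at the challenge
    name (constructed stand-in values for records left by some other certificate order),
    so the resolver never follows the CNAME and never sees the host's TXT."""
    zone = delegated_zone()
    zone[(f"_acme-challenge.{DOMAIN}", "TXT")] = [
        "0000000000000000000000000000000000000000000",   # constructed, not a real challenge value
        "1111111111111111111111111111111111111111111",
    ]
    return zone


if __name__ == "__main__":
    for label, zone in (("delegated", delegated_zone()), ("shadowed", shadowed_zone())):
        print(label, dns01_validate(zone, DOMAIN, TOKEN, ACCOUNT_JWK))
```

The diagnostic field to look at is `answered_at`: against a real zone, the equivalent is `dig _acme-challenge.<domain> TXT` returning TXT data with no CNAME in the answer section, which is exactly the symptom the admin reports.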

Thanks for looking into this for me!

I added a TXT entry before I created this ticket while reading through the manuals regarding the acmechallenge plugin information on Let’s Encrypt. I’ve since removed that one TXT I added early this morning. But the issue existed before I added that TXT record.

I’ve also enabled and disabled Cloudflare Flexible SSL yesterday and then later tried “Full (strict)” using the InfinityFree-generated self-signed cert, which of course failed browser checks. This is when I switched to the Let’s Encrypt option on InfinityFree and added the CNAME entry.

I don’t believe Cloudflare’s Flexible option is a secure solution for our needs. We may enable purchases with credit cards on the website eventually or host sensitive information and would want full SSL for that.

Here’s the current setup in cloudflare. No TXT records other than for dkim, dmarc and spf.

While looking over the cloudflare account I noticed that, under the SSL section that the submenu “edge certificates” had certs enabled there. I think those might be the two TXT entries you noticed? I just disabled “Universal SSL” entirely which removed them. So maybe that will solve the issue? Should I wait?

When I first set up the infinityfree account I added mx and spf txt entries. When I ‘dig domain.com TXT’ the only TXT record I see is the spf record I added to the infinityfree host account. Should I remove what I added to the host account cpanel? Or does it even matter since cloudflare is the nameserver now? Wondering why the spf shows up but not the dkim & dmarc TXT entries.

Your DNS records are looking all good. But when I do a TXT record lookup on _acme-challenge.(your domain), I see two TXT records are being returned, and no CNAME record.

You can verify it here by replacing the “example.com” part with your own domain.

In normal circumstances, the response would also show the CNAME record, and possibly some TXT records from a previous certificate order linked to the CNAME host, like this:

But these TXT records don’t show up in Cloudflare, which does appear to confirm my hunch that these records are internally generated by Cloudflare.

You can use the self-signed certificate with “Full” SSL mode, but not with “Full (strict)”. If you use a self signed certificate with “Full (strict)” mode, you’ll get a Cloudflare error page saying the SSL certificate is invalid.

If you get an actual browser SSL error, that means that there isn’t (yet) a Cloudflare edge certificate. But when I try to open your site now, I do get an HTTPS connection with a Let’s Encrypt certificate from Cloudflare.

We recommend going for “Full” SSL mode with a self signed cert because it’s easiest to setup and maintain, and provides enough security for most projects.

I think they are related, yes. But I’m not sure disabling Universal SSL will remove those records. And I’m not sure if you’ll be able to get an SSL certificate on the Cloudflare edge, and if it’s possible, that it’s easy to maintain. I definitely don’t think it’s the way forward.

When you’re using Cloudflare, you’ll have two SSL certificates: an Edge Certificate and an Origin Certificate. The Edge Certificate is created automatically by Cloudflare and is what your visitors will see. The Origin Certificate needs to be supplied by you and is not visible to visitors, but does determine the SSL security level you can use.


To not go into explainer mode, there are a few ways forward I can see for you:

  • You can set Cloudflare’s SSL mode to Full and reinstall the Self Signed SSL certificate on your domain. That’s secure enough and is easy to set up.
  • You can get an SSL certificate from GoGetSSL through our Free SSL Certificates tool and install that. That way, you’ll be able to use “Full (strict)” SSL mode in Cloudflare.
  • You can stop using Cloudflare entirely and switch back to our nameservers where publishing the CNAME records just works.

You can use GoGetSSL because it uses a different validation mechanism than Let’s Encrypt and ZeroSSL, which won’t be affected by this issue (if it works the way I think it does).


Thanks for your time and attention to this.

  • You can set Cloudflare’s SSL mode to Full and reinstall the Self Signed SSL certificate on your domain. That’s secure enough and is easy to set up.

The problem with this option is that when I set it up this way and visit the site on my phone I got the error “This site may be impersonating [domainname]”, and the details of the error state it’s because the site is using an unsigned certificate. Most site visitors won’t get past that, as it’s quite alarming for less technical users and they’ll abandon trying to visit the site.

  • You can get an SSL certificate from GoGetSSL through our Free SSL Certificates tool and install that. That way, you’ll be able to use “Full (strict)” SSL mode in Cloudflare.

It might have to be this. Seems as if it may be the only option.

  • You can stop using Cloudflare entirely and switch back to our nameservers where publishing the CNAME records just works.

I have no pressing need for cloudflare particularly. It’s just a nice extra with some analytics options I like. And their CDN makes this work well. But we require dkim and dmarc records and I believe that’s not possible with infinityfree. Is that correct?


I did notice this option which I already disabled earlier this afternoon. So maybe the certs were from this option being enabled earlier?

Also, please search crt.sh to view certificates issued for the domain. Is there any information there that’s useful? I see several renewals, all from today and yesterday, and they came from Google. Could these be the source of my problems? One just renewed today. It’s from our current (soon to be former) email provider. They also previously hosted the website. I thought only one certificate could be active at a time per domain? Those recent certs are for email only, maybe? SSL encryption and DNS are something I need to learn more about, admittedly :sweat_smile:

You can click on “crt.sh ID” for more in-depth certificate information


Here’s what it shows currently

That is not what Admin said. You can get a Self Signed certificate and install it, and as long as you use Cloudflare with SSL/TLS settings at Full, your visitors won’t (shouldn’t) experience any SSL/TLS-related errors.

You are correct.

Yes, but if you follow my recommendation above, you will need to enable this again, otherwise Cloudflare won’t issue any valid Edge certificate for your domain.

Cloudflare uses three issuers: Their own CA, Let’s Encrypt, and Google Trust Services.

No, many can be active, however, only one certificate can be used at a time. Cloudflare recently added a Backup Certificates program for all free users, you can read more about it here.

I am a little curious why there were so many issuances today and yesterday, but as long as you have a working certificate installed (through whoever), you’ll be fine.

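The reply above says many certificates can exist for a domain at once and names the three issuers Cloudflare uses. A practitioner checking crt.sh would want to turn the raw listing into a short answer: which certificates are currently within their validity window, and from which CA. The following is an added example, not code from the thread or from crt.sh: it parses a constructed sample in the shape of crt.sh's `output=json` listing (fields `id`, `issuer_name`, `common_name`, `name_value`, `not_before`, `not_after`), collapses the precertificate/final-certificate pairs that crt.sh lists as separate rows, and reports what was valid at a given moment. The entries, dates and issuer DNs are constructed, not the poster's real log entries.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample in the shape of crt.sh's JSON output. Not real log entries.
# Rows 1001 and 1002 stand for a precertificate and its final certificate (same
# issuer, names and validity), which crt.sh lists as two separate rows.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=Google Trust Services LLC, CN=GTS CA 1D4",
     "common_name": "example.com", "name_value": "example.com\nwww.example.com",
     "not_before": "2023-03-01T10:00:00", "not_after": "2023-05-30T10:00:00"},
    {"id": 1002, "issuer_name": "C=US, O=Google Trust Services LLC, CN=GTS CA 1D4",
     "common_name": "example.com", "name_value": "example.com\nwww.example.com",
     "not_before": "2023-03-01T10:00:00", "not_after": "2023-05-30T10:00:00"},
    {"id": 1003, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com", "name_value": "*.example.com\nexample.com",
     "not_before": "2023-03-02T08:00:00", "not_after": "2023-05-31T08:00:00"},
    {"id": 1004, "issuer_name": "C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3",
     "common_name": "example.com", "name_value": "*.example.com\nexample.com",
     "not_before": "2022-01-01T00:00:00", "not_after": "2022-12-31T23:59:59"},
])


def _utc(iso_text):
    """crt.sh timestamps are naive UTC; attach the zone so comparisons are explicit."""
    return datetime.fromisoformat(iso_text).replace(tzinfo=timezone.utc)


def issuer_org(dn):
    """Pull the O= value out of an RFC 4514-style DN. The lookahead stops at the next
    ', KEY=' pair, so an organisation containing a comma ('Cloudflare, Inc.') survives."""
    m = re.search(r"(?:^|, )O=(.+?)(?=, [A-Z]+=|$)", dn)
    return m.group(1) if m else dn


def parse_crtsh(json_text):
    rows = []
    for row in json.loads(json_text):
        rows.append({
            "id": row["id"],
            "issuer_name": row["issuer_name"],
            "issuer": issuer_org(row["issuer_name"]),
            "names": tuple(sorted(set(row["name_value"].split("\n")))),
            "not_before": _utc(row["not_before"]),
            "not_after": _utc(row["not_after"]),
        })
    return rows


def dedupe(entries):
    """Collapse precert/leaf pairs: same issuer, same SAN set, same validity window."""
    seen = {}
    for e in entries:
        key = (e["issuer_name"], e["names"], e["not_before"], e["not_after"])
        seen.setdefault(key, e)
    return list(seen.values())


def valid_at(entries, when):
    return [e for e in entries if e["not_before"] <= when <= e["not_after"]]


def count_by_issuer(entries):
    counts = {}
    for e in entries:
        counts[e["issuer"]] = counts.get(e["issuer"], 0) + 1
    return counts


def live_issuers(json_text, when_iso):
    """Sorted list of issuing organisations with a distinct, unexpired certificate at `when_iso`."""
    live = valid_at(dedupe(parse_crtsh(json_text)), _utc(when_iso))
    return sorted({e["issuer"] for e in live})


if __name__ == "__main__":
    entries = parse_crtsh(SAMPLE_CRTSH_JSON)
    print("rows:", len(entries), "distinct certs:", len(dedupe(entries)))
    print("by issuer:", count_by_issuer(entries))
    print("live on 2023-04-01:", live_issuers(SAMPLE_CRTSH_JSON, "2023-04-01T00:00:00"))
```

Against a real domain the same functions can be fed the body of `https://crt.sh/?q=%25.<domain>&output=json`. Seeing two or more live certificates from different CAs is normal for a domain behind Cloudflare plus a separately hosted mail or web service; it says nothing about which certificate a given host is actually serving, which only a TLS connection to that host can tell you.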

You can get a Self Signed certificate and install it, and as long as you use Cloudflare with SSL/TLS settings at Full, your visitors won’t (shouldn’t) experience any SSL/TLS-related errors.

Well, I tried this in InfinityFree. I set up the self-signed certificate and installed it into the host’s cPanel. Then I set Cloudflare to Full. It worked, but the browsers I tested it with gave the error “This site may be impersonating [domainname]”, and the details of the error reveal it’s because the site was using a self-signed certificate. The details of the certificate showed “Infinity Free” as the issuer.

You are correct.

Ok thanks for clarifying. This confirms that it’s not an option. We require dkim and dmarc. We had problems with spam sent from our domain and other issues without them.

Yes, but if you follow my recommendation above, you will need to enable this again, otherwise Cloudflare won’t issue any valid Edge certificate for your domain.

For the moment I’ve copied the site to cloudflare pages (just to test it out) and it’s all working with their ssl properly. It’s a very small site and seems to be a good fit. I would like to use infinity free in the future for this or other domains possibly. So I’m still trying to understand all the details.

No, many can be active, however, only one certificate can be used at a time.

Can one cert be active for an email host and another for a web site? I assume this is the case but I’m uncertain what you mean.

Something about this isn’t right. You installed the SSL correctly and set Cloudflare to Full. My best guess is that you are experiencing browser caching. Try clearing your cache (or using Incognito) and see if it works. It should, based on the setup you have described here.
If you would like me to test, just PM me (by clicking on my profile icon, then message), and I’ll check it out.

You can issue many certificates for a website; in this example I’ll use wackyblackie.gq. I could go and issue 300 certificates, and they would all be active. However, I can only install one at a time, and the one I installed would be the one browsers would use. I’m not going to get into email security, though, because it is a little harder to explain, but both use E2EE with X.509 certificates.


Try clearing your cache (or using Incognito) and see if it works. It should, based on the setup you have described here.

I can’t explain it but, I did test this using three different browsers on mobile and clearing the browsers caches each time too. It’s not setup that way anymore so I’d have to change it back to test it. I might wait a day or two then swap back to infinityfree and see if it works then.

So did it work?

Right now it’s working yes but that’s because I have it setup in Cloudflare “pages” so they’re hosting it now too.

I also just noticed that I hadn’t deactivated our google workspace account which is where it was previously hosted. I was going to wait to deactivate the domain from google workspaces once the new email and web host was set up and working. But that may have been part of the problem too, maybe? :sweat_smile: We’re transitioning the email later this week so I could try again once the workspace account is deleted if that’s part of the problem.

The registrar for the domain is not Cloudflare; I’m just using their services. So if I want to use InfinityFree in the future, couldn’t I simply delete the domain from Cloudflare and swap back to my registrar’s nameservers? If the CNAME SSL validation works with the registrar’s nameservers, that may solve the SSL problem, yes? They allow DKIM and DMARC entries too, which would make up for the fact that InfinityFree doesn’t.

That’s impossible. Or at the very least unrelated.

What kind of certificate you install on your hosting account only affects the connection between Cloudflare and your site. It absolutely cannot affect the connection between your visitor and Cloudflare and can never result in an SSL error generated by the browsers/devices of visitors.

That error was caused either by Cloudflare not having finished setting up your Universal SSL certificate, or because your phone was connecting directly to your hosting account (because of DNS caching or because the Cloudflare proxy wasn’t enabled for the DNS record).

When you have Cloudflare setup with Full SSL mode and a self signed certificate on your hosting account, all devices will see a fully trusted SSL certificate and no SSL errors at all.

That’s correct. Although you could use Cloudflare’s DNS without the web proxy, or use a different DNS provider entirely.

The problem is not that the certificates exists, the problem is that to get those certificates, Cloudflare installed hidden DNS records on your domain, and that Cloudflare responds with those hidden records to queries instead of the records that you set.

Even after the certificates have been issued and even after disabling Universal SSL, the records were not removed by Cloudflare, and I doubt there is any way to delete them at all.

Please note that switching your domain’s nameservers from our servers back to Cloudflare (or any DNS change, for that matter) is affected by DNS caching, which means it may take up to 72 hours to take effect.

So if you swap your nameservers to Cloudflare and then install the Self Signed certificate, you may still see SSL errors on devices. But that will fix itself automatically within those 72 hours. And after that, you won’t see such errors again.

