Geekzone: technology news, blogs, forums
xpd
Geek of Coastguard
14116 posts
Uber Geek
+1 received by user: 4578
Retired Mod
ID Verified
Trusted
Lifetime subscriber

#269900 13-Apr-2020 16:58

All the time I've run a website and helped others, I've never had to bother with SSL.

And now I'm wanting to implement it on my personal site... but hitting a snag.

Site hosted with Openhost, DNS with Cloudflare and SSL cert via Cloudflare.

So I've generated a cert with CF, copied the supplied cert info.

Gone to Openhost, and added cert (via text paste) to the SSL section, which it accepted.

Set my site (WordPress) to use https://www.xpd.co.nz/

But getting invalid cert error when visiting my site.

What have I done wrong? :)

CF gave me 3 lots of text (keys).

Any ideas? :)
 

Ta

XPD / Gavin
LinkTree

BlakJak
1330 posts

Uber Geek
+1 received by user: 735

Trusted

#2460673 13-Apr-2020 17:02

Google gave me https://community.cloudflare.com/t/ssl-issue-unknown-issuer-from-firefox/62260

No signature to see here, move along...

richms
29098 posts

Uber Geek
+1 received by user: 10209

Trusted
Lifetime subscriber

#2460674 13-Apr-2020 17:03

I thought that the certs from cloudflare were not for end users?

Richard rich.ms

danfaulknor
974 posts

Ultimate Geek
+1 received by user: 533

Trusted
Prodigi
Subscriber

#2460675 13-Apr-2020 17:05

Judging by the IP returned for www.xpd.co.nz you're not proxying through Cloudflare. The origin cert is not trusted by browsers, only by Cloudflare. Once you're proxying through Cloudflare with SSL enabled, they'll generate a valid cert for you and present that to visitors, while using the one you got from them (Cert + key) to encrypt traffic between Cloudflare and OpenHost.

they/them

Prodigi - Optimised IT Solutions
WebOps/DevOps, Managed IT, Hosting and Internet/WAN.

jarledb
Webhead
3319 posts

Uber Geek
+1 received by user: 1983

Moderator
ID Verified
Trusted
Lifetime subscriber

#2460678 13-Apr-2020 17:07

I am guessing that those certs are for encrypting the communication between Cloudflare and your site, when you are using Cloudflare's caching and WAF.

Any reason you are not using it? Especially for blocking brute force logins etc, it's very useful.

Jarle Dahl Bergersen

xpd
Geek of Coastguard
14116 posts
Uber Geek
+1 received by user: 4578
Retired Mod
ID Verified
Trusted
Lifetime subscriber

#2460689 13-Apr-2020 17:33

danielfaulknor:

Judging by the IP returned for www.xpd.co.nz you're not proxying through Cloudflare. The origin cert is not trusted by browsers, only by Cloudflare. Once you're proxying through Cloudflare with SSL enabled, they'll generate a valid cert for you and present that to visitors, while using the one you got from them (Cert + key) to encrypt traffic between Cloudflare and OpenHost.

Bingo :)

Thank you kind sir, choc fish for you :)


freitasm
BDFL - Memuneh
80652 posts

Uber Geek
+1 received by user: 41038

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

#2460761 13-Apr-2020 20:06

Make sure to lock your site to only accept connections coming from these IPs: https://www.cloudflare.com/ips/

michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

#2460765 13-Apr-2020 20:15

Also,

- Ensure that xpd.co.nz is pointing towards your Openhost server and www.xpd.co.nz is a CNAME to xpd.co.nz (currently, xpd.co.nz is pointing towards what I presume to be your BigPipe IP).
- Ensure HSTS is enabled with the following settings (note, this prevents you from ever using non-encrypted HTTP on your site, which is not at all a bad thing) - this is set in Cloudflare under SSL/TLS --> Edge Certificates:
-- Status: On
-- Max-Age: 12 months
-- Include subdomains: On
-- Preload: On
- Add your site to the Preload list: https://hstspreload.org/
- Ensure Automatic HTTPS Rewrites is enabled along with TLS 1.3, set your Minimum TLS Version to 1.2 and disable Opportunistic Encryption.

There is no reason these days to use HTTP. SSL certificates are free.

Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.
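An added check for the HSTS settings listed in the post above (not code from the thread, Cloudflare or Geekzone): it parses a Strict-Transport-Security header and reports whether it carries the values michaelmurfy recommends, which are also the minimums https://hstspreload.org/ requires before a site is accepted. The sample headers are constructed.

```python
"""Checker for the HSTS settings recommended in the thread (12-month max-age,
includeSubDomains, preload), which are also the minimums hstspreload.org requires.
Added example, not Cloudflare or Geekzone code; the sample headers are constructed."""
from __future__ import annotations

import re

ONE_YEAR = 31536000  # seconds; Cloudflare's "12 months" and the smallest preload-list max-age


def parse_hsts(header: str) -> dict[str, str | None]:
    """Split a Strict-Transport-Security header into directives (names lower-cased)."""
    directives: dict[str, str | None] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else None
    return directives


def check_hsts(header: str | None) -> list[str]:
    """Return the problems found; an empty list means the header is preload-ready."""
    if not header:
        return ["no Strict-Transport-Security header sent"]
    d = parse_hsts(header)
    problems: list[str] = []
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        problems.append("max-age missing or not a number")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} is below {ONE_YEAR} (12 months)")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    return problems


# Constructed sample headers: the first is what the settings above produce,
# the second a weak header the preload list would reject.
GOOD = "max-age=31536000; includeSubDomains; preload"
WEAK = "max-age=86400"

if __name__ == "__main__":
    for h in (GOOD, WEAK, None):
        print(repr(h), "->", check_hsts(h) or "OK")
```

Fetch the live header with `curl -sI https://www.example.com/ | grep -i strict-transport-security` and feed it to `check_hsts` to confirm the Cloudflare setting actually reaches visitors.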


xpd
Geek of Coastguard
14116 posts
Uber Geek
+1 received by user: 4578
Retired Mod
ID Verified
Trusted
Lifetime subscriber

#2460767 13-Apr-2020 20:18

Thanks MM. Yeah, I've got to do some tidy-up there :)


timmmay
20858 posts

Uber Geek
+1 received by user: 5350

Trusted
Lifetime subscriber

#2460798 13-Apr-2020 20:59

freitasm:

Make sure to lock your site to only accept connections coming from these IPs: https://www.cloudflare.com/ips/

Plus optionally your own IP, if you want to connect directly.
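As an added example tying together two points in this thread (danfaulknor's diagnosis that the name resolves to a non-Cloudflare address, so visitors see the untrusted origin cert, and freitasm's and timmmay's advice to let only Cloudflare plus your own IP reach the origin): this is not code from the thread, Cloudflare or Openhost, and the ranges in it are RFC 5737/3849 documentation blocks standing in for the real list at https://www.cloudflare.com/ips/.

```python
"""Two uses of the Cloudflare IP list published at https://www.cloudflare.com/ips/:
diagnosing whether visitors actually go through Cloudflare (if the hostname resolves
to an address outside the list, browsers hit the origin and see its untrusted origin
cert), and generating an origin allow-list so only Cloudflare, plus optionally your
own address, can connect. Added example, not Cloudflare or Openhost code; the ranges
below are RFC 5737/3849 documentation blocks standing in for the real list."""
import ipaddress
from typing import Iterable

# Constructed stand-in for the published ranges; replace with the real list.
CLOUDFLARE_RANGES = ["198.51.100.0/24", "203.0.113.0/24", "2001:db8:cf::/48"]


def in_ranges(ip: str, ranges: Iterable[str]) -> bool:
    """True if ip lies in any CIDR block; a bare address counts as a /32 or /128."""
    addr = ipaddress.ip_address(ip)
    # Address-in-network tests are False across IPv4/IPv6, so mixed lists are safe.
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def proxied_by_cloudflare(resolved_ip: str, ranges: Iterable[str] = CLOUDFLARE_RANGES) -> bool:
    """The site is proxied only if the address the public DNS name resolves to is
    Cloudflare's; an origin (hosting) address means the proxy is off for that record."""
    return in_ranges(resolved_ip, ranges)


def nginx_allowlist(ranges: Iterable[str], extra_ips: Iterable[str] = ()) -> str:
    """Render nginx allow/deny directives: Cloudflare ranges, then any admin
    addresses that may still reach the origin directly, then deny everything else."""
    lines = ["# generated: accept only Cloudflare and listed admin addresses"]
    lines += [f"allow {r};" for r in ranges]
    lines += [f"allow {ipaddress.ip_network(ip)};  # own IP" for ip in extra_ips]
    lines.append("deny all;")
    return "\n".join(lines)


def connection_allowed(client_ip: str, ranges: Iterable[str] = CLOUDFLARE_RANGES,
                       extra_ips: Iterable[str] = ()) -> bool:
    """Mirror the decision the generated rules would make for one client address."""
    return in_ranges(client_ip, list(ranges) + list(extra_ips))


if __name__ == "__main__":
    # Constructed values: a Cloudflare edge address and the origin's own address.
    for ip in ("198.51.100.7", "192.0.2.10"):
        print(ip, "proxied" if proxied_by_cloudflare(ip) else "NOT proxied: visitors get the origin cert")
    print(nginx_allowlist(CLOUDFLARE_RANGES, extra_ips=["192.0.2.50"]))
```

The published list changes occasionally, so regenerate the rules from the live list rather than pasting it once; the same ranges also feed a host firewall if the hosting plan exposes one.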

