Yea, makes sense. They've probably got some of the DNS scanning stuff I was mentioning. Perhaps what I saw above is merely propagation delay (of them disabling serving the cert since DNS changed) and not a misconfiguration/bug, the behavior of serving a valid cert of a different customer is odd though

Thanks

The .ml domain isn't in the certificate anymore. Scan again.

They did something on their end? I still just got it once: * ALPN: server accepted h2 * Server certificate: * subject: CN=152i.ml * start date: Feb 23 06:26:59 2023 GMT * expire date: May 24 06:26:58 2023 GMT * subjectAltName does not match forum.rydercragie.com * SSL: no alternative certificate subject name matches target host name 'forum.rydercragie.com'

tbh it's too fast to be something like DNS Scanning, it shouldn't instantly error out the second you turn on proxy. I assume they have some other weird behavior or something else going on, not sure but I suppose the end result is the same eitherway

I did a ctrl + f on here and typed ".ml". No matches. It was listed on the below site before, so yes they must have changed something (automated I imagine). https://www.sslshopper.com/ssl-checker.html#hostname=forum.rydercragie.com

Don't know how to use curl.

It's not on 100% of requests, I get it on every 10th or so request now, before it seemed to occur more

Interesting

Though we are going off topic as it's now unrelated to cloudflare.

If I refresh your website enough, I get the same error on it: (If you want to test this, make sure you hard refresh shift+f5)

Yea true, off topic now. This is the same thing that stops Full Strict from working though, Full would accept a cert from 152i.ml, Full Strict wouldn't.

Is HSTS affecting it do you think?

No

I can't imagine that being the case.

All HSTS does is force all connections to https

This is origin server randomly serving the wrong certificate type issue

I'll mention it to them.

I would specifically mention that domain (152i.ml) and include a screenshot. There's no valid reason I can think of to serve another customer's cert outside of some error on their end

I'd still say that's secure though.

In terms of threats.

please ignore first picture , i have cloud and protection which is the wildcard for all servers under the domain that is giving a OTP for emails

Its throwing this error after i set these rules

that's interesting. seeing as no egress charges. and the font rsms is storing is 300KB. meaning cache 10TB is fine, because cache reserve has the 300kb file in it?

lool

just close your eyes nyaan

nvm it workie now

i guess it had to do some changes on the backend