# general-discussions
  • r

    Ryder Cragie

    04/06/2023, 1:01 AM
    It's revoked the certificate.
  • r

    Ryder Cragie

    04/06/2023, 1:01 AM
    Oh. Wait.
  • r

    Ryder Cragie

    04/06/2023, 1:02 AM
    It'll be regenerating it.
  • r

    Ryder Cragie

    04/06/2023, 1:02 AM
    I'll leave it and we can check tomorrow.
  • c

    Chaika

    04/06/2023, 1:02 AM
    That's probably what happened before then, if they revoke certs when they no longer detect you pointing at them
  • r

    Ryder Cragie

    04/06/2023, 1:02 AM
    There's no reason it would do that other than a DNS change.
  • r

    Ryder Cragie

    04/06/2023, 1:02 AM
    It's because I've changed it back.
  • r

    Ryder Cragie

    04/06/2023, 1:03 AM
    Just now to DNS only.
  • c

    Chaika

    04/06/2023, 1:03 AM
    Some providers do get upset about you not pointing at them
  • w

    we was young

    04/06/2023, 1:03 AM
    how do I make my anti flood more aggressive I'd like to challenge every user with turnstile if possible
  • r

    Ryder Cragie

    04/06/2023, 1:03 AM
    Will leave it and you can check the validity soon. They said it takes them about 20 minutes.
  • r

    Ryder Cragie

    04/06/2023, 1:04 AM
    Trust me - it's trusted. Not making it up lol.
  • c

    Chaika

    04/06/2023, 1:04 AM
    Yea, I see the Let's Encrypt cert now. I'm guessing this is the same reason why Full (Strict) fails, they have something that sees you no longer targeting them and stops serving the cert, or something weird
  • r

    Ryder Cragie

    04/06/2023, 1:04 AM
    That would make somewhat sense.
  • c

    Cyb3r-Jok3

    04/06/2023, 1:04 AM
    You can make a firewall rule that covers the hostnames and force an interactive challenge
  • c

    Chaika

    04/06/2023, 1:05 AM
    If the set up had no issues, the second you disabled DNS Proxy, you shouldn't be able to see any certificate errors, you should just be able to see the certificate normally. It's not "normal" for that not to be the case, something's definitely up
  • r

    Ryder Cragie

    04/06/2023, 1:05 AM
    Working now. So I'll proxy it with full strict.
  • c

    Chaika

    04/06/2023, 1:06 AM
    and it's dead, invalid cert
  • r

    Ryder Cragie

    04/06/2023, 1:06 AM
    So that's why I need this rule.
  • r

    Ryder Cragie

    04/06/2023, 1:06 AM
    Maybe I'm better not proxying it then?
  • r

    Ryder Cragie

    04/06/2023, 1:08 AM
    It's either an invalid cert covered by cloudflare valid cert, or just have the valid cert from the provider and no cloudflare. Please advise.
  • c

    Chaika

    04/06/2023, 1:09 AM
    Some providers just don't work with proxy enabled. They are edge cases, but they get upset when they detect the DNS Records aren't pointing at them.
  • c

    Chaika

    04/06/2023, 1:09 AM
    They've got their own CDN/it's a managed service, only thing that you lose out on is the ability to use rules and other CF stuff to modify it
  • r

    Ryder Cragie

    04/06/2023, 1:10 AM
    So unproxy as opposed to proxy it with "Full" then?
  • r

    Ryder Cragie

    04/06/2023, 1:10 AM
    Let's think in terms of security.
  • c

    Chaika

    04/06/2023, 1:11 AM
    I would say so, yes. "Full" is fake security
  • r

    Ryder Cragie

    04/06/2023, 1:12 AM
    Done
  • c

    Chaika

    04/06/2023, 1:12 AM
    I was just testing via curl, overriding the IP it resolves to, curl --resolve forum.rydercragie.com:443:144.202.9.22 https://forum.rydercragie.com/ -vvv -o nul Some of the responses I get contain the right cert
    * SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
    * ALPN: server accepted h2
    * Server certificate:
    *  subject: CN=forum.rydercragie.com
    *  start date: Apr  5 17:57:30 2023 GMT
    *  expire date: Jul  4 17:57:29 2023 GMT
    *  subjectAltName: host "forum.rydercragie.com" matched cert's "forum.rydercragie.com"
    *  issuer: C=US; O=Let's Encrypt; CN=R3
    *  SSL certificate verify ok.
    } [5 bytes data]
    Some don't
    * Server certificate:
    *  subject: CN=152i.ml
    *  start date: Feb 23 06:26:59 2023 GMT
    *  expire date: May 24 06:26:58 2023 GMT
    *  subjectAltName does not match forum.rydercragie.com
    * SSL: no alternative certificate subject name matches target host name 'forum.rydercragie.com'
    It almost seems like some misconfiguration on their end with a specific server serving an invalid cert, especially when it's the valid cert of another customer
  • r

    Ryder Cragie

    04/06/2023, 1:13 AM
    They suggest using unproxied. They've just said proxy will break it.
  • r

    Ryder Cragie

    04/06/2023, 1:13 AM
    Plus my domain is HSTS preloaded.