I’ve been wrestling with a puzzling issue for the past few hours and could really use some fresh eyes on it. I’ve been trying to get an SSL certificate for my subdomain, but despite going through various documentation and making adjustments, I’m still encountering errors.
Here’s the rundown:
I’ve ensured that my main domain is signed perfectly, so that shouldn’t be the issue.
I’ve checked and rechecked my Cloudflare DNS records, and they seem to be in order. I’ve attached a screenshot for reference.
The subdomain appears to be somewhat signed now, but when I attempt to access the Hestia control panel with SSL at subdomain.domain.com:8083/, I’m facing difficulties. Chrome throws an error, which I’ve also attached for clarity.
I’ve reached a bit of an impasse here. I’m starting to suspect that there might be something off with my Cloudflare entry, but I’ve exhausted all the resources and solutions I could find or think of.
If anyone has any insights or suggestions, I would greatly appreciate them. Perhaps there’s something obvious I’m overlooking, or maybe someone has encountered a similar issue in the past and found a solution.
What is that even supposed to mean? Are you referring to DNSSEC? Anyway, onwards to the glaring issues shown in your screenshots.
You cannot use port 8083 with the Cloudflare proxy.
You appear to have tried to solve that by attempting to connect directly to your HestiaCP server using a DNS Only hostname. Based on the error shown in Chrome, you are presumably using Cloudflare Origin CA certificates to secure the connection between Cloudflare and your origin server. That is good, but the Cloudflare Origin CA is not trusted by browsers. It is only trusted by the Cloudflare proxy. This means that you have broken it by turning off the Cloudflare proxy on that hostname.
There are two easy ways to get this working securely and neither requires much effort. You will need to switch your hostname back to proxied with either method. If you just want to connect to https://vps.example.com/ you can use an Origin Rule at Cloudflare to direct that hostname to connect on port 8083.
The other option is to update your HestiaCP configuration to listen on a port that Cloudflare will proxy, such as 2083.
v-change-sys-port 2083
If you plan on using any of the mail related hostnames (other than webmail) shown, you need to ensure that they are set to DNS Only. The same applies to the ftp hostname and any that you plan to use with any protocol other than HTTP and HTTPS on supported ports.
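The reply above separates two distinct failures: a port the Cloudflare proxy will not forward, and an origin certificate that only the proxy trusts. The following script is an added example for this thread, not code from the poster, from HestiaCP or from Cloudflare. It uses only the Python standard library. The HTTPS port list is the one in Cloudflare's public documentation; the issuer check is an assumption that the Origin CA's issuer carries "CloudFlare" in its organisation and "Origin" in its common name; the default target vps.example.com is the placeholder hostname used in the reply.

```python
"""Diagnose an HTTPS failure for a hostname behind Cloudflare.

Added example for this thread; not code from the poster, HestiaCP or Cloudflare.
It reports whether the port is one the Cloudflare proxy forwards and whether
the certificate chain is trusted the way a browser would judge it.
"""
import socket
import ssl

# Ports the Cloudflare proxy forwards for HTTPS on a proxied hostname
# (from Cloudflare's public documentation).
CLOUDFLARE_HTTPS_PORTS = frozenset({443, 2053, 2083, 2087, 2096, 8443})
UNTRUSTED = "untrusted_issuer"
MISMATCH = "hostname_mismatch"
VERIFIED = "verified"


def cloudflare_proxies_https_port(port: int) -> bool:
    """True when a proxied (orange-cloud) hostname can serve HTTPS on this port."""
    return port in CLOUDFLARE_HTTPS_PORTS


def issuer_is_cloudflare_origin_ca(issuer) -> bool:
    """Heuristic for a Cloudflare Origin CA issuer.

    Assumption: the issuer's organizationName contains 'CloudFlare' and its
    commonName contains 'Origin'. `issuer` has the shape returned by
    ssl.SSLSocket.getpeercert()['issuer']: a tuple of RDNs, each a tuple of
    (attribute, value) pairs.
    """
    fields = {attr: value for rdn in issuer for attr, value in rdn}
    org = fields.get("organizationName", "").lower()
    cn = fields.get("commonName", "").lower()
    return "cloudflare" in org and "origin" in cn


def classify_verify_message(message: str) -> str:
    """Map an OpenSSL verification error string to a coarse status."""
    text = message.lower()
    if "local issuer" in text or ("self" in text and "signed" in text):
        return UNTRUSTED  # chain does not end in a root the client trusts
    if "hostname mismatch" in text:
        return MISMATCH
    return "error:" + message


def probe_tls(host: str, port: int, timeout: float = 5.0):
    """Connect using the system trust store, as a browser would.

    Returns (status, issuer). The issuer is only available when verification
    succeeds, because Python does not expose the parsed certificate on a
    connection whose chain failed verification.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return VERIFIED, tls.getpeercert()["issuer"]
    except ssl.SSLCertVerificationError as exc:
        return classify_verify_message(exc.verify_message), None
    except (OSError, ssl.SSLError) as exc:
        return "error:" + str(exc), None


def recommend(port: int, status: str) -> list:
    """Turn the findings into the two fixes the reply describes."""
    advice = []
    if status == UNTRUSTED:
        advice.append("Issuer is not browser-trusted (typical for a Cloudflare "
                      "Origin CA certificate on a DNS Only hostname): set the "
                      "record back to Proxied so Cloudflare terminates TLS.")
    if not cloudflare_proxies_https_port(port):
        advice.append(f"Port {port} is not proxied by Cloudflare: add an Origin "
                      f"Rule that rewrites the destination port to {port}, or "
                      "move the panel to a proxied port (v-change-sys-port 2083).")
    return advice


def diagnose(host: str, port: int) -> dict:
    """Full report for one host:port, suitable for printing as JSON."""
    status, issuer = probe_tls(host, port)
    return {
        "host": host,
        "port": port,
        "port_proxyable": cloudflare_proxies_https_port(port),
        "tls": status,
        "origin_ca": issuer_is_cloudflare_origin_ca(issuer) if issuer else None,
        "advice": recommend(port, status),
    }


if __name__ == "__main__":
    import json
    import sys
    # Placeholder target from the reply; pass your own hostname and port.
    target = sys.argv[1] if len(sys.argv) > 1 else "vps.example.com"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 8083
    print(json.dumps(diagnose(target, target_port), indent=2))
```

Run it as `python3 diagnose.py subdomain.domain.com 8083`. On the setup in this thread it reports `port_proxyable: false` and, while the record is DNS Only, `tls: untrusted_issuer`; after switching the record back to Proxied and either adding the Origin Rule or moving the panel to 2083, it reports `tls: verified` with the public edge certificate's issuer.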