The message “The change you wanted was rejected” was generated while a user was trying to register for a dance event via website www.wcslux.com. The app is developed in Ruby on Rails, deployed on Heroku. The website is using Cloudflare to handle SSL on the custom domain www.wcslux.com.
What steps have you taken to resolve the issue?
checked the logs on Heroku
The Production.rb file specifies that config.force_ssl = false given that we are using Cloudflare to handle SSL on the WCSLUX domain. We kept the config.force_ssl set to false:
config.force_ssl = false
submitting a registration via the form on Heroku instead of the custom domain WCSLUX works perfectly fine.
Why does the error message appear when I submit a registration via the custom domain WCSLUX?
checked the Always Use Https parameter in Cloudflare
checked the SSL/TLS encryption mode in Cloudflare. It is set to Flexible.
I have also tried to change the SSL/TLS encryption mode in Cloudflare from Flexible to Full and next to Full (strict)… Unfortunately, when I launch the website an “SSL handshake failed” message appears with error 525.
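Added example, not code from this thread, from Rails or from Heroku: a plain-Ruby re-implementation of the two Rails checks that are relevant to the symptoms above, fed with constructed request headers. The mechanism it illustrates is my inference, not something the thread states: in Flexible mode Cloudflare connects to the origin over plain HTTP, so the Heroku router reports X-Forwarded-Proto: http, the app computes its base URL as http://www.wcslux.com, and the browser's Origin header (https://www.wcslux.com) no longer matches, which is what Rails' forgery-protection origin check rejects with the 422 page "The change you wanted was rejected". The host names are taken from the thread; the herokuapp.com host is a placeholder.

```ruby
# Added example (not code from the thread, Rails, Heroku or Cloudflare).
# Assumption: the Heroku router sets X-Forwarded-Proto to the scheme on
# which it received the request, as documented for Heroku; the Rails
# helpers below are simplified re-implementations, not Rails' own code.

# Constructed sample of what the origin app sees after the proxy chain.
# cf_mode is :flexible (Cloudflare -> origin over HTTP) or :full_strict
# (Cloudflare -> origin over HTTPS).
def origin_env(cf_mode, host: "www.wcslux.com", origin: "https://www.wcslux.com")
  edge_to_origin_scheme = cf_mode == :flexible ? "http" : "https"
  {
    "HTTP_HOST" => host,
    "HTTP_X_FORWARDED_PROTO" => edge_to_origin_scheme,
    # Sent by the browser on the form POST; always the public HTTPS URL.
    "HTTP_ORIGIN" => origin,
  }
end

# Mirrors Rack::Request#scheme: trust X-Forwarded-Proto from the proxy.
def request_scheme(env)
  env.fetch("HTTP_X_FORWARDED_PROTO", "http").split(",").first.strip
end

def base_url(env)
  "#{request_scheme(env)}://#{env['HTTP_HOST']}"
end

# Mirrors Rails' forgery_protection_origin_check (on by default in new
# Rails 5+ apps): the Origin header must equal the app's own base URL.
def valid_request_origin?(env)
  origin = env["HTTP_ORIGIN"]
  origin.nil? || origin == base_url(env)
end

# What config.force_ssl = true would do: redirect any request the app does
# not see as HTTPS. Under Flexible mode every request looks like HTTP, so
# enabling it there would redirect forever.
def force_ssl_redirect?(env, force_ssl:)
  force_ssl && request_scheme(env) != "https"
end

def simulate(cf_mode, force_ssl: false, **host_opts)
  env = origin_env(cf_mode, **host_opts)
  {
    base_url: base_url(env),
    origin_ok: valid_request_origin?(env),
    redirect_loop: force_ssl_redirect?(env, force_ssl: force_ssl),
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "Flexible:      #{simulate(:flexible).inspect}"
  puts "Full (strict): #{simulate(:full_strict).inspect}"
  # Placeholder host: a form posted directly to the Heroku domain over HTTPS.
  puts "Direct Heroku: #{simulate(:full_strict, host: 'example-app.herokuapp.com',
                                  origin: 'https://example-app.herokuapp.com').inspect}"
end
```

Running it shows that only the Flexible case produces an Origin mismatch, which matches the report that the same form works when posted to the Heroku domain directly, and that switching to Full (strict) fixes the rejection without touching config.force_ssl.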
You should never use that setting. It always leads to an insecure site. It also misleads visitors into believing that their connection is secure when it really isn’t.
You need to fix your origin certificate. It is best to pause Cloudflare or set the affected hostnames to DNS Only while you do so.
This option can affect the ACME HTTP-01 challenges used to renew origin certificates. The following settings can help prevent that disruption.
Thank you!
I have activated the Automated Certificate Management for my app in Heroku.
I have set the encryption mode to “Full (Strict)” as recommended.
This makes my app work. However:
I would like to understand your recommendation regarding the ACME HTTP-01 challenges.
According to you, I should setup a specific Cache rule and a specific Configuration rule, right?
I have created both rules, the cache and the configuration rules and it worked.
I would like to have some high-level background information to really understand the purpose of these 2 rules.
You are forcing that path to be requested over HTTP and you are preventing caching and security settings from interrupting the ACME challenge. Depending on other settings or rules that you employ in Cloudflare, you may need to make further adjustments. For example, if you use geo-blocking, you should exempt that path from such restrictions.