This is unfortunately something we can’t do something about. Nameservers responsible for archive.is (ben.archive.is, anna.archive.is) are returning answers tailored to the IP address of the requestor. They return the 54.36.225.114 when asked from my residential address:
Unfortunately, they are telling people to just use Googles dns instead, blaming the issue on CF.
it is because of 1.1.1.1
try 8.8.8.8
On 5/31/18, Taubin <me@myemail> wrote:
> When attempting to use your site from New Zealand, I am receiving the
> following error:
>
> An error occurred during a connection to archive.is. Cannot communicate
>> securely with peer: no common encryption algorithm(s). Error code:
>> SSL_ERROR_NO_CYPHER_OVERLAP
>>
>> The page you are trying to view cannot be shown because the
>> authenticity of the received data could not be verified.
>> Please contact the website owners to inform them of this problem.
>>
>
> This happens when attempting to use archive.is or archive.today
>
> If I use archive.fo it works just fine.
>
> This seems to be an issue with your cdn:
>
> taubin@Taubin-Desktop /mnt/c/Users/taubi ->
> 05:56 PM Thu May 31$ nslookup archive.is
> Server: 1.1.1.1
> Address: 1.1.1.1#53
>
> Non-authoritative answer:
> archive.is canonical name = cdn-wo-ecs.archive.is.
> Name: cdn-wo-ecs.archive.is
> Address: 104.27.170.40
> Name: cdn-wo-ecs.archive.is
> Address: 104.27.171.40
>
> Cheers
Here’s the output from a +trace dig from our New Zealand datacenter:
$ dig +trace archive.is
; <<>> DiG 9.9.5-9 <<>> +trace archive.is
;; global options: +cmd
. 511617 IN NS l.root-servers.net.
. 511617 IN NS m.root-servers.net.
. 511617 IN NS a.root-servers.net.
. 511617 IN NS b.root-servers.net.
. 511617 IN NS c.root-servers.net.
. 511617 IN NS d.root-servers.net.
. 511617 IN NS e.root-servers.net.
. 511617 IN NS f.root-servers.net.
. 511617 IN NS g.root-servers.net.
. 511617 IN NS h.root-servers.net.
. 511617 IN NS i.root-servers.net.
. 511617 IN NS j.root-servers.net.
. 511617 IN NS k.root-servers.net.
. 511617 IN RRSIG NS 8 0 518400 20180614000000 20180531230000 39570 . nsM7OHweHq87y7CkIi1RGawuHXyt+hpVWQ8mt8IYsRHGr50b1Q1tLEKP 0DGYq+wWtBQ8jcuDi4FYNB5NV2b05NbU8mBcnDqhfUveCVCYTR/z/wfW XBH1qOYnJOJVlniBCLl2p47dKQ6R6f78J7LNs37nQBmP4r/uA4KkM9vY kbk+trjEQ5KWmdiLe2kUyA7ejymZGDJCI3zKap2/1wBAdGCfb2gA0GOh 6X3hQJiPZTw7js3HVXbfuFOxdrPd0+g/jFAkDAjuymc/CsDNi/vPXGeS U4I1SRuhVcWvfv0c6OG5uw15uaWL1Jp+boctmiYb1vI7OqTzMGL3IsAI 4hsu3w==
;; Received 525 bytes from 127.0.0.11#53(127.0.0.11) in 4 ms
is. 172800 IN NS sab.isnic.is.
is. 172800 IN NS isgate.is.
is. 172800 IN NS durinn.rhnet.is.
is. 172800 IN NS sns-pb.isc.org.
is. 172800 IN NS bes.isnic.is.
is. 172800 IN NS sunic.sunet.se.
is. 86400 IN DS 26726 8 2 6984FEF569CFDB2CE00AFC62B5763AD50306EB0D4816A7C6CF921BF6 6B12245A
is. 86400 IN RRSIG DS 8 1 86400 20180614050000 20180601040000 39570 . rz3fqinFgKxiJRz/AuZA1sazohsF+G4UMf0Dib1SdDsS+JIWbNEGR66R 6JgIH0bvlCLBK0CgXXkhzEAINxRTvO67s0r09oHnOA0gB/qucmSbPjlm OOHnwsqdzJI93oxqXKG7fM23OEqHBNHJPG57gMNlKmzF9WqeIaOOsMs7 X1adFGlx/XHQiKPr74RDEmf3fScH/buXDvyhXOnNya9VpRcDSzwhrSpx RqEXv/IXDiG4nYfsAh2dSS9vBGpxMnbX5ZLLI8S++HnwZlqLefvGZsac 9yTHGhmIW5wm6Wro0jUisjCrxndz7XH0mHkyELWsjISZ+TYIiuXoRZDC csp1uw==
;; Received 784 bytes from 202.12.27.33#53(m.root-servers.net) in 153 ms
archive.is. 86400 IN NS anna.archive.is.
archive.is. 86400 IN NS ben.archive.is.
a8nkvoortd3hr2k4mtpgmp7mjqqdam0r.is. 1800 IN NSEC3 1 0 5 7FC1C26569C764AA A8O5LJ9J3KJPEPTQDJJ816PCNAHVMTFS NS
a8nkvoortd3hr2k4mtpgmp7mjqqdam0r.is. 1800 IN RRSIG NSEC3 8 2 1800 20180621174110 20180531121004 41074 is. e3W7UNZEzFsIKkHFmBJpO8+1X4DOpD4vNJanHPr3ISGGAdgYUBFn32QU vrIUxkSZyxJtWayAhlhc3POnJUAWWMU7moajIaPPhFxv+C8L46JxGzxh KJ45wr91p797A/ymLs8MB2AG6mX9VW6ZEujaYo5hLGfi6pWXI3y0z8v6 T8s=
;; Received 352 bytes from 193.4.58.51#53(isgate.is) in 295 ms
archive.is. 300 IN CNAME cdn-wo-ecs.archive.is.
archive.is. 86400 IN NS anna.archive.is.
archive.is. 86400 IN NS ben.archive.is.
;; Received 178 bytes from 188.166.106.79#53(anna.archive.is) in 272 ms
Compare with a DigitalOcean instance:
# dig +trace archive.is
; <<>> DiG 9.9.5-9+deb8u15-Debian <<>> +trace archive.is
;; global options: +cmd
. 84312 IN NS i.root-servers.net.
. 84312 IN NS e.root-servers.net.
. 84312 IN NS m.root-servers.net.
. 84312 IN NS a.root-servers.net.
. 84312 IN NS c.root-servers.net.
. 84312 IN NS k.root-servers.net.
. 84312 IN NS d.root-servers.net.
. 84312 IN NS j.root-servers.net.
. 84312 IN NS f.root-servers.net.
. 84312 IN NS b.root-servers.net.
. 84312 IN NS h.root-servers.net.
. 84312 IN NS l.root-servers.net.
. 84312 IN NS g.root-servers.net.
. 84312 IN RRSIG NS 8 0 518400 20180614050000 20180601040000 39570 . e5YS6umv7yG1juVdLW0FFXLA48qCS1b+xBCmTt5+1KYVsx+j6mPGAHAh Pa3Bx7DWSa+N7kyLbrqkptwr/yhEeE6l5HbhLRQR3zzmvQdnOfcBQbKz jdvXaWfm3+MASt+IaWjtj+KSV0Yf1AD/Jvwex8PtboWIovoCvUCafDbk 5BWz66mWn+L2sr/sdn+E9HZsUQEzkYwbsqxcciGWhLCnmSwzZHAOe6D1 TFNfQU01foEe/WL+BZ4xcVGk+RxE/uGRefOs9c4OvWCRq9Ac7li8SqEa J5rgSVG9drhG4NcWDsDVmlliWlILs8/wqoEsMVz2dRiMO2Vwe9v5hmr1 2rD/6w==
;; Received 525 bytes from 67.207.67.2#53(67.207.67.2) in 12 ms
is. 172800 IN NS bes.isnic.is.
is. 172800 IN NS sab.isnic.is.
is. 172800 IN NS sunic.sunet.se.
is. 172800 IN NS durinn.rhnet.is.
is. 172800 IN NS isgate.is.
is. 172800 IN NS sns-pb.isc.org.
is. 86400 IN DS 26726 8 2 6984FEF569CFDB2CE00AFC62B5763AD50306EB0D4816A7C6CF921BF6 6B12245A
is. 86400 IN RRSIG DS 8 1 86400 20180614050000 20180601040000 39570 . rz3fqinFgKxiJRz/AuZA1sazohsF+G4UMf0Dib1SdDsS+JIWbNEGR66R 6JgIH0bvlCLBK0CgXXkhzEAINxRTvO67s0r09oHnOA0gB/qucmSbPjlm OOHnwsqdzJI93oxqXKG7fM23OEqHBNHJPG57gMNlKmzF9WqeIaOOsMs7 X1adFGlx/XHQiKPr74RDEmf3fScH/buXDvyhXOnNya9VpRcDSzwhrSpx RqEXv/IXDiG4nYfsAh2dSS9vBGpxMnbX5ZLLI8S++HnwZlqLefvGZsac 9yTHGhmIW5wm6Wro0jUisjCrxndz7XH0mHkyELWsjISZ+TYIiuXoRZDC csp1uw==
;; Received 784 bytes from 199.7.91.13#53(d.root-servers.net) in 2024 ms
archive.is. 86400 IN NS anna.archive.is.
archive.is. 86400 IN NS ben.archive.is.
a8nkvoortd3hr2k4mtpgmp7mjqqdam0r.is. 1800 IN NSEC3 1 0 5 7FC1C26569C764AA A8O5LJ9J3KJPEPTQDJJ816PCNAHVMTFS NS
a8nkvoortd3hr2k4mtpgmp7mjqqdam0r.is. 1800 IN RRSIG NSEC3 8 2 1800 20180621174110 20180531121004 41074 is. e3W7UNZEzFsIKkHFmBJpO8+1X4DOpD4vNJanHPr3ISGGAdgYUBFn32QU vrIUxkSZyxJtWayAhlhc3POnJUAWWMU7moajIaPPhFxv+C8L46JxGzxh KJ45wr91p797A/ymLs8MB2AG6mX9VW6ZEujaYo5hLGfi6pWXI3y0z8v6 T8s=
;; Received 352 bytes from 2a00:c88:10:16::20#53(durinn.rhnet.is) in 492 ms
archive.is. 300 IN A 213.136.87.217
archive.is. 86400 IN NS anna.archive.is.
archive.is. 86400 IN NS ben.archive.is.
;; Received 169 bytes from 2a03:b0c0:2:d0::574:2001#53(anna.archive.is) in 152 ms
You can see that the result returned from anna.archive.is is different, depending on the source IP.
When archive.is’ nameservers are queried from a Cloudflare IP, they return a CNAME entry to cdn-wo-ecs.archive.is. This is the result you see when using our resolvers, which causes the incompatibility between 1.1.1.1 and archive.is.
You can further verify by visiting this third-party website, and seeing the different IP addresses returned by archive.is’ nameservers, depending on the network you’re coming in from.
The fix has to come from the operators of archive.is’ nameservers, namely, them.
Edit: realistically, they just have to fix cdn-wo-ecs.archive.is to resolve to something usable.
Thank you for that, I figured it was on their end, as I didn’t have the issue from any of my servers. I’ll use my vpn while routing to them. Strangely it only happens on 1.1.1.1, none of the other dns servers I’ve tried.
Yes, I’ve seen that as well. Using Google’s DNS does “solve” the problem. However the problem is not caused by Cloudflare and it doesn’t appear that the team responsible for their systems has the desire/ ability to resolve their issues.
It’s an unfortunate reality; if you were using an in-house forwarder you could specify a different resolver for their misconfigured domain…