Argo Tunnel Migration - ERR_SSL_PROTOCOL_ERROR

I’ve been using Cloudflare Tunnel for several months without any major issues or problems. I installed local Cloudflared service on my network and manually configured the YAML config file. The service seemed stable and access to my resources has been fine. All resources are behind SSL. Certs issued by Letsencrypt for my HTTPS services. Proxied by Cloudflare as can be viewed under the domain DNS settings in the Cloudflare portal.

I recently migrated the cloudflared config to my Cloudflare portal, as per the recommendation. This isn’t the first time I’ve done this, and the first time was a success. However, for this particular domain I am experiencing issues. I can no longer access my resources from the internet and all HTTPS URLs produce the same error from multiple web browsers.

** sent an invalid response. **
ERR_SSL_PROTOCOL_ERROR

I have looked at several other help topics but none of them help in my situation as they typically are not specifically related to Argo Tunnels. It also seems difficult to troubleshoot as I cannot disable Cloudflare Proxying because the tunnel service needs that enabled.
I have tested my services locally and can confirm the SSL certs are all still valid.
The only change I am aware of is the migration of the tunnel configuration management from local cloudflared YAML files to the Cloudflare portal.

The only way I could resolve this issue was to subscribe to the $10 per month advanced certificate service. Immediately resolved my issue.

So the issue is resolved?

The workaround for a Universal certificate stuff with the ‘deleted’ status is to pay for the advanced certificate service ($10 p/m). I don’t actually need the advanced features so it would be nice if the Universal cert would renew properly.

I don’t quite understand - why has the paid service resolved this for you? I seem to be having a very similar issue…

Nevermind, its because of the reason I mention here:

Free accounts only get a Universal Certificate which only covers *.domain.tld, so if you’re trying to publish deep.sub.domain.tld you won’t get a valid cert at Cloudflare, and hence the cert errors.