CF not assigning Certs?

Hi.

I had a browse for this issue on the forums and found many posts but no solutions.
We have an IIS server for staging using Lets Encrypt Certs.
This has been working fine until the past week or 2 when suddenly some sites started throwing the error “ERR_SSL_VERSION_OR_CIPHER_MISMATCH”

I noticed when loading the https site that it does not show a certificate so I disabled Universal certs, and 20 min or so later re-enabled them again but alas no change.

We use Full Encryption but not strict. The web server has TLS 1.0 & 1.1 disabled as per best practice, and CF set to accept TLS 1.2 as minimum, so I assumed that allows the ciphers to work both ways on the same protocols.

I tried disabling TLS 1.3 from CF end and again no luck.
Site works fine without proxy, but I do not like exposing the server externally, especially due to not trusting web developers with security.

Anyone have the slightest clue what the issue could be?
Just to note.

1 of the sites on the same server using LetsEncrypt works fine.
It's throwing me off.

> That's not so good. Switch to “strict”.

To switch I need a change request as there are prod sites on the domain. But I do agree that strict is better. (It caused an issue with sites for reasons I do not recall, so would need to investigate.)
It'd be a nice feature actually if we could enable strict per site instead of all. Feature request idea.
Anyway. That's off topic. I'll move on.

> What is the full URL? And post a screenshot of https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates

https://staging.ecommerce.hondamotorbikes.co.nz/

If I turn off proxy, the site loads with the cert loaded on server.
If I turn proxy on I get the site loading showing no cert, and the error “ERR_SSL_VERSION_OR_CIPHER_MISMATCH”.

> What is the full URL? And post a screenshot.

https:// (Removed by author)

EDIT: Removed pic & url as no longer required…

Totally agree with strict on. Web Devs do not.
Perhaps one day I will get the better ear from management to talk to. (I raised various concerns but nothing much came of it.)

Site with proxy off works fine with cert as I knew it would.
But the error today with proxy on appears to be different.

ERR_CONNECTION_RESET

I’ll go check audit logs to see if I made a change without realizing.
Bit unexpected.

EDIT: never mind. On Chrome issue persists. On MS Edge Chromium it throws a different error.

I’m shocked it actually worked at all. Your Universal cert only covers example.co.nz, and *.example.co.nz. But not *.*.example.co.nz, which is what you would need in order to cover staging.ecommerce.example.co.nz.
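The one-label wildcard rule behind that answer, as an added example (not code from the thread or from Cloudflare). It implements the RFC 6125 matching that browsers apply to a certificate's SAN list; the SAN list is constructed to mirror what a Universal certificate for the zone carries, and `example.co.nz` stands in for the real domain as in the reply above.

```python
"""Check whether a hostname is covered by a certificate's subject alternative names.

Added example, not from the thread. A wildcard SAN such as ``*.example.co.nz``
matches exactly one DNS label, so it covers ``staging.example.co.nz`` but not
``staging.ecommerce.example.co.nz``.
"""

# Constructed SAN list, mirroring what a Cloudflare Universal certificate for
# the zone carries: the apex and a single-level wildcard.
UNIVERSAL_SANS = ("example.co.nz", "*.example.co.nz")


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if `pattern` (one DNS SAN entry) covers `hostname`.

    - comparison is case-insensitive and ignores a trailing dot;
    - an exact name must match the whole hostname;
    - a wildcard is only honoured as the entire leftmost label ("*.")
      and must absorb exactly one label, never zero and never several.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                     # ".example.co.nz"
    if not hostname.endswith(suffix):
        return False
    absorbed = hostname[: -len(suffix)]      # what the "*" would have to cover
    # Exactly one non-empty label: no dots allowed in the absorbed part.
    return bool(absorbed) and "." not in absorbed


def covered_by(hostname: str, sans=UNIVERSAL_SANS) -> bool:
    """True if any SAN entry in `sans` covers `hostname`."""
    return any(san_matches(san, hostname) for san in sans)


def explain(hostname: str, sans=UNIVERSAL_SANS) -> str:
    """Diagnosis string matching what the browser effectively decides."""
    if covered_by(hostname, sans):
        return f"{hostname}: covered by {sans}"
    return (f"{hostname}: NOT covered; the certificate needs an explicit SAN "
            f"for it or a wildcard one level deeper (e.g. *.ecommerce.{sans[0]})")


if __name__ == "__main__":
    for host in ("example.co.nz", "staging.example.co.nz",
                 "staging.ecommerce.example.co.nz"):
        print(explain(host))
```

Running it shows the first two hostnames covered and the three-level staging name rejected, which is why the proxied site never presents a usable certificate.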


omg why did I not see that. Facepalming right now for that oversight.

I think you are 100% correct. I’ll go sort that out.
The devs recently changed the DNS from staging to staging.ecommerce.

Thanks for the info.

