I noticed that images from cdn.mytvcalendar.com were not displaying. After further investigation I found that under Edge Certificates there were no certificates displaying.
I’ve since disabled Universal SSL, left it for a while, then enabled it again. This has kicked Cloudflare into displaying a certificate, which was showing as expired. It has since got through to pending validation.
This is where it gets a bit strange, I use Let’s Encrypt locally on my webserver. With Cloudflare managing the DNS my webserver could not manage the acme challenge locally, to get around this I would add an NS record on Cloudflare called _acme-challenge which then pointed to my server which in turn would handle the TXT record change which worked perfectly.
I believe my domain is stuck in pending validation because the _acme-challenge record already exists but is not a TXT record, so it cannot modify it. As an attempt at a short-term fix, I have deleted the NS record and added in the TXT record with the correct value.
But what do I do long term? Previously this has worked without any problems, so I am wondering if something has changed on the Cloudflare side recently? I’m concerned as another site that is also on Cloudflare has a certificate due to expire next month, and it will cause a world of pain should this issue occur again.
If you are delegating _acme-challenge then Cloudflare’s attempts to renew the edge SSL certificate will fail since Cloudflare creates records that the CA won’t be able to resolve as they will go to your server.
If HTTP-01 requests don’t reach your origin when renewing origin certificates, check that the HTTP request can reach your origin or see your Cloudflare security event log to see if they are blocked… https://dash.cloudflare.com/?to=/:account/:zone/security/events
Alternatively, use DNS-01 - certbot has a plugin to automate the creation of the required TXT records in your Cloudflare DNS so you can just run it and it does everything.
Or, dispense with this altogether and use a Cloudflare origin certificate, valid for up to 15 years. It requires use of the proxy, but if that’s always in place it’s an easy solution.
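To make the delegation conflict in the reply above concrete, here is an added example that is not part of the original thread: a small Python model of how a CA's resolver walks a DNS delegation. It shows that once `_acme-challenge.<zone>` carries an NS record, any TXT record sitting in the Cloudflare zone at that same name is never returned to a validator, because the zone cut takes precedence and the query is referred to the delegated server. All zone data, hostnames and tokens are constructed for the illustration; the third scenario models the certbot-plugin route where both tokens live in the Cloudflare zone.

```python
"""Added example, not from the original thread: a minimal model of DNS
delegation to show why an NS record at _acme-challenge.<zone> hides the
TXT record Cloudflare adds for its own edge-certificate validation.
Zone contents, hostnames and tokens are constructed for illustration."""
from dataclasses import dataclass

ZONE = "example.com"                      # constructed stand-in for the real zone
CHALLENGE = f"_acme-challenge.{ZONE}"
CF_NS = "ns1.cloudflare.example"          # constructed Cloudflare nameserver name
ORIGIN_NS = "acme.origin.example"         # constructed name of the poster's own server
CF_TOKEN = "cf-edge-validation-token"     # constructed: what Cloudflare would publish
HOME_TOKEN = "origin-letsencrypt-token"   # constructed: what the origin publishes


@dataclass
class Zone:
    """Authoritative data for one zone: (owner, type) -> list of rdata."""
    origin: str
    records: dict

    def lookup(self, qname: str, qtype: str):
        """Return ("answer", rdata) or ("referral", nameservers).

        Walk from the origin toward qname; the first name strictly below the
        origin that holds an NS RRset is a zone cut, and the server must refer
        queries at or below it (RFC 1034, 4.3.2) even if it also stores other
        records at that name. That is exactly how a TXT beside an NS is lost.
        """
        labels = qname.split(".")
        for i in range(len(labels) - 1, -1, -1):
            candidate = ".".join(labels[i:])
            if candidate == self.origin or not candidate.endswith("." + self.origin):
                continue
            ns = self.records.get((candidate, "NS"))
            if ns:
                return "referral", ns
        return "answer", self.records.get((qname, qtype), [])


def ca_sees_txt(servers: dict, first_server: str, qname: str) -> list:
    """Resolve qname/TXT the way a CA validator would: start at the zone's
    public nameserver and follow referrals until an answer comes back."""
    server = first_server
    for _ in range(8):  # guard against a delegation loop
        kind, data = servers[server].lookup(qname, "TXT")
        if kind == "answer":
            return data
        server = data[0]  # follow the referral to the delegated server
    raise RuntimeError("referral loop")


def dns01_passes(seen: list, expected_token: str) -> bool:
    """DNS-01 succeeds when the expected token is among the TXT strings seen."""
    return expected_token in seen


def scenario(mode: str) -> dict:
    """Build one of three configurations and report what the CA sees.

    "ns_delegation": NS at _acme-challenge pointing at the origin (the
                     poster's setup); Cloudflare's own TXT sits beside it.
    "txt_only":      NS removed, only Cloudflare's TXT present (the short-term fix).
    "certbot_plugin": no delegation; both tokens are written into the
                     Cloudflare zone, as certbot's Cloudflare DNS plugin would.
    """
    cloudflare = Zone(ZONE, {
        (ZONE, "NS"): [CF_NS],
        (CHALLENGE, "TXT"): [CF_TOKEN],
    })
    if mode == "ns_delegation":
        cloudflare.records[(CHALLENGE, "NS")] = [ORIGIN_NS]
    elif mode == "certbot_plugin":
        cloudflare.records[(CHALLENGE, "TXT")].append(HOME_TOKEN)
    elif mode != "txt_only":
        raise ValueError(mode)
    origin = Zone(CHALLENGE, {
        (CHALLENGE, "NS"): [ORIGIN_NS],
        (CHALLENGE, "TXT"): [HOME_TOKEN],
    })
    servers = {CF_NS: cloudflare, ORIGIN_NS: origin}
    seen = ca_sees_txt(servers, CF_NS, CHALLENGE)
    return {
        "seen": seen,
        "cloudflare_edge_ok": dns01_passes(seen, CF_TOKEN),
        "origin_letsencrypt_ok": dns01_passes(seen, HOME_TOKEN),
    }


if __name__ == "__main__":
    for mode in ("ns_delegation", "txt_only", "certbot_plugin"):
        print(mode, scenario(mode))
```

The first scenario is the stuck-in-pending-validation case: the validator only ever sees the origin's token. The second fixes the edge certificate but leaves the origin's Let's Encrypt renewal with nowhere to publish. Only the third, where one party (certbot via the Cloudflare API) writes both tokens into the same zone, lets both validations pass; on a live zone the equivalent check is to query `_acme-challenge.<zone>` for NS and TXT and confirm that no NS record is present.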
It’s _acme-challenge.mytvcalendar.com - I have a very similar setup for thegamesdb.net which is working in this fashion. Currently have the NS record set up for _acme-challenge pointing to my server which then hosts the TXT record.
This is the domain I’m most concerned about as it’s getting 2+ million visitors a month.