Cipher mismatch error blocking certain users from accessing a site

Hi all. I’m hoping I am in the right place for your help.

I’m running a site on a cPanel shared hosting platform, for a not-for-profit social and flying club (https://bristolaeroclub.co.uk). Originally, the website was covered by an SSL certificate generated by the cPanel AutoSSL. Then, I created a cloudflare account and followed the instructions to get the website to use cloudflare, which included changing the nameservers.

It all seemed to be going fine, but in the not-too-distant past, club members started reporting that they couldn’t access the site, as they were given security warnings. The warning I have been made aware of is:

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

although I believe there may have been more. This seemed to be isolated to only certain users and not, for example, all users with a certain browser, although the users that did have issues were generally using either the BT ISP, or a Microsoft browser, or both.

Yesterday, I did a server test on ssllabs.com. That test revealed that using the Cloudflare CDN SSL, the tests on IPv4 worked fine, whilst the tests on IPv6 failed. It then generated an ‘inconsistent server configuration’ warning.

I couldn’t understand why this was. However, when I checked the error log in my cPanel account, I saw this:

AH01630: client denied by server configuration

That does tally with the ‘inconsistent server configuration’ warning from SSL Labs. At the moment, since I have no clue how to solve the issue, I have redirected the nameservers back to the host (HostPresto, in the UK) and have reinstalled autoSSL, which seems on the surface of it to have solved the access issue for certain users.

My issue is, I really want to make use of the Cloudflare CDN, for the potential performance and security enhancements. I just can’t use it whilst it is blocking access to users. Now, I know the website did have an error with a plugin (long since uninstalled) whilst the Cloudflare SSL was active on the site, which coincides with the start of the issues with user access. Also, I had HTTPS redirects active with Cloudflare, but not HSTS.

I am new to the use of Cloudflare and so I would be really grateful if you could help me work out what the issue is, so that I can reinstall the CDN with the confidence that users won’t be blocked again. I am happy to answer any questions/provide additional information that may be of use, to get to the bottom of the issue. I am also happy to re-post the question with a different category, if I am in the wrong place.

Thanks in advance!

1 Like
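The SSL Labs result described above (IPv4 handshakes succeeding, IPv6 failing, then an “inconsistent server configuration” warning) can be reproduced from the command line. The script below is an added example, not part of the thread: it resolves every A/AAAA record for the site named in the post, attempts a browser-style verified TLS handshake against each address with SNI, and flags the result as inconsistent when only some address families succeed. It assumes Python 3.9+ and only touches the network when run as a script.

```python
import socket
import ssl
from dataclasses import dataclass


@dataclass
class ProbeResult:
    address: str
    family: str   # "IPv4" or "IPv6"
    ok: bool
    detail: str   # issuer CN on success, error text on failure


def probe_address(hostname: str, address: str, family: int, timeout: float = 5.0) -> ProbeResult:
    """Verified TLS handshake to one specific address, sending hostname as SNI."""
    fam = "IPv6" if family == socket.AF_INET6 else "IPv4"
    ctx = ssl.create_default_context()  # verifies chain and hostname like a browser
    try:
        with socket.socket(family, socket.SOCK_STREAM) as raw:
            raw.settimeout(timeout)
            raw.connect((address, 443))
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                issuer = dict(x[0] for x in tls.getpeercert()["issuer"])
                return ProbeResult(address, fam, True, issuer.get("commonName", "?"))
    except (ssl.SSLError, OSError) as exc:
        return ProbeResult(address, fam, False, str(exc))


def probe_host(hostname: str) -> list[ProbeResult]:
    """Resolve every A and AAAA record for the host and probe each address once."""
    seen, results = set(), []
    for family, _, _, _, sockaddr in socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP):
        if sockaddr[0] not in seen:
            seen.add(sockaddr[0])
            results.append(probe_address(hostname, sockaddr[0], family))
    return results


def summarize(results: list[ProbeResult]) -> str:
    """Mirror the SSL Labs verdict: every address must behave the same way."""
    if not results:
        return "no-addresses"
    failed = [r for r in results if not r.ok]
    if not failed:
        return "consistent"
    if len(failed) == len(results):
        return "all-failed"
    return "inconsistent: " + ", ".join(sorted({r.family for r in failed}))


if __name__ == "__main__":
    probes = probe_host("bristolaeroclub.co.uk")  # domain from the post above
    for r in probes:
        print(f"{r.family:4} {r.address:40} {'OK ' if r.ok else 'ERR'} {r.detail}")
    print(summarize(probes))
```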

For starters, forget about Cloudflare’s SSL; that’s just a formality that you need on the proxies as well.

The important part is the SSL certificate on your server, but you seem to have that in place. Keep renewing that whenever it is expiring.

As far as Cloudflare is concerned, your domain has been added to Cloudflare but is not using Cloudflare at the moment as you haven’t changed your domain’s nameservers.

1 Like

Thanks so much for the rapid response. So, is it possible to use the Cloudflare CDN, whilst maintaining the SSL through the hosting account, using AutoSSL, so avoiding the Cloudflare SSL?

You’re right though. I’ve got that active and it is set to renew automatically, so that should be fine.

The nameservers were changed to the cloudflare ones, but I changed them back yesterday, as I thought that was the only way of removing the Cloudflare SSL, in order to give access back to those users who seemed to be blocked. At the moment, that seems to have worked.

1 Like

Not only possible, but necessary. But as long as you proxy through Cloudflare you can’t “avoid” the proxy certificates either, but that should not be an issue.

The important thing is that you have a valid certificate on your server and a valid certificate on Cloudflare, but Cloudflare takes care of the latter on its own.

If you switched nameservers right now, your site should actually load fine via the proxies.


Also, if you don’t switch the nameservers soon, Cloudflare will remove the domain from Cloudflare.

1 Like

Ah, I see. When I had installed the Cloudflare CDN with its SSL, I noticed that the AutoSSL had been disabled, so there was no SSL on the hosting server, just on Cloudflare. Could that have been part of the issue? It really sounds like it, from what you are saying.

Thanks for the pointer about changing nameservers again. I’m going to trial reinstalling it on a subdomain and then, if that works, I’ll extend that to the full domain.

1 Like

There are occasionally issues with renewing certificates when the proxies are enabled.

You could also get a Cloudflare Origin certificate instead; that might be easier to configure.

https://developers.cloudflare.com/ssl/origin-configuration/origin-ca

1 Like

That’s not a bad shout actually. Thanks for the tip. I think I’ll play around with the certificates on a subdomain and try to get it to work that way.

1 Like

Most welcome :slight_smile:

Origin certificates are easier to handle as you can have them issued in the UI and they can be valid for up to 15 years, but they are only valid in a proxied context, as they are only trusted by Cloudflare but not browsers.

If that’s fine with you, you might want to get an Origin certificate instead. Plus, make sure your encryption mode is “Full Strict” as otherwise the connection will still be insecure.

In that case you should be good to go :slight_smile:.

2 Likes

Thanks, that makes sense. I think the encryption mode was Full Strict, but there was no Origin certificate installed and no AutoSSL certificate installed on the server, which certainly could have been the issue.

Well, I’ve got ideas to be working on, so it’s all good! Have a good weekend! :slight_smile:

1 Like
