Cloudflare proxy and Letsencrypt - SSL_ERROR_NO_CYPHER_OVERLAP

Hi,

For the past 3 days I have been trying to get my Nextcloud site to work behind the Cloudflare proxy (orange-cloud DNS), but it just doesn't work. It always gives me (in Firefox) the well-known SSL_ERROR_NO_CYPHER_OVERLAP error. I tried other browsers like Chrome, Microsoft Edge and Safari, but none of them work.

My Nextcloud server is hosted on an internal server in Docker and made available via Nginx Proxy Manager (NPM), hosted on that same server as a Docker container, with a Let's Encrypt cert installed (created with NPM).

If I disable the CF proxy (from orange-cloud DNS to grey-cloud DNS) then everything works fine.
Except that it is showing my own public IP address. Therefore I want to use the CF proxy to hide it.

But as soon as I enable the CF proxy my Nextcloud site resolves to valid CF IPs (172.67.174.229 and 104.21.31.28 and 2x IPv6 addresses), but my site is not working anymore.

I have read a lot of posts and seen YT instruction videos on how to set this up, but it still doesn't work.

The domain is a valid 1-level domain like nextcloud.mydomain.nl, so I cannot figure out why this doesn't work. I have also tried to use the root domain like mydomain.nl, but it just doesn't work.
I think it has to be something in the CF proxy which prevents this from working.

I even tried to test one of my TrueNAS servers: I disabled the HTTPS redirect and tried to access it without SSL via the CF proxy, but it always returns the exact same NO_CYPHER_OVERLAP error.

I am out of ideas right now and hope someone can point me in the right direction, or even has the fix for this issue.

Thanks,
Rogier

If you're seeing this on a proxied (orange-cloud) site, it has nothing to do with your server.

You didn't mention the hostname, so we can't troubleshoot, but I'd check the main site's certificate to see if the cert is valid for example.nl and *.example.nl.

I'd also try a command-line openssl or the Qualys SSL Server Test to see if there's a certificate at that subdomain.

The hostname is "nextcloud.rogierbl.nl".

I have tested my site many times with Qualys SSL.
If I disable the CF proxy it works just fine and I get a nice A+ score.
But it does show my public IP, and I want to hide that with the CF proxy option and still
use my LE certificate.

And an "openssl s_client" test returns the following:

openssl s_client --connect nextcloud.rogierbl.nl:443 -tls1_2
CONNECTED(00000003)
547968169856:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1544:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 218 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1630194445
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

It looks like it doesn't pass through the CF proxy or use my LE certificate.

It won't. Since it's proxied, a browser will connect to the proxy, and not to your origin.
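To make the two observations above checkable, here is a small added diagnostic (not code from the thread or from Cloudflare): it tests whether the resolved addresses fall in Cloudflare's published IPv4 ranges and parses an `openssl s_client` transcript for the "alert number 40 / no peer certificate" pattern. The IP ranges are a snapshot of Cloudflare's list and the sample transcript is a constructed copy of the one posted above.

```python
import ipaddress
import re

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Assumption: verify against the live list before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

def is_cloudflare_ip(ip: str) -> bool:
    """True when the address belongs to a Cloudflare edge range (i.e. the name is proxied)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

ALERT_RE = re.compile(r"SSL alert number (\d+)")
CIPHER_RE = re.compile(r"^New, .*Cipher is (.+)$", re.M)

def parse_s_client(output: str) -> dict:
    """Extract the handshake outcome from an `openssl s_client` transcript."""
    alert = ALERT_RE.search(output)
    cipher = CIPHER_RE.search(output)
    return {
        "alert": int(alert.group(1)) if alert else None,          # 40 = handshake_failure
        "peer_cert": "no peer certificate available" not in output,
        "cipher": cipher.group(1).strip() if cipher else None,
    }

def diagnose(resolved_ips, s_client_output) -> str:
    """Classify where the TLS failure sits: at the origin or at the proxy edge."""
    proxied = all(is_cloudflare_ip(ip) for ip in resolved_ips)
    hs = parse_s_client(s_client_output)
    if not proxied:
        return "origin"                 # grey cloud: the client reaches your own server
    if hs["alert"] == 40 and not hs["peer_cert"]:
        return "proxied-no-edge-cert"   # edge closed the handshake before sending any cert
    if hs["peer_cert"]:
        return "proxied-edge-cert"      # edge presented its own (Cloudflare) certificate
    return "proxied-unknown"

# Constructed sample: the relevant lines of the transcript from the thread.
SAMPLE = """CONNECTED(00000003)
547968169856:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1544:SSL alert number 40
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
"""
```

Because the origin's Let's Encrypt certificate never leaves the origin on a proxied name, `proxied-no-edge-cert` means the edge itself has nothing to present for that hostname; the origin cert still matters only for the edge-to-origin leg (Full (strict)).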

OK, so there is no way to use the CF proxy to hide my public IP and still use the LE certificate already active on my site?
Because that is what I read and see in YT tutorials, or did I not understand that correctly?

Why would you want to? There's nothing special about a Let's Encrypt certificate. Cloudflare's proxy certificate is just as good.

By the way, you should keep that cert on the server for a fully encrypted connection to the origin. You really need both certificates in the chain.

OK, I was just about to ask why I would still need the LE certs.
But I think I understand now.

The Full (strict) option would then be the best option.

Thanks for basically confirming my thoughts about passthrough of the CF proxy.
It just doesn't work that way.

I will check the CF Certs instead.

Thanks.
