Custom certificate breaks when Cloudflare is enabled

What is the name of the domain?

xanaxdream.com

What is the error message?

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

What is the issue you’re encountering?

Working certificate breaks when Cloudflare is enabled

What steps have you taken to resolve the issue?

I have read all of the docs and thread in the Cloudflare community section.

What feature, service or problem is this related to?

I don’t know

What are the steps to reproduce the issue?

I have a website hosted on Linode, running Debian 12 Bookworm, served by nginx/1.22.1.

I have used acme.sh in Nginx Mode to create a certificate and configured my site config to use the certificate.

With Cloudflare disabled the certificate works great. The site is recognized by all browsers as secure and scores an A+ on SSL Labs for both ipv4 and ipv6.

However, when I enable Cloudflare the certificate instantly breaks. I get an ERR_SSL_VERSION_OR_CIPHER_MISMATCH in Firefox, and the following error when I curl the https version of the domain: curl: (35) LibreSSL/3.3.6: error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure

The same happens if I set the domain’s encryption mode to Flexible, Full, and Full (Strict).

If I disable Cloudflare without making any changes to Nginx, the certificate begins to work again. If I enable Cloudflare, and enable Universal SSL I get a valid certificate, but it is not the one that I created with acme.sh, but instead it uses Cloudflare’s cert, which scores a B in SSL Labs.

I would like to use Cloudflare’s security services, but nothing I’ve read has led me to a solution yet.

What steps can I take to enable my ZeroSSL certificate that I have created in acme.sh and is valid, but continue to use Cloudflare?

What happens when you go here and enable universal ssl, https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates?

Welcome to the Cloudflare Community. :logodrop:

The certificate on your Linode is used to secure traffic between your server and Cloudflare. The Universal SSL certificate is used to secure traffic between your visitors and Cloudflare. You should only use Full (strict) to ensure a secure connection between your server and Cloudflare.

If you must use your own certificate at the Cloudflare edge, you will need a Business or Enterprise subscription to access the Custom Certificates feature. This will also require you to manage your certificate replacement when it expires. If you can automate that with the Cloudflare API it may be tolerable in conjunction with a short-lived (90 day) ACME certificate. If you will only be permitting traffic that has passed through the Cloudflare proxy, you may consider using a Cloudflare Origin CA certificate instead.

If your actual objective is to simply increase your SSL Labs score, you may be relieved to know that the certificate used is unlikely to have any impact on the rating. I just ran one of my Cloudflare protected sites through the SSL Labs test and received an A+. Once you resolve your connection issue to your origin server, you should be able to achieve the same score by adjusting your Cloudflare TLS settings.

When I try to connect to your site, my browser replies with xanaxdream.com uses an unsupported protocol. Using curl has a similar result: TLSv1.3 (IN), TLS alert, handshake failure (552): You may need to review your nginx log for clues as to the root cause.

1 Like

When I enable Universal SSL the site becomes secured by Cloudflare’s certificate, not the one I generated myself locally.

This is better than nothing, but it scores a B in SSL Labs instead of the A+ that my very with ZeroSSL receives, and the Cloudflare universal SSL is incompatible with older browsers… which is fine, but I feel like there must be a way to get Cloudflare to work with my existing cert.

Again, the score of B is caused by settings in your Cloudflare account, not whose certificate you are presenting. You can view test results from one of my sites yourself and see that it scores an A+ with Cloudflare Universal SSL.

If you want Cloudflare to present your certificate to your visitors, you need the Custom Certificate feature that I mentioned in my original reply.

1 Like

I see. Thank you for your replies.

I have paused Cloudflare on the domain, if you have time to run the SSL Labs test again you will see that it is now scoring an A+. The only change I made was clicking the pause Cloudflare setting, so I don’t think the problem is on my end. However, I will admit to being a novice.

Ensure you set your minimum SSL level to TLSv1.2 and enable TLSv1.3 in your dashboard here…
https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates
…which should be enough to score the Cloudflare edge certificate with an A+ (mine is here). May need HSTS enabled as well.

If not, show a link to the results for the test against the Cloudflare edge certificate.

1 Like

Thank you,

I’ve been playing with settings in CF, and in my nginx site config and I have gotten an A+ using CF Universal SSL.

I needed to do what you said with regard to TLS, and enable HSTS, and use Full (Strict) encryption.

I needed to keep my certificate on my local machine configured in the nginx site config using the ssl_certificate and ssl_certificate_key properties, and I needed to add the Strict-Transport-Security header.

I didn’t need to customize any other nginx properties such as ciphers or stapling or anything.

Hopefully this helps anyone else having a similar issue. Thank you to everyone who posted here.

1 Like
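For readers arriving with the same question, here is an nginx origin configuration that matches the working end state the last post describes: the acme.sh-issued ZeroSSL certificate kept on the origin via ssl_certificate and ssl_certificate_key, TLS 1.2 as the floor with TLS 1.3 enabled, and the Strict-Transport-Security header added, with Cloudflare's encryption mode set to Full (Strict). This is an added example, not the poster's own config or anything from Cloudflare; the certificate paths, document root and www hostname are assumptions.

```nginx
# Added example, not the poster's configuration. Certificate/key paths, the
# document root and the www hostname are assumed placeholders.

# Redirect plain HTTP to HTTPS so every client, Cloudflare included, reaches the
# origin over TLS. With Full (Strict) Cloudflare only connects to port 443 anyway.
server {
    listen 80;
    listen [::]:80;
    server_name xanaxdream.com www.xanaxdream.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name xanaxdream.com www.xanaxdream.com;

    # Publicly trusted ZeroSSL certificate installed by acme.sh (assumed paths).
    # In Full (Strict) mode Cloudflare validates this chain when it connects to
    # the origin, so the file must contain the full chain and must not be expired;
    # acme.sh renewals keep it current without touching this block.
    ssl_certificate     /etc/nginx/ssl/xanaxdream.com/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/xanaxdream.com/xanaxdream.com.key;

    # Same floor as the recommended Cloudflare edge setting: minimum TLS 1.2,
    # TLS 1.3 on. The poster reported no need to customise ciphers or stapling,
    # so the Debian 12 nginx defaults are left in place for those.
    ssl_protocols TLSv1.2 TLSv1.3;

    # HSTS header the poster added. "always" sends it on error responses too.
    # Keep max-age short while testing and raise it (optionally with
    # includeSubDomains) only once every subdomain is reachable over HTTPS,
    # because browsers cache the policy for the full max-age.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root  /var/www/xanaxdream.com;   # assumed document root
    index index.html;
}
```

Two things worth checking after applying this. First, nginx's add_header is not inherited into a location block that sets its own add_header, so if you add headers elsewhere in the vhost, repeat the HSTS line there or it silently disappears. Second, visitors never see this certificate: with Universal SSL on, the edge presents Cloudflare's certificate and this one is only shown to Cloudflare. To test the origin certificate on its own, bypass the proxy by pinning the hostname to the origin address, for example `curl -I --resolve xanaxdream.com:443:<origin IP> https://xanaxdream.com/`; a handshake failure there points at the origin, while a failure only through the proxy points at the Cloudflare SSL/TLS settings.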
