Disabling cloudflare proxy makes sites inaccessible (LetsEncrypt)

Hi there!

So as the title suggests, attempting to access my subdomains after disabling the CF proxy results in connection refused errors as well as Error code: SSL_ERROR_NO_CYPHER_OVERLAP, while the sites work fine with the CF proxy enabled. Weirdly enough, when searching through the forum I noticed that the issue in reverse was most common: enabling the CF proxy would result in an inaccessible website, hence why I am posting.

The following settings are currently configured on CF:

  • SSL/TLS: Full
  • Always use HTTPS: Off (used to be on)
  • HSTS: Disabled (used to be enabled, 3 months, currently 2 months in)
  • Minimum TLS ver.: 1.2
  • Opportunistic Encryption: On
  • TLS 1.3: On
  • Automatic HTTPS Rewrites: Off
  • Certificate Transparency Monitoring: Off
  • Universal SSL: Disabled (used to be enabled)

Diagnostics center results:

  • Nameserver ✓
  • DNSSEC config ✓
  • DS Record config ✓
  • Connecting to ‘domain.com’ ✓
  • Connecting to ‘www.domain.com’ ✓
  • Existing MX records ✓
  • Redirect loops ✘ request_failed
  • HTTPS status ✘ request_failed
  • Unencrypted HTTP traffic ✘ request_failed
  • Status of encrypted traffic ✓
  • Mixed content ✘ request_failed
  • Site speed ✘ request_failed

That’s odd. The first thing I’d guess is that your server blocks all traffic from non-Cloudflare IP addresses. That would be a pretty obvious reason why connections fail without Cloudflare.

Could that by any chance be related to my letsencrypt config using cloudflare DNS validation? I imagine that's the DNS-only proxy status in CF, though…?

It depends on how you disabled Cloudflare Proxy. If you’re still using Cloudflare DNS, then it wouldn’t be a problem.

But that’s only for the certificate issuance. If you already have a valid cert, then this isn’t the problem.

Give https://www.ssllabs.com/ssltest/ a try to have it analyze your unproxied site. It might show you why there’s an error.

If that doesn’t work, give serverfault.com a try, as it’s an issue on your server that you need to resolve.

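The direct-to-origin check the reply above points at (is the server reachable without Cloudflare, and does the TLS handshake work?), written up as an added example that is not part of this thread or of any Cloudflare tool. It connects to the origin IP with the site's hostname as SNI, first verifying the certificate as a browser would, and classifies the outcome; the hostname and IP you pass in are your own, nothing here is taken from the thread.

```python
import socket
import ssl

def probe_origin(hostname, origin_ip, port=443, timeout=5.0):
    """Open a TLS connection straight to origin_ip:port with SNI set to hostname.
    The first pass verifies the certificate the way a browser would; if only that
    fails, a second pass without verification tells a certificate problem apart
    from a protocol/cipher mismatch or a closed port."""
    for verify in (True, False):
        ctx = ssl.create_default_context()
        if not verify:
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        try:
            with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                    cert = tls.getpeercert() if verify else {}
                    issuer = dict(pair for rdn in cert.get("issuer", ()) for pair in rdn)
                    return {"status": "ok" if verify else "cert_invalid",
                            "version": tls.version(), "cipher": tls.cipher()[0],
                            "issuer": issuer.get("organizationName")}
        except ConnectionRefusedError:
            return {"status": "refused"}
        except (socket.timeout, TimeoutError):
            return {"status": "timeout"}
        except ssl.SSLCertVerificationError:
            continue                      # retry once without verification
        except ssl.SSLError as exc:       # e.g. "wrong version number", "no shared cipher"
            return {"status": "handshake_failed", "detail": exc.reason}
        except OSError as exc:            # no route, connection reset, ...
            return {"status": "unreachable", "detail": str(exc)}
    return {"status": "cert_invalid"}

LIKELY_CAUSE = {
    "refused": "nothing accepts connections on that port from your address: the daemon "
               "is not listening publicly or a firewall allowlists only Cloudflare's ranges",
    "timeout": "packets are dropped before any handshake: a firewall or security group "
               "filters non-Cloudflare sources",
    "unreachable": "the IP is not routable from here: check the DNS A/AAAA record",
    "handshake_failed": "TCP works but TLS does not: no protocol/cipher overlap with the "
                        "client, or plain HTTP answers on the TLS port "
                        "(browsers show SSL_ERROR_NO_CYPHER_OVERLAP)",
    "cert_invalid": "TLS works but the certificate fails browser validation; Cloudflare's "
                    "'Full' (non-strict) mode never checked it, so the proxy hid this",
    "ok": "origin TLS is healthy; if browsers still fail, check which IP the DNS-only record publishes",
}

def diagnose(result):
    """Map a probe_origin() result to the most likely cause as one line of text."""
    return LIKELY_CAUSE[result["status"]]
```

Run it from a machine outside your own network with the origin's public IP, since a probe from the origin host itself bypasses the firewall rules in question.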

Thanks for the info.

ssllabs came up with no grand issues. Only thing notable is that HSTS appears to be enabled even though I disabled it (I imagine because the max-age hasn’t passed yet) and there seems to be no DNS CAA. Unsure if these are relevant.

Will wait for a month till HSTS max-age has passed to give it another try and ask at serverfault if the same issue resurfaces.

*Note: no changes to cloudflare DNS settings.

HSTS max-age generally doesn’t matter outside of the usual browser experience. It’s like a one-month cookie to remember to use HTTPS. Switch browsers or devices, and you get a fresh start. Clearing that “cookie” in a browser is more difficult, though. Something like the Qualys test shouldn’t remember that HSTS setting.

CAA records and HSTS do not influence each other at all.
