Hello! I have a site that was working fine over SSL. The universal edge certificate expired 2 days ago and failed to updated to the renewed cert displayed on the Edge Certificate webpage. The site is now having ERR_SSL_VERSION_OR_CIPHER_MISMATCH due to the expired cert.
Previously the site was working fine and kept having the auto renew problem when it the cert expires.
I’ve followed all the common solutions I’ve seen in the community forum here to try and get the expired certificate removed and a new one issued. Nothing has worked.
What steps have you taken to resolve the issue?
- Disabled Universal SSL , waited 15 minutes and reenabled. Tried again waiting 2-3 hours before re-enabling. Didn’t work.
My domain is www.trinax.sg
Seems like you misconfigured your nameserver settings in your registrar:
There should be only 2 nameservers, however you have a third nameserver called
. which is an invalid nameserver value.
Since Universal SSL will require TXT validation when creating or renewing a certificate, the TXT validation record will be added to your nameserver by Cloudflare automatically (except when your domain uses Partial/CNAME setup, which is not the case here). The process may fail when the certificate authority (could be DigiCert, Google Trust Services or Let’s Encrypt) tries to validate if your domain nameserver contains a specific TXT record, but the CA checks against the
. nameserver - which is an invalid one and definitely doesn’t contain the required TXT record, hence it fails.
I’m only seeing the dot because it looks like “anderson” is too long to fit on one line, so the trailing dot is on the next line.
You’re right, I should use another tool to perform the query instead of just using one.
The hostname www.trinax.sg is not orange-clouded. The edge certificate for the domain is valid and was renewed ~18 days ago.
What I’d recommend here is:
- Set proxy status to ON for the hostnames of trinax.sg such as www: Proxy status · Cloudflare DNS docs
- Your origin’s certificate is expired for your site’s hostname. If you do not know how to resolve this, visit SSL/TLS > Origin Server and follow our deploy an origin CA certificate guide to get a free certificate to install on your origin and then set Full (Strict) as your SSL Setting here: SSL/TLS
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.