Forgot to Disable DNSSEC - Domains Now Stuck and Cloudflare Support Not Responding

I have a domain that was previously registered on DNSimple, and connected to a Wix page. DNSSEC was enabled, and a Let’s Encrypt certificate was issued, and the site worked fine.

I then signed up to Cloudflare, changed the nameservers in DNSimple, and set up DNS records (in Cloudflare) to point to a new (managed) host (Transistor.fm). They require “Full” encryption.

The site stopped resolving, with the error in Chrome:
This site can’t provide a secure connection [mydomain.com] uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don’t support a common SSL protocol version or cipher suite.

I’ve tried troubleshooting with the following steps:

  1. Removing the domain from Cloudflare and re-adding it.
  2. Removing the edge certificate and re-issuing. (Tried multiple times, waiting a few days each time).
  3. Turning off the orange cloud to just DNS directly (the managed host will issue their own certificate in this case, but didn’t work).
  4. Transferring my registrar from DNSimple to Cloudflare (I thought there might be something hanging around from the old DNSimple setup, so it’s now deleted in DNSimple and fully registered in Cloudflare Domains).

Note: if I navigate to the Transistor.fm-provided subdomain it works perfectly.

My edge certificate has always been “pending validation” and I haven’t been able to get it to activate. I have another domain on Cloudflare (using Cloudflare Pages) and it activated within 24 hours.

Just to add, I replicated the setup exactly with another domain (matching all the DNS records/setup) and it works correctly. The only difference between the two setups is that the other domain has a validated Edge Certificate, and the Edge Certificate for this domain is still pending and will not activate.

(Note: this other domain was never used before). Is it possible that my old Let’s Encrypt certificate is still hanging around somehow and causing a validation error?

Hi, I am sorry you are experiencing issues with HTTPS on your domain name while using Cloudflare.

Can you share your domain name with us?
Is it Transistor.fm or some other?

  • server: Netlify
  • Working fine over HTTPS → not using Cloudflare nameservers (rather AWS DNS)

Indicates as follows:

May I ask you to try to disable the Universal SSL, then re-enable it? For the Universal SSL, yes, I remember this trick helped in some situations - but you still have to make sure you have a valid SSL certificate installed at your server/hosting.

Sounds to me like your SSL certificate expired and you have to renew it.

Kindly, may I ask you to:

  1. Temporarily enable the “Pause Cloudflare on Site” option from the Overview tab of the Cloudflare dashboard.
  2. Or, temporarily switch A www and A yourdomain.com to :grey: (DNS-only).

Furthermore, contact your web hosting provider, or, if you are a bit more experienced and are using cPanel or maybe Let’s Encrypt, start the process of renewing / reissuing an SSL certificate for your domain(s).

Once your website starts working and resolving over a secured (HTTPS) connection, disable the option (or, if you went the other way, switch back from :grey: to :orange: cloud).

Therefore, kindly check your SSL/TLS settings at the SSL/TLS tab of the Cloudflare dashboard for your domain name and make sure it’s set to Full (Strict) SSL.

Otherwise, I’d suggest you write a ticket to Cloudflare support due to your account and/or domain issue (keep in mind it’s the weekend) and share the ticket number here with us:

Thanks fritex for the comprehensive troubleshooting steps! I followed them all but it didn’t resolve the issue, so I opened a ticket.

Looks like it was related to DNSSEC - I had that enabled on my old registrar, and didn’t disable it before transferring. Support informed me that they needed to fix it on the backend and would pass it on to the registrar team, though I haven’t heard from them in a week and it’s still not working - will update this thread with a resolution once I have it.

Updating this thread - I have 3 domains that I forgot to disable DNSSEC on prior to transferring to Cloudflare from another registrar (totally my fault, should have disabled).

Cloudflare support says only their registrar team can fix (on the backend) but haven’t heard from them in 11 days now and in the meantime the domains won’t resolve (even with DNS only / orange cloud off). Is this normal?

Other domains that I transferred at the same time that didn’t have DNSSEC enabled at the old registrar are working fine.

It’s after hours, so our buddies in the registrar team are probably off for the weekend.

What’s the ticket # so we can escalate it for when they come in next week?

Thanks sdayman - the ticket number is #2352815

Ok, I’ve added that ticket to the escalation queue.

Thank you!!


This has now been resolved by the Support team (thanks again sdayman for escalating!). Their response:

Thanks for your patience in this matter. We saw the 3 domains had Universal SSL stuck in Pending Validation.

We have removed the Old DS records which were creating troubles. The SSLs are now active.

The certs are now active and the domains are resolving.

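The failure mode behind this thread is a chain-of-trust mismatch: the parent zone (the TLD registry, fed by the old registrar) kept publishing DS records for a signing key the new DNS provider no longer serves, so validating resolvers reject every answer for the zone, which is why the domains did not resolve even with the orange cloud off. The following script, added here as an illustration and not code from Cloudflare or anyone in the thread, computes the DS record a DNSKEY should produce (RFC 4034 key tag, RFC 4509 SHA-256 digest) and classifies the parent/child state; `example.com` and the key bytes are constructed sample values, not real keys.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Dnskey:  # a DNSKEY record as served by the child zone's own nameservers
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes  # raw key bytes (the base64 field in zone-file form)
    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)
    def key_tag(self) -> int:
        # RFC 4034 Appendix B key tag over the RDATA (all algorithms except RSAMD5)
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

@dataclass(frozen=True)
class Ds:  # a DS record as published at the parent (the registry, via the registrar)
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex

def wire_name(name: str) -> bytes:  # canonical lowercase wire form, RFC 4034 s6.2
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def ds_from_dnskey(zone: str, key: Dnskey) -> Ds:  # digest type 2 = SHA-256, RFC 4509
    digest = hashlib.sha256(wire_name(zone) + key.rdata()).hexdigest()
    return Ds(key.key_tag(), key.algorithm, 2, digest)

def diagnose(zone: str, dnskeys: list, parent_ds: list) -> str:  # 'broken' = stuck case
    if not parent_ds:
        return "unsigned"  # no DS at the parent: resolvers treat the zone as insecure
    served = {ds_from_dnskey(zone, k) for k in dnskeys}
    if any(ds in served for ds in parent_ds):
        return "secure"    # at least one DS matches a key the child actually serves
    return "broken"        # every DS is stale: validating resolvers answer SERVFAIL

# Constructed sample data (not real keys): the key the new DNS provider serves, and
# the old provider's key, whose DS was left behind at the parent during the transfer.
ZONE = "example.com."
NEW_KEY = Dnskey(257, 3, 13, bytes.fromhex("00010203"))
OLD_KEY = Dnskey(257, 3, 13, bytes.fromhex("deadbeef"))
STALE_DS = ds_from_dnskey(ZONE, OLD_KEY)  # what the parent still publishes after the move
print("after transfer:", diagnose(ZONE, [NEW_KEY], [STALE_DS]))
```

In practice the inputs come from `dig DS <zone>` against the parent and `dig DNSKEY <zone>` against the child's nameservers; the fix the support team applied corresponds to moving from the "broken" state to "unsigned" by deleting the stale DS, after which DNSSEC can be re-enabled cleanly with the new provider's key.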
