Getting SSL error - but it all looks setup correctly

Hi all,
My site is down. I’ve just migrated it to CF, the SSL is set to Full (Strict) with a CF issued cert and key on my origin server. I’m getting the wonderful ERR_SSL_VERSION_OR_CIPHER_MISMATCH message - which I note there is plenty of advice on already, but my situation doesn’t seem to fit those.

Universal SSL status is ACTIVE on the Edge Certificates screen.

Bizarrely, if I use an alias address to reach my website, which is still routed through CF, everything works fine. It’s just www.mydomain that fails.

I did have integration with this domain through a different host previously (which would not have been under my own CF account name), I wonder if there are some odd remnants in my setup for this domain?

I note that the www address seems to be working sometimes but not others, according to my Uptime Monitoring but almost never on my Chrome based browser or Firefox. Is there a time delay depending on which Edge server I happen to connect to?

Thanks for any help,
Steve

What’s the domain?


Apologies that would have been sensible to include wouldn’t it :slight_smile:

It’s mysticalspiritualpathfinder.com

Everything works if I set www to grey

It also works if I connect without the www (https://mysticalspiritualpathfinder.com) even though the certificates on my origin are exactly the same, since it’s literally the same server. I’ve switched from Strict to Full SSL to try that. No dice.

GTMetrix cannot connect to the www address when it’s orange, but can when it’s grey. GTMetrix can connect either way to the https://mysticalspiritualpathfinder.com address, orange or grey.

I think something within CF has gone awry here - is there any way to get in touch with engineers to take a look at it for me? My other sites hosted on the same server with the same setup are all working as I’d expect them to

That won’t fix the issue, it will only make your site insecure. Did you switch back?

Not yet, my site is so secure at the moment no-one can reach it :wink:

That’s the best security, isn’t it? I’d switch back, otherwise you might forget later.

Yeah valid point - I’ll do that. Ta.

More info;

curl -Iksv https://mysticalspiritualpathfinder.com

* Trying 104.21.23.193:443...
* Connected to mysticalspiritualpathfinder.com (104.21.23.193) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305

curl -Iksv https://www.mysticalspiritualpathfinder.com

* Trying 104.21.23.193:443...
* Connected to www.mysticalspiritualpathfinder.com (104.21.23.193) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0

I have changed no configuration in between those two commands.

I’m at a complete loss here as to why it works without www but will not with www.
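
Added example, not part of the original posts: a small Python parser that reads the two curl traces above and reports where the handshake stopped for each name, to separate a per-hostname (SNI) difference from a general protocol or cipher problem. The function names and the trimmed trace excerpts are this example's own; it assumes IPv4 addresses and curl's verbose line format as shown in the post.

```python
import re

# Excerpts trimmed from the curl -Iksv output in the post above ("* " prefix dropped).
APEX_TRACE = """\
Trying 104.21.23.193:443...
Connected to mysticalspiritualpathfinder.com (104.21.23.193) port 443 (#0)
TLSv1.3 (OUT), TLS handshake, Client hello (1):
TLSv1.3 (IN), TLS handshake, Server hello (2):
TLSv1.2 (IN), TLS handshake, Certificate (11):
SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
"""
WWW_TRACE = """\
Trying 104.21.23.193:443...
Connected to www.mysticalspiritualpathfinder.com (104.21.23.193) port 443 (#0)
TLSv1.3 (OUT), TLS handshake, Client hello (1):
TLSv1.3 (IN), TLS alert, handshake failure (552):
error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
"""

def parse_trace(text):
    """Summarise one curl -v trace: host (sent as SNI), IP, inbound messages, outcome."""
    r = {"host": None, "ip": None, "server_msgs": [], "alert": None, "session": None}
    for line in text.splitlines():
        line = line.lstrip("*• ").strip()  # tolerate curl's "* " or a rendered bullet
        if m := re.match(r"Connected to (\S+) \(([\d.]+)\) port \d+", line):
            r["host"], r["ip"] = m.group(1), m.group(2)
        elif m := re.match(r"TLSv[\d.]+ \(IN\), TLS handshake, (.+?) \(\d+\):", line):
            r["server_msgs"].append(m.group(1))
        elif m := re.match(r"TLSv[\d.]+ \(IN\), TLS alert, (.+?) \(\d+\):", line):
            r["alert"] = m.group(1)
        elif m := re.match(r"SSL connection using (\S+) / (\S+)", line):
            r["session"] = (m.group(1), m.group(2))  # (protocol, cipher)
    return r

def compare(a, b):
    """Classify a pair of parsed traces, one per hostname."""
    if a["session"] and b["session"]:
        return "both names complete the handshake"
    ok, bad = (a, b) if a["session"] else (b, a)
    if not ok["session"]:
        return "both names fail: look at protocol/cipher support, not per-hostname config"
    if ok["ip"] != bad["ip"]:
        return "different IPs: compare DNS records before comparing TLS"
    if bad["alert"] and not bad["server_msgs"]:
        return (f"{bad['host']} is refused at ClientHello on {bad['ip']} while {ok['host']} "
                "succeeds there: the difference is per-hostname (SNI) edge configuration")
    return f"{bad['host']} fails later in the handshake: inspect the certificate messages"
```

Calling `compare(parse_trace(APEX_TRACE), parse_trace(WWW_TRACE))` reports that the www name is refused at ClientHello on the same address where the apex name negotiates TLSv1.2, so the client's protocol and cipher support is not the variable.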

It looks like you are using or have previously used a service from a Cloudflare SaaS customer. Have you ever used the www with a service like Shopify?

If yes, you should:

  1. Reach out to your prior SaaS platform and ask them to remove your domain from their systems.
  2. If #1 is not successful, please open up a support ticket with Cloudflare asking them to remove your domain from your prior SaaS platform. Drop the ticket # here once you have one.

Hi Michael,
Thanks for your input. Sorry for the delay replying. I’d already filed a support request when your reply came in. You are correct in that a prior SaaS service is causing the issue - although CF support have advised me that the SaaS platform had been correctly removed already but something is still not right within the CF system.

The engineers are looking into it and I’m hoping for a resolution soon.


Disappointingly after 4 days and with a CF Ticket open (which they initially responded to very quickly) I am still no further forward and the ticket has not been updated.

At what point do I need to decide it’s not really a priority and just decide not to use Cloudflare Pro after all? What would be a reasonable length of time to wait for a fix?

Ta!
Steve.
