How to enable non-SNI support for domain

Security
#1

Hi!
I am trying to add payments to my site. But the money trasnfer finishing with error. I created a ticket in provider’s site (kassa on yandex) and got this answer:

As far as we can see, the error is related to the fact that your SSL certificate uses SNI support.
You can solve this problem like this:

  • Ask for a new certificate from your hosting without SNI support.
  • Request an SSL certificate through our Reg.ru partners.

I am not sure i fully understand how Cloudflare works with sertificate. Which sertificate is used on my site ( http://svoyashkola.ru ) now. And where to find the answer ((

Help me plz :slight_smile:

#2

SNI is not certificate but SSL related (unless they meant SANs, which are a completely different thing). You will have a hard time trying to get Cloudflare to work without SNI, as that is not supported anymore. They had that before for the high-end plans but deprecated this there as well AFAIK.

You could always contact sales and ask if any of these plans still support it.

#3

Thanx, Sandro!
1234567
So, maybe the solution is to switch to paid account and upload custom certificate from my hosting?

#4

12345678
12345678754×624 44.1 KB

#5

This will not change the need for SNI.

#6

In this case, what is “certificate from your hosting without SNI support”? How can i get it and use with Cloudflare? My hosting is beget.com, they can solve this problem?

#8

I addressed this in my very first response. These two things are not related. Your host should not be involved here either, only Yandex can explain what their issue is. Either they did not explain it correctly or they have some very outdated technology.

I do remember from other threads here however that Yandex had issues in this area. Maybe use the search

Also their statement “You shouldn’t use SSL with SNI (Server Name Identification) support.” at https://tech.yandex.com/money/doc/payment-solution/ssl-docpage/ is rather interesting.

In short, connections to Cloudflare’s proxies require SNI support. What you could do is have an unproxied record which points straight to your server and let Yandex connect there.

#9

You can also check out https://support.cloudflare.com/hc/en-us/articles/203041594

That article actually refers to what you mentioned earlier - custom certificates - but I am not sure how accurate that would be as SNI is SSL related rather than certificate related. But you could contact support and clarify with them if upgrading would get you a dedicated address where you don’t necessarily need SNI.

#10

According to Cloudflare help it is possible for Support activate the non-SNI support only if your site is on Pro, Business or Enterprise plan.

So talk to support there is no need to upload your own certificate but you have to contact support to enable the non-sni support, however if you are on a free plan then you are unable to support non-sni.

Read this article there you can see that it is possible only by contacting support:

In this case cloudflare will change your ssl certificate with SNI with one with SAN that is an alternative, but you have to be aware that you will share the certificate with other domains (on the subject name you will see not only you domain but also too many others that’s why Cloudflare changed the old certificates for sni.cloudflaressl.com or also you could issue a dedicated certificate if don’t want to share your certificate.

#11

Hi guys!
I hate when someone opens topic and than disappear without a solution, which helped, so i will not be such person ))
So, what helped me:

  1. order dedicated ip address from my hosting and apply it to my site
  2. place new ip to A- and www-settings at cloudflare DNS settings
  3. Temporary disable CDN for both (this will be needed to create correct certificate)
  4. Order certificate by hoster for dedicated ip
  5. When finished, turn on CDN again
    On this step i thought it is a win, but i needed to do one extra thing:
  6. Set SSL/TLS encryption mode is Off. If it is not disabled, cloudflare replace my certificate with their and nothing works as planned.
    And now all works good!
    Thanx all a lot, the information was very usefull! :slight_smile:
#13

Your site is currently not proxied, hence the encryption mode on Cloudflare is irrelevant as you are not going through Cloudflare in the first place.

Unproxying certainly is an option to avoid Cloudflare’s SNI requirement, however you essentially do not use Cloudflare at this point and have all request go directly to your server, which probably does not require SNI.

#14

Are you sure?
I did not disabled proxying, just disabled SSL/TLS encryption. But it seems that proxying does not work too ))
Anyway, $200 is to much for this site, so i will deal with cloudflare not working for me )

#15

Yes :wink:

You did.

Because you unproxied.

#16

This topic was automatically closed after 30 days. New replies are no longer allowed.