I am not able to install an SSL Certificate on my Plesk Server

What is the name of the domain?

meinlautern.de

What is the error message?

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

What is the issue you’re encountering

Cloudflare SSL certificate does not work

What steps have you taken to resolve the issue?

Proxied and unproxied DNS records
Pausing Cloudflare for 24h
Disabling Universal SSL for a couple of hours
Full and Full (strict)
Enabled DNSSEC

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full

What are the steps to reproduce the issue?

Generating an SSL certificate in Cloudflare and uploading it into Plesk; Plesk shows it as not securing the website.
SSL Labs shows “Failed to communicate with the secure server”, even though I can ping the URL and get back a Cloudflare IPv4 and IPv6 address for the domain.

Screenshot of the error

Was it re-generated again or not? :thinking:

How about Full (Strict)? :thinking:

What SSL settings have you got selected under the SSL/TLS tab of Cloudflare dashboard for your domain name? :thinking:

Before moving to Cloudflare, was your Website working over HTTPS connection?

You could determine whether this behaviour continues by using the “Pause” option at Cloudflare, as follows: :thinking:

  1. Use the “Pause Cloudflare on Site” option from the Overview tab for your domain at dash.cloudflare.com .
  2. The link is in the lower right corner of that page.
  3. Give it five minutes to take effect, then make sure the site is working as expected over HTTPS without any error
  4. Check with your hosting provider / cPanel AutoSSL / Let’s Encrypt / ACME / Certbot and manually click to renew it
  5. Only then, when your website responds over HTTPS, you should un-pause Cloudflare and double-check your SSL/TLS setting to make sure it’s Full (Strict).

Make sure Always Use HTTPS and Automatic HTTPS Rewrites features are enabled at Cloudflare.

Here is a way to re-check if you correctly setup the SSL for your domain with Cloudflare:

In case you do not have an SSL certificate, you can use Cloudflare SSL; if so, kindly follow the instructions in the article below to set up an SSL certificate using a Cloudflare Origin CA certificate:

If you have generated the CSR, try the following steps

  1. Start by logging into Parallels Plesk Panel.

  2. Once you are logged in, select the ‘Websites & Domains‘ tab located in the top navigation menu.

  3. Look for the ‘SSL Certificate‘ link and click on it.

  4. Next, you will need to click ‘Manage’ next to the domain name that the SSL certificate is for.

  5. Click on Add SSL Certificate

If you still can’t install it, look at this article: https://certera.com/kb/how-to-install-ssl-certificate-on-plesk/

Hi, first of all thanks a lot for the reply and trying to help. Really appreciate that!

Answering your questions:

  1. Yes, if I disable and re-enable Universal SSL, I get a new certificate from Google Trust Services, valid for 3 months (pending validation), which works and makes the connection secure.

  2. I tried both, Full and Full (Strict)

For context: I am running some domains with IPv6 only, and therefore I like to use Cloudflare DNS with proxy to get a valid public IPv4 address. Especially with Nextcloud there are some problems if you set up a domain with IPv6 only: the Nextcloud backend does not download apps, and the update server is not reachable either while on IPv6 only.

Non-proxied Cloudflare works fine, even with Let’s Encrypt. It renews the certificates after 3 months with the help of a DNS entry with _acme-challenge. The Plesk-generated Let’s Encrypt value can then be auto-transferred from Plesk via the Cloudflare Plesk extension, and the Let’s Encrypt certificate does its job as it should. So the site worked before switching to Cloudflare, and it even runs with Cloudflare’s Universal SSL; even Let’s Encrypt works!

My only problem is using the Origin Certificate for all my web traffic. E-mail traffic should still be secured with Let’s Encrypt, so both should run side by side: web (origin) and mail (Let’s Encrypt).

I followed the steps from this guide, generating an SSL certificate and putting it into Plesk.

I am pretty sure I did not mess up there and copied all the right certs and keys to the positions where they are needed! For example, when I turn the DNS proxy off, I also see that the Cloudflare origin certificate gets loaded; of course it is then insecure and not valid.

But Plesk does not show me a green icon indicating that the certificate is activated. Probably for the same reason, the browser returns ERR_SSL_VERSION_OR_CIPHER_MISMATCH for the website if the proxy is turned on.

Here are my SSL/TLS Settings:


Also in Plesk, HTTP is redirected to HTTPS.

Would be great, to get the Origin Certificate running!

Thanks for the hint with the CSR. Is this the way to install a Cloudflare origin certificate?
I missed that, because it was not mentioned that way in the Plesk manual I referred to above.

So I think I am one step further now if so!

I tried to use the CSR option and generated the Cloudflare origin certificate with that.

For ordering the CSR in Plesk, I used an asterisk *.xxx.xy in front of the domain name.
Then I created the certificate in Cloudflare and imported it back into Plesk.

Now I see at least that the site is marked as protected in Plesk.

Question: the domain without www. in front is still shown as unprotected!
How can I get rid of that? Do I need to sign another certificate for the plain domain name?

And do I need to add the CA certificate in Plesk? *-ca.crt

Uploading the Cloudflare origin_ca_rsa_root.pem fails!

I guess the certificate might work now after pausing Cloudflare for 24h, right?

And one other question: if I use a Cloudflare Origin Certificate, should Universal SSL then be disabled? Even when I’d like to secure my e-mails via Let’s Encrypt?

It is really frustrating. Again I paused Cloudflare for 24h, this time for another domain.
I created and uploaded an Origin Server Certificate, put it into Plesk, where it is shown as green and should be capable of protecting the domain with proxied DNS (e-mail still protected via Let’s Encrypt and a non-proxied DNS entry).

But again ERR_SSL_VERSION_OR_CIPHER_MISMATCH

My settings:

In Cloudflare, Universal SSL is disabled, as I do not want to get a Google certificate instead of the 15-year Cloudflare Origin Server Certificate.

  • I tried the Full and Full (strict) SSL settings

  • DNSSEC is disabled in Cloudflare; no DNSKEY is set for the domain at all.

  • Also enabled are Always Use HTTPS and Automatic HTTPS Rewrites and TLS 1.3; Minimum TLS Version is 1.0

  • HSTS not enabled

As said, really frustrating. I would really like to find the culprit and a solution, but I am not sure what else to try.

What am I missing?

And by the way, I am running Plesk on Debian 12 with TLSv1.2 and TLSv1.3.
Screenshot 2024-11-09 at 07.52.11

It is self-signed, and therefore not trusted in web browsers.

Plesk may require you to put both the Cloudflare Origin CA root and your generated intermediate Origin CA certificate together in a single file, sometimes known as a “bundle” or, in other terms, a “full chain”.

Therefore, once proxied :orange: and with the Cloudflare Origin CA certificate at your server, it’s a trusted connection, valid only between Cloudflare and the origin host and not public; therefore the same Origin CA certificate cannot be used for e-mail, since it only works for HTTP(S) traffic.

I haven’t used Plesk so much yet.

Once you’re using the “self-signed” Cloudflare Origin CA certificate and proxied, Full (Strict) should work.

The Cloudflare Universal SSL certificate is valid for 3 months and gets renewed.
This is the green “lock” icon in the web browser for all of your website visitors, including you, and it’s a trusted one.

Make sure to create an A record for mail, make it unproxied :grey: (DNS-only), and then you’d be able to renew your Let’s Encrypt SSL certificate from the server to cover mail.hostname.com, so that your e-mail works while you’re using the :orange: proxy and other benefits from Cloudflare for your domain.

Otherwise, to get the best possible experience and security in place:

  1. Make sure all DNS records are temporarily unproxied :grey: (DNS-only).
  2. Leave it for some time, e.g. 15 min
  3. In Plesk or on the server, using acme.sh, Certbot, Plesk SSL, or some other way, generate the SSL certificate which covers your main domain and all the other sub-domains
  4. Once finished, make sure your web server responds and the website works over HTTPS on the desired HTTPS port, such as 443, without any error
  5. Double-check your server firewall and allowlist Cloudflare IPs
  6. Once done, switch the DNS records back to :orange: proxied
  7. Make sure under the SSL/TLS tab your SSL setting is set to Full (Strict)
  8. Double-check and enable Universal SSL at Cloudflare if you’ve disabled it

Related articles:

Let’s summarize my problem again with my example domain. I get your points, but as far as I can see, I did nothing other than what you mentioned!

The domain, set up via Plesk, is working fine and with full SSL with Let’s Encrypt and/or Cloudflare’s Universal SSL.

It is not with the Origin Server Certificate!

Look at my settings:

First, see that the domain has been paused in Cloudflare for more than 24h:

The domain is set up to Full (strict)!

As you can see, when loading the website, the Cloudflare certificate shows up as it should, but it does not protect the site, because it is paused and therefore the proxy is off.



These are my settings. No Universal SSL is present, as it should use the Origin Cert! Universal SSL is disabled:

In Plesk you see that the Cloudflare certificate seems to be valid and should protect all web traffic. E-mail is still secured by Let’s Encrypt.



As soon as I enable Cloudflare again, I get ERR_SSL_VERSION_OR_CIPHER_MISMATCH, no change!

I really don’t get it. Where is the error? I simply do not get it, or whether I am the one who is messing things up.


A silly question:

What do I have to expect when I use the Cloudflare Origin Certificate with proxy mode on at my DNS entries?

Should the browser present me a Cloudflare certificate valid for 15 years, or is a certificate presented that is valid for 3 months, and the 15-year period means that this will be issued and auto-renewed for 15 years?

Maybe that is my fault, as I expected a Cloudflare certificate to be shown in my browser when DNS is proxied.

So is something like this right, and does it mean that the Origin Certificate is working?

If so, just to clarify: then what is the difference between a Universal Edge and an Origin Certificate from a security point of view?
Does this mean that Universal SSL will also get auto-renewed after 3 months, and there is nothing to do or change on my Plesk server, like clicking an e-mail to accept the renewal?

I’d like to get this as an automated process without any e-mail confirmation, etc.

Maybe I was expecting something completely wrong.


When checking online, or via your web browser :lock:, you’d see either a Let’s Encrypt, Google Trust Services or SSL.com certificate valid for 3 months:

That’s Cloudflare’s Universal SSL certificate, covering the main domain and 1st-level sub-domains when your DNS records are proxied :orange: .

In the article below you can find the CAs being used by Cloudflare to issue it:

Nevertheless, the connection between Cloudflare and you (the website visitor) is now secured with a valid SSL certificate.
Meanwhile, your Plesk server uses the Origin CA certificate to communicate with the Cloudflare proxy; as a self-signed 15-year certificate, it is not valid and not trusted in web browsers when the DNS records are unproxied :grey: (DNS-only) and you visit your website:

Site visitors may see untrusted certificate errors if you pause or disable Cloudflare on subdomains that use Origin CA certificates. These certificates only encrypt traffic between Cloudflare and your origin server, not traffic from client browsers to your origin.
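The two hops described above can be probed separately. This is an added diagnostic, not code from the thread or from Cloudflare: the hostname, origin IP and root-file name are placeholders you supply, and the "Origin" substring test on the issuer name is an assumption about how Cloudflare names its Origin CA.

```python
"""Added diagnostic, not code from the thread: show which certificate each hop presents.
Browsers reach the Cloudflare edge and get the edge (Universal SSL) certificate; only
Cloudflare's proxy reaches the Plesk origin, where the 15-year Origin CA cert lives.
Hostname, origin IP and root-file name are placeholders supplied on the command line."""
import socket
import ssl
import sys
import time


def summarize(cert, now_ts=None):
    """Reduce a getpeercert() dict to issuer, subject, days left and an Origin CA flag."""
    def cn(name):  # name looks like ((("commonName", "x"),), ...): flatten to a dict
        return dict(pair for rdn in name for pair in rdn).get("commonName", "")
    issuer = cn(cert.get("issuer", ()))
    now_ts = int(time.time()) if now_ts is None else now_ts
    return {
        "subject": cn(cert.get("subject", ())),
        "issuer": issuer,
        "days_left": (ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts) // 86400,
        # Assumption: Cloudflare's Origin CA issuer names contain "Origin"; the public
        # CAs behind Universal SSL (Let's Encrypt, Google Trust Services, SSL.com) do not.
        "origin_ca": "origin" in issuer.lower(),
    }


def probe(host, connect_to=None, cafile=None, port=443):
    """Handshake with SNI=host against connect_to (default: the DNS answer, i.e. the edge).

    connect_to=<origin IP> bypasses the proxy and shows what Cloudflare itself is served.
    cafile=<origin_ca_rsa_root.pem> trusts only the Origin CA root, as Full (strict) does;
    with no cafile the system roots are used, which is why a browser rejects that cert.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((connect_to or host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"ok": True, "tls": tls.version(), **summarize(tls.getpeercert())}
    except ssl.SSLError as exc:
        # Edge with no certificate for this name (handshake failure) and origin with an
        # issuer outside the trust store both land here; `reason` tells them apart.
        return {"ok": False, "error": exc.reason or str(exc)}


if __name__ == "__main__":
    host = sys.argv[1]                                       # e.g. www.example.invalid
    print("edge  :", probe(host))                             # what every visitor sees
    if len(sys.argv) > 3:                                     # <origin IP> <origin root PEM>
        print("origin:", probe(host, connect_to=sys.argv[2], cafile=sys.argv[3]))
```

Run as `python3 probe.py www.example.invalid <origin IP> origin_ca_rsa_root.pem`: the edge result should show a public CA with about 90 days left, the origin result the Origin CA with years left.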

Yes! Bravo! :+1:

Thanks a lot for your help and for guiding me through my brain fog!


I am happy to assist you! :hugs:
