I'm getting CIPHER_MISMATCH on one of identical domains

Hi all,

I'm seeing strange behaviour.
I have a domain where I had an SSL certificate installed just before switching to CF.
The certificate was issued using Let's Encrypt and it is still valid for almost 3 months for the domain itself, as well as the domain with the www prefix.

And now comes the magic:

And I don’t even get the 525 SSL error - what I get is just an internal Chrome message (I translated it to English, I don’t know exactly how it reads in English Chrome):

This website does not provide safe connection
Server www.domain.com is using unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

That’s all.
Just to be clear:

  • both addresses are on the same IP address
  • both addresses are using exactly the same SSL certificate (in fact, it is a single nginx vhost entry)
  • in Cloudflare DNS settings, both domain and www.domain have the same IP address set.

No matter how I configure Cloudflare SSL connection (flexible, full, strict) - nothing changes.
The only way to get www.domain.com working is by disabling CF Proxy - which is definitely not what I would want.

Any ideas? Or should I do something insane, like removing this domain from my account and set it up again?

Greetings,

Jacek

That error is because Cloudflare hasn’t provisioned a certificate for that hostname.

See what’s currently listed, and you may have to go to the bottom of that page to disable Universal SSL for a few minutes, then re-enable it to re-provision the cert.

I don’t understand… I disabled Universal SSL for quite a while, then reenabled it… and still the same.
Checking domain.com - works perfectly, but when I try the one with the “www” prefix - it still fails.
Shall I remove the domain and add it again, or what?

gnutls-cli also fails to connect:

MacBook-Air-Jacek-2:certyfikaty jacek$ gnutls-cli www.ankieter.vrgstrategia.pl
Processed 164 CA certificate(s).
Resolving ‘www.ankieter.vrgstrategia.pl:443’…
Connecting to ‘104.21.52.185:443’…
*** Fatal error: Odebrano krytyczny alarm TLS.
*** Received alert [40]: Nawiazanie komunikacji nie powiodlo sie
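The reply above attributes the error to the proxy having no certificate for that hostname, which is checked per name rather than per IP. The sketch below is an added example, not code from the thread: `probe` repeats the gnutls-cli test from Python with a chosen SNI, and `san_covers` applies the standard rule that a wildcard entry matches exactly one label. The function names, the SAN list and the `example.test` hostnames are constructed for illustration.

```python
import socket
import ssl


def san_covers(hostname, sans):
    """Return True if a DNS SAN matches hostname.

    A leading '*' stands for exactly one label, so '*.example.test'
    matches 'www.example.test' but not 'www.shop.example.test'.
    """
    host = hostname.lower().rstrip(".").split(".")
    for san in sans:
        pat = san.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue
        if pat == host or (pat[0] == "*" and pat[1:] == host[1:]):
            return True
    return False


def probe(hostname, ip, port=443, timeout=5.0):
    """Handshake with `ip` sending `hostname` as SNI (needs network access)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLError as exc:
        # A fatal handshake alert from the server is raised as ssl.SSLError.
        return {"handshake": False, "detail": exc.reason or str(exc), "sans": []}
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {"handshake": True, "detail": "ok", "sans": sans}


def uncovered(hostnames, sans):
    """List the hostnames that no SAN entry covers."""
    return [h for h in hostnames if not san_covers(h, sans)]


if __name__ == "__main__":
    # Constructed SAN list and hostnames, not taken from the thread.
    sample_sans = ["example.test", "*.example.test"]
    names = ["example.test", "www.example.test", "www.shop.example.test"]
    print("not covered:", uncovered(names, sample_sans))
```

Running `probe` once for each hostname against the same proxied IP shows whether the failure follows the name, and feeding the SANs from a successful probe into `uncovered` shows which names that certificate leaves out.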

Here’s the full tip on the subject:
