My Universal Certificate is still not active after 24hrs

Hi guys,

I was wondering if you could help please.

My Universal certificate is still not active after 24hrs and my website is getting the below message:

This site can’t provide a secure connection

domain name uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Unsupported protocol

The client and server don’t support a common SSL protocol version or cipher suite.

Could you please advise and guide me on what I need to do in order to get my website working again and secure…?

Looking forward to hearing from you guys soon please.

Thank you.

Assuming Universal SSL is enabled and you are active on our nameservers, check the following:

  1. The DNS record you receive the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error on is proxied in our DNS panel
  2. Enter your domain into letsdebug.net to see if there are any issues that might block a Certificate Authority (CA) from issuing SSL for your domain
  3. Fix any issues in 2 and then Disable Universal SSL, wait 5 minutes and re-enable again

Hi Simon,

Thank you for your reply, much appreciated.

I did part 2 and received the following error reports:

DNSLookupFailed

FATAL

A fatal issue occurred during the DNS lookup process for prime-whale.com/CAA.

DNS response for prime-whale.com had fatal DNSSEC issues: validation failure <prime-whale.com. CAA IN>: No DNSKEY record from 162.159.38.217 for key prime-whale.com. while building chain of trust

DNSLookupFailed

FATAL

A fatal issue occurred during the DNS lookup process for prime-whale.com/A.

DNS response for prime-whale.com had fatal DNSSEC issues: validation failure <prime-whale.com. A IN>: No DNSKEY record from 2803:f800:50::6ca2:c2d9 for key prime-whale.com. while building chain of trust

DNSLookupFailed

FATAL

A fatal issue occurred during the DNS lookup process for prime-whale.com/AAAA.

DNS response for prime-whale.com had fatal DNSSEC issues: validation failure <prime-whale.com. AAAA IN>: No DNSKEY record from 108.162.194.217 for key prime-whale.com. while building chain of trust

NoRecords

FATAL

No valid A or AAAA records could be ultimately resolved for prime-whale.com. This means that Let’s Encrypt would not be able to connect to your domain to perform HTTP validation, since it would not know where to connect to.

No A or AAAA records found.

Could you please advise of what may be the issue please…?

Shall I send you a screenshot of the DNS panel too…?

So the likely reason your cert hasn’t issued is because your DNSSEC configuration at your registrar is broken. Follow the advice here:

Once you fix that, the SSL cert should issue.

Thank you Simon, much appreciated.

I have done this and the certificate is still not issuing. I also ran letsdebug again and received these results, could you please advise…?

CloudflareCDN

WARNING

The domain prime-whale.com is being served through Cloudflare CDN. Any Let’s Encrypt certificate installed on the origin server will only encrypt traffic between the server and Cloudflare. It is strongly recommended that the SSL option ‘Full SSL (strict)’ be enabled.

https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean-

CloudflareSSLNotProvisioned

WARNING

The domain prime-whale.com is being served through Cloudflare CDN and a certificate has not yet been provisioned yet by Cloudflare.

https://support.cloudflare.com/hc/en-us/articles/203045244-How-long-does-it-take-for-Cloudflare-s-SSL-to-activate-

MultipleIPAddressDiscrepancy

WARNING

prime-whale.com has multiple IP addresses in its DNS records. While they appear to be accessible on the network, we have detected that they produce differing results when sent an ACME HTTP validation request. This may indicate that some of the IP addresses may unintentionally point to different servers, which would cause validation to fail.

[Address=2606:4700:3035::ac43:9eab,Address Type=IPv6,Server=Cloudflare,HTTP Status=200] vs [Address=104.21.90.174,Address Type=IPv4,Server=Cloudflare,HTTP Status=404]

MultipleIPAddressDiscrepancy

WARNING

prime-whale.com has multiple IP addresses in its DNS records. While they appear to be accessible on the network, we have detected that they produce differing results when sent an ACME HTTP validation request. This may indicate that some of the IP addresses may unintentionally point to different servers, which would cause validation to fail.

[Address=2606:4700:3035::ac43:9eab,Address Type=IPv6,Server=Cloudflare,HTTP Status=200] vs [Address=172.67.158.171,Address Type=IPv4,Server=Cloudflare,HTTP Status=404]

Could you please advise further…?

Thank you.

Your order is probably scheduled to be checked again in a few hours (if your domain fails, we slow down how often we check, progressively).

What you can do is Disable Universal SSL, wait 5 minutes and then re-enable it.

I have disabled and reenabled it after 5 minutes, hopefully now it will validate quickly or will it take 24hrs…?

Thank you.

Okay the certificate is active and all is working well, thank you very much Simon.

Glad things are working - thanks for letting us know!
