Secure Connection Failed after switching to Cloudflare DNS

  • I have an AWS setup that has an EC2 VM behind an AWS application load balancer. The SSL certs for this are generated in AWS.
  • This setup was working perfectly fine when accessing https://subdomain.mysite.com
  • I recently (yesterday) switched my DNS from AWS to Cloudflare for some optimizations (jaziel.ns.cloudflare.com, kami.ns.cloudflare.com)
  • Now when I try to access https://subdomain.mysite.com I get the following error: "Secure Connection - Error code: SSL_ERROR_NO_CYPHER_OVERLAP"
  • I have proxied all DNS records through Cloudflare, and I have done nothing else in Cloudflare (as I just created the account). So I’m a bit confused as to how something is broken.

I understand there might be some SSL weirdness between AWS and Cloudflare?

When I try to access a

That’s Cloudflare’s SSL that’s not working for that subdomain. Are you sure it’s just subdomain.example.com, and not www.subdomain.example.com?

Here’s more info on that error:


Thanks for the fast reply @sdayman.

  1. I can’t seem to find the Universal TLS button under the SSL/TLS section.
  2. The advice is essentially “turn it off and turn it back on again”. My question here would be: what is supposed to happen in the time between me turning Cloudflare off on my site and re-enabling it?

Finally, I don’t wanna imply I haven’t read the other articles. I’ve done some digging on this. I guess my issue is that I haven’t seen answers explaining why this could happen.

  • Is this because my Cloudflare account is so new that TLS hasn’t been set up?
  • Does this require me to manually create some TLS certs in Cloudflare?
  • Is the fact that I can’t see the Universal TLS setting some indication that my account isn’t yet set up?

Super excited to finally use Cloudflare :slight_smile:

It’s at the bottom of the Edge Certificates section.

Good question. That would interfere with SSL on other hostnames. I’d hate to ask you to throw some money at the problem, but if you use Advanced Certificate Manager, it would put a cert in place to handle everything.

Back to the original issue: You didn’t mention if it’s ‘www’ in front of the subdomain. What you should already have at Cloudflare is a certificate that covers example.com and *.example.com. And the * one should cover that subdomain. You would see the cert if you visit your main site if it’s :orange: Proxied by Cloudflare.

If you want specific suggestions for your domain, please post the complete subdomain hostname.


The specific domain is app.staging.dmnsn.io. I currently have Cloudflare disabled, but let me know if I should re-enable it (as well as re-enable Universal TLS) for debugging purposes.

No, but now I see the problem. I wasn’t specific enough when I asked if there was a ‘www’ in front. Anything in front of a subdomain won’t match the certificate, as I just outlined in my wildcard comment above.
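The one-label wildcard rule behind this answer, as an added example that is not from the thread: a small Python checker that applies the browser matching rule (RFC 6125, a wildcard is only the whole leftmost label and stands for exactly one label) to a constructed certificate carrying `example.com` and `*.example.com`. The hostnames are constructed placeholders, not the poster's domain.

```python
"""Check which hostnames a certificate's names cover (constructed example).

A '*' is only allowed as the entire leftmost label and matches exactly one
label, so '*.example.com' covers 'app.example.com' but not
'app.staging.example.com'. Hostnames the certificate does not cover will
fail the TLS handshake in the browser.
"""

# Constructed: the names a one-level wildcard certificate for an apex carries.
UNIVERSAL_CERT_SANS = ["example.com", "*.example.com"]


def _normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are stable."""
    return name.strip().rstrip(".").lower()


def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (possibly a wildcard) covers hostname."""
    pattern = _normalize(pattern)
    hostname = _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a whole leftmost label may be a wildcard, and at least two labels
    # must follow it (patterns like '*.com' are rejected).
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    # The wildcard stands for exactly one label, so label counts must match.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def certificate_covers(sans: list[str], hostname: str) -> bool:
    """True if any Subject Alternative Name on the certificate covers hostname."""
    return any(name_matches(san, hostname) for san in sans)


def uncovered_hostnames(sans: list[str], hostnames: list[str]) -> list[str]:
    """Return the hostnames the certificate does not cover."""
    return [h for h in hostnames if not certificate_covers(sans, h)]


if __name__ == "__main__":
    # Constructed hostnames mirroring the thread: one-level vs. two-level subdomain.
    for host in ["example.com", "www.example.com", "app.staging.example.com"]:
        state = "covered" if certificate_covers(UNIVERSAL_CERT_SANS, host) else "NOT covered"
        print(f"{host}: {state}")
```

Running it reports the two-level hostname as not covered, which is exactly the case where the Cloudflare proxy has no matching certificate to present.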

@sdayman Ahh bingo!

I’m ok with the fact that deep subdomains require extra effort. I can just turn off the Cloudflare proxy for those. Confirming that onelevelsubdomain.mydomain.com shows a Cloudflare TLS cert.

Thanks so much @sdayman for the quick responses, detailed answers, and supporting links :slight_smile:
