I have an AWS setup that has an EC2 VM behind an AWS application load balancer. The SSL certs for this are generated in AWS.
This setup was working perfectly fine when accessing
I recently (yesterday) switched my DNS from AWS to Cloudflare for some optimizations (
Now when I try to access https://subdomain.mysite.com I get the following error:
"Secure Connection - Error code: SSL_ERROR_NO_CYPHER_OVERLAP"
I have proxied all DNS records through Cloudflare, I have done nothing else in Cloudflare (as I just created the account). So I’m a bit confused as to how something is broken.
I understand there might be some SSL weirdness between AWS and Cloudfare?
When I try to access a
That’s Cloudflare’s SSL that’s not working for that subdomain. Are you sure it’s just
Here’s more info on that error:
Try the suggestions in this Community Tip to help you fix SSL ERROR NO CYPHER OVERLAP in Mozilla.
A website using HTTPS performs a series of steps between the browser and the web server to ensure the certificate and SSL/TLS connection is valid. These include a TLS handshake, the certificate being checked against the certificate authority, and decryption of the certificate. If Mozilla detects an issue, it might display “SSL_ERROR_NO_CYPHER_OVERLAP” which prevents access to the…
Thanks for the fast reply
I can’t seem to find the Universal TLS button under the SSL/TLS section
The advice of essentially “turn it off and turn it back on again” - my question here would be, what is supposed to happen in the time between me turning Cloudflare off on my site, then re-enabling it?
Finally, I don’t wanna imply I haven’t read the other articles. I’ve done some digging on this. I guess my issue is that I haven’t seen answers explaining why this could happen.
Is this because my Cloudflare account is so new that TLS hasn’t been set up?
Does this require me to manually create some TLS certs in Cloudflare?
Is the fact that I can’t see the Universal TLS setting some indication that my account isn’t yet setup?
Super excited to finally use Cloudflare
It’s at the bottom of the Edge Certificates section.
Good question. That would interfere with SSL on other hostnames. I’d hate to ask you to throw some money at the problem, but if you use Advanced Certificate Manager, it would put a cert in place to handle everything.
Back to the original issue: You didn’t mention if it’s ‘www’ in front of the subdomain. What you should already have at Cloudflare is a certificate that covers *.example.com. And the * one should cover that subdomain. You would see the cert if you visit your main site if it’s Proxied by Cloudflare.
If you want specific suggestions for your domain, please post the complete subdomain hostname.
The specific domain is app.staging.dmnsn.io – I currently have Cloudflare disabled, but let me know if I should reenable it (as well as reenable Universal TLS) for debug purposes. Is the latter required?
No, but now I see the problem. I wasn’t specific enough when I asked if there was a ‘www’ in front.
Anything in front of a subdomain won’t match the certificate, as I just outlined in my wildcard comment above.
This tutorial covers a possible reason for the SSL_ERROR_NO_CYPHER_OVERLAP and ERR_SSL_VERSION_OR_CIPHER_MISMATCH errors (Firefox and Chrome respectively) when seen on a subdomain.
The Cloudflare universal certificates cover example.com and *.example.com. This means that it covers any subdomain one level below the domain you signed up with.
It will cover www.example.com and subdomain.example.com, as these are one level below the root domain, example.com.
The certificate will not cover www.sub…
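As an added example (not part of this thread or of Cloudflare's own tooling), a small Python checker that applies the one-label wildcard rule described above, so you can see in advance which hostnames a Universal certificate with `example.com` + `*.example.com` will cover; the SAN list and hostnames below are constructed from the thread's dmnsn.io example.

```python
"""Hostname-vs-certificate-SAN checker using the single-label wildcard rule
(RFC 6125 section 6.4.3): '*' matches exactly one DNS label, never 'a.b'."""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if a SAN entry (exact name or '*.domain') covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # Only a whole leftmost '*' label is accepted (the form public CAs issue),
    # it must sit under at least two further labels, and the label counts must
    # be equal: '*.dmnsn.io' matches 'app.dmnsn.io' but not 'app.staging.dmnsn.io'.
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def covered_by(san_names, hostname: str) -> bool:
    """True if any SAN entry in the certificate covers hostname."""
    return any(wildcard_matches(p, hostname) for p in san_names)


# Constructed SAN list modelled on a Cloudflare Universal certificate:
# apex plus a one-level wildcard, as the thread describes.
UNIVERSAL_SAN = ["dmnsn.io", "*.dmnsn.io"]


def explain(hostname: str, san_names=UNIVERSAL_SAN) -> str:
    """Human-readable verdict for one hostname against the SAN list."""
    if covered_by(san_names, hostname):
        return f"{hostname}: covered by {san_names}"
    return (f"{hostname}: NOT covered by {san_names}; a proxied request gets "
            "SSL_ERROR_NO_CYPHER_OVERLAP (Firefox) / ERR_SSL_VERSION_OR_CIPHER_MISMATCH "
            "(Chrome). Options: a cert that names this host (Advanced Certificate "
            "Manager), or set the record to DNS-only so the origin's cert is used.")


if __name__ == "__main__":
    for host in ["dmnsn.io", "app.dmnsn.io", "app.staging.dmnsn.io"]:
        print(explain(host))
```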
@sdayman Ahh bingo!
I’m ok with the fact that deep subdomains require extra effort. I can just turn off the Cloudflare proxy for those. Confirming that onelevelsubdomain.mydomain.com shows a Cloudflare TLS cert.
Thanks so much @sdayman for the quick responses, detailed answers, and supporting links