Sites all went down after changing NS to Cloudflare, what's wrong?

Apologies, I thought these replies to support were also posting to the Community.

A week ago on 6/3/2021 I moved 4 sites to Cloudflare NS as I had done with a handful of other sites.
This time all 4 returned an error for SSL Cipher Mismatch. Here is an example of the error message in Google Chrome (Version 91.0.4472.77 (Official Build) (64-bit)).


Unable to resolve this, after attempting to contact support at Cloudflare, I talked to my hosting company and they could only offer that I should move the NS back to their servers. By this time the 4 sites had been down for some hours, so I did that and after another hour propagation occurred and all 4 were up but without CDN.
I started getting questions and responses from support. But I am unfamiliar with the nuances of this so was unable to find a solution other than noticing that on the working sites vs the not working site (observed while one of them was still on CF’s NS) that if I Inspected the sites using the dev tools in Google Chrome, on the security tab that:
The connection to this site is encrypted and authenticated using TLS 1.3, X25519, and AES_256_GCM. (working site)
VERSUS
The connection to this site is encrypted and authenticated using TLS 1.3, X25519, and AES_128_GCM.

So the only difference I see is the AES_128 vs the AES_256.

Last night 6/9/2021 after being prompted by Cloudflare support I moved another site back to CF Name Servers. It went down and I got the same error message. Later in the evening I checked it, and the site was up and I had an email from support that it is “resolved.” But I do not know how or what fixed the issue. When I go back into chrome I see that the certificate info is the same as the working sites I observed before. Also all of these that it references as TLS 1.3 even though the Edge Cert has them all at the default of TLS 1.0? The connection to this site is encrypted and authenticated using TLS 1.3, X25519, and AES_128_GCM.

Surely there is a better method than just rolling the dice, moving these sites, and seeing if they fail or not?

Thanks.

The LaLey site loads for me, and it checks out in a global test as well:

Yes. I said it is up now. “Resolved” as it were. But I wanted to know how, so when I move the other 20 sites I don’t have to go through this.

Later in the evening I checked it, and the site was up and I had an email from support that it is “resolved.” But I do not know how or what fixed the issue.

The best I’ve seen is to ensure your site is active with ssl in place before moving it to cloudflare. That sets you up for success.

I suspect it was quick fix 6 in this tip


Actually all of my sites have SSL upon creation. There was never a problem until I moved the NS to Cloudflare.
Wait 24hrs? Really just have the site down for an entire day and “see” if that fixed it? In no way would I consider that a “quick” fix. These are websites that the advertisers call the president if their banner is the wrong shade of cornflower blue. I can only imagine if I let them be down for a day (or more) “just to see” if the problem resolved on its own. Much as I would love to take this path of least resistance… I’ve got 5 sites I’ve moved to CF without incident, 4 that failed. 1 of those has since been moved successfully. All hosted at the same place. All with valid SSL. All running the same WP version.

EDIT. I just did the ElGallito.com move from [hosting co] to Cloudflare NS. It’s down now. Fingers crossed it is up in the morning.

12 hours ago I moved https://radiolobo.com back to Cloudflare NS. It’s been down the entire time. 60 hrs in and still no resolution of the original problem.

That’s certainly frustrating. I see it’s proxied…and not working. Did you try Step 2: From the SSL/TLS page → Edge Certificates, scroll to bottom and Disable Universal SSL. Then wait 15 minutes, then re-enable it.

If that doesn’t work, and you don’t mind a $10 experiment (though you shouldn’t have to spend $10 to fix this problem), try ordering an Advanced Certificate at the top of that page. See if that can get you a certificate that works. And while that’s active, try cycling through Disable/Enable Universal SSL again. Yes, that’s a pain, but it may provide some clues as to what the problem is.


I did not. I’m on the @cloonan train now. :star_struck: It’s 10 AM now and the site came up on its own. The only thing I did was unclicking enabling TLS 1.3. Not sure if that did anything, it certainly did not immediately or within an hour of doing so. I’m going to guess it’s just going to go this way. Onto Q921radio.com. Let’s see what happens? Up right now on [hosting co]'s Name Servers. Let’s see how Cloudflare does…
EDIT:

Update Update

https://q921radio.com/ is back up. So, less than 2.5 hrs down on this one.
