SSL 525 Handshake after enabling DNSSEC

Hi all,

Since enabling DNSSEC this morning our domain has been unresponsive for over 4 hours. We’ve been getting a 525 SSL handshake error, and only when changing the SSL setting from Full to Flexible does the domain become accessible. Even then, this comes with an unsafe warning and “TOO MANY REDIRECTS” after multiple clicks.

We are usually able to get out of any issue but this one is tough.

Thank you

What is your domain?

An SSL Handshake error indicates that the certificate on your server is not valid. It could just be a coincidence that it expired today when you enabled DNSSEC.

Please also pause Cloudflare so we can see where the problem lies:
https://developers.cloudflare.com/fundamentals/setup/manage-domains/pause-cloudflare/

You should not use either of these, but only Full (strict).


Hi,

www.aestheticwolf.com is the domain.

One.com suggested using Flexible for the time being, but that seems to put us in a redirect loop and more trouble, so I’ve put the setting back on Full. I have to say this was always the setting, not Full (strict), and it has worked for over 6 months up until today.

I do believe that enabling DNSSEC was a coincidence as everything seems fine in that regard, also checked here: DNSSEC Debugger - www.aestheticwolf.com
Perhaps you can estimate if this can be related or not at all.

How can I check this server certificate, if I can at all? Spent 3 hours in chat with One.com and they mentioned we are not the only domain being impacted today by the SSL handshake error.

In the meantime our online store is seeing the most downtime in 4 years, as we have now been unreachable for over 6 hours. Trying to find a temporary solution as well.

Kr,
Loic

To check whether the certificate on your website is working, you’d need to connect to the server directly.
Either by pausing Cloudflare or by using the IP.

If you pause Cloudflare or share the IP here, I can have a look.

Full works, but is insecure. Full (strict) is the only secure option.
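As an added example that is not part of the thread: a small bash helper that performs the direct-to-origin probe described above with `curl --connect-to` (the Host header and TLS SNI stay the real hostname while the TCP connection is forced to the origin IP, so Cloudflare and DNS are bypassed) and translates curl's exit status into which Cloudflare SSL mode the origin can currently support. The hostname and IP in the usage line are placeholders; the exit-code meanings are the ones documented in `man curl`, and the 525/526 mapping follows Cloudflare's published error codes.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Probe the origin directly (bypassing
# Cloudflare) and map the result onto Cloudflare's SSL modes:
#   Flexible      -> Cloudflare talks plain HTTP to the origin (insecure)
#   Full          -> HTTPS to the origin, certificate NOT validated
#   Full (strict) -> HTTPS to the origin, certificate must be valid and
#                    issued by a public CA or by Cloudflare Origin CA

# Translate a curl exit status (see EXIT CODES in `man curl`) into what it
# means for the origin. Output format: "<token>: <explanation>".
classify_curl_exit() {
    case "$1" in
        0)  echo "ok: certificate valid and trusted by this machine; Full (strict) will work" ;;
        35) echo "handshake-failure: origin aborted the TLS handshake (no usable certificate for this SNI); Full and Full (strict) both fail and Cloudflare returns 525" ;;
        51|60) echo "untrusted-cert: a certificate was served but is not trusted locally (self-signed, expired or wrong name); Full works, Full (strict) returns 526 unless it is a Cloudflare Origin CA certificate, which curl does not trust but Cloudflare does" ;;
        7)  echo "connection-refused: nothing listening on the origin's port 443; only Flexible (plain HTTP to port 80) could work, and only if the origin listens there" ;;
        28) echo "timeout: origin unreachable on port 443 (firewall or wrong IP?)" ;;
        *)  echo "unknown: curl exit status $1, see EXIT CODES in 'man curl'" ;;
    esac
}

# probe_origin HOST IP: connect to IP:443 while keeping HOST as the Host
# header and TLS SNI, exactly like `curl --connect-to HOST:443:IP:443`.
probe_origin() {
    local host="$1" ip="$2" rc
    if curl -s -o /dev/null --max-time 10 \
            --connect-to "${host}:443:${ip}:443" \
            "https://${host}/" 2>/dev/null; then
        rc=0
    else
        rc=$?
    fi
    classify_curl_exit "$rc"
}

# Usage (placeholder values; replace with your hostname and origin IP):
#   probe_origin www.example.com 203.0.113.10
```

Run it against the origin IP rather than the Cloudflare-proxied name: an online SSL checker only ever sees Cloudflare's edge certificate, so a green result there says nothing about the certificate the origin actually presents to Cloudflare.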

Hi Laudian,

Server IP is 77.111.241.89.

We will change to Full (strict) but the focus now is to get our site accessible again. It’s now on Full.

I also just did a curl to www.aestheticwolf.com and it shows:

> GET / HTTP/1.1
> Host: www.aestheticwolf.com
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently

The server does currently not have a certificate:

 curl -svo /dev/null https://aestheticwolf.com --connect-to ::77.111.241.89
* Connecting to hostname: 77.111.241.89
*   Trying 77.111.241.89:443...
* Connected to (nil) (77.111.241.89) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS header, Unknown (21):
{ [5 bytes data]
* TLSv1.3 (IN), TLS alert, handshake failure (552):
{ [2 bytes data]
* error:0A000410:SSL routines::sslv3 alert handshake failure
* Closing connection 0
openssl s_client -showcerts -servername aestheticwolf.com -connect 77.111.241.89:443 </dev/null
CONNECTED(00000003)
40075FB2A27F0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1584:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 319 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

Can you try installing one following this guide?

Hi,

I can definitely do this, but first I want to double-check whether this is the correct route. I do see an origin certificate listed, so I’m unsure whether this is necessary.

Also validated here: https://acme-check.com/?domain=aestheticwolf.com

Should I revoke it and create a new one?

I wouldn’t revoke the old certificate unless you know for sure that it is not used.

The validation you do online does not see your server, but only Cloudflare’s edge certificate. The test doesn’t know your server’s actual IP.

Hi Laudian,

Our issue is looking very, very similar to this one: Expired SSL cert, one.com webhost - #3 by Mortyfar

One.com did actually suggest editing the CNAME for the _acme-challenge similar to the note above. It’s now propagating I think. I set it to DNS only in Cloudflare DNS.

Do you suggest waiting this out or doing further actions?

I wouldn’t recommend going that way - Cloudflare also uses the _acme-challenge name for their Edge certificate, and that CNAME record might be causing problems for you later on.

Does one.com not allow you to install a certificate like the Origin Certificate?

Their support is absolutely terrible. 14th in line for another chat window…

I’m not sure how their hosting works - do you have direct access to the apache config for your website?

If yes, then you should be able to manually set the certificate in your config file in the Virtualhost:

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile "/path/to/www.example.com.cert"
    SSLCertificateKeyFile "/path/to/www.example.com.key"
</VirtualHost>

I only have access to the file manager for my WP installation and to DNS settings. I can add a TLSA record though.

What you’re suggesting is very unknown for me.

If they have no option to upload your own certificate, you’ll have to use their method with the CNAME record.

I don’t know what happens when Cloudflare tries to use the _acme-challenge record themselves though. I guess you’ll just have to see.

It really looks like a DNSSEC problem; we turned DNSSEC on this morning without knowing the impact.
Turning it off now does not seem to undo any damage done.

Any experience?

I still think that’s a coincidence.

But the website seems to be up and running now, with a freshly created certificate.

Yes, I think so too. I’ve finally gotten someone from One.com who stood by me. He confirmed that he recreated the certificate (and also confirmed this: “No, we don’t actually upload certificates on our servers; instead, these are generated automatically.”), had me add the CNAME record, and also made me change the DNS settings for the A records to DNS only instead of proxied.

Can you show where you see this certificate being fresh?

Adding on to this, I am not able to access yet from 1 of 2 laptops, probably due to the propagation taking place.

Hi,

We’re still unable to access, only from 1 source.

Can you show us what you see?

We are completely unable to access from different devices apart from 1. We keep seeing the SSL error so should I just wait or take further action?

www… uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Another indication is our shipping plugin being able to reach our Woocommerce but giving SSL error.