SSL 525 Handshake after enabling DNSSEC

Referring to this article: Fix VERSION_OR_CIPHER_MISMATCH · Cloudflare SSL/TLS docs

Should I deactivate the edge certificate in Cloudflare since we do not proxy the A records?

Your site is no longer proxied by Cloudflare, so the settings in Cloudflare do not matter.

If your devices still try to connect to Cloudflare, all you can do is wait until cache expires.

After 2 hours, only 2 people were able to access it: 1 on Chrome and 1 on Safari mobile. This does not look like it will be solved automatically.

What should I do about the error above?

It seems that you have a 2nd DNS record (AAAA) with a wrong server IP that you had not told me about earlier:
2a02:2350:5:102:80cb:fd0a:ded8:a9ff

You need to delete that record.

According to one.com support, they are theirs. I see via SSL Checker that they are indeed not being resolved.
Please check the entire DNS setup in my screenshot below before confirming I should delete all 3?

They also suggested adding a CNAME record:
Hostname: www Value: [aestheticwolf.com.www.service.one.com]
But that produces an error because we have an A record with value www.

Yes, delete all 3.

If your server should be available under that IP, that’s something the one.com support needs to fix. Right now, your website isn’t available on that IP address, neither via HTTP nor HTTPS.

curl -svo /dev/null http://aestheticwolf.com
*   Trying 2a02:2350:5:102:80cb:fd0a:ded8:a9ff:80...
* Connected to aestheticwolf.com (2a02:2350:5:102:80cb:fd0a:ded8:a9ff) port 80 (#0)
> GET / HTTP/1.1
> Host: aestheticwolf.com
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Date: Wed, 13 Mar 2024 18:23:37 GMT
< Server: Apache
< Content-Length: 196
< Content-Type: text/html; charset=iso-8859-1
< X-Varnish: 10867814017
< Age: 0
< Via: 1.1 webcache2 (Varnish/trunk)
< Connection: keep-alive
<
{ [196 bytes data]
* Connection #0 to host aestheticwolf.com left intact

You can see that it’s not just a missing certificate but simply a 404 error if I request your site from that IP.
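As an added example (this is not code from the thread, from Cloudflare or from one.com), the script below does the two checks this post is about. It forces curl to one origin address with --resolve, so the request carries the real Host header and SNI but the connection goes to the address you name, which is what the Cloudflare edge does to the origin; a TLS handshake that fails here is what the edge reports as a 525 once the record is proxied. It also flags a CNAME that shares its name with other records, which is the reason a www CNAME is rejected while a www A record still exists. The sample zone, the hostname arguments and the 203.0.113.x / 2001:db8:: addresses are constructed for illustration; the network probes need curl 7.57 or newer for bracketed IPv6 addresses in --resolve, and should be pointed at the origin address, not at the Cloudflare anycast address you get while the record is proxied.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from Cloudflare/one.com.
#
#   validate_records  flags a CNAME that shares its name with other records
#                     (RFC 1034 requires a CNAME to be the only record at a
#                     name), which is why "www CNAME ..." is rejected while
#                     a "www A ..." record still exists.
#   probe_origin      connects to one origin address directly, bypassing
#                     Cloudflare, and reports whether the TLS handshake
#                     completes. Run it against the ORIGIN address: a failed
#                     handshake here is what the edge shows as error 525.
set -u

# Constructed sample zone (illustration only; these are not real records).
SAMPLE_RECORDS='www A 203.0.113.10
www CNAME aestheticwolf.com.www.service.one.com.
@ A 203.0.113.10
@ AAAA 2001:db8::10'

# stdin: "<name> <type> <value>" lines.
# stdout: one CONFLICT line per name that has a CNAME plus anything else.
validate_records() {
  awk '{ types[$1] = types[$1] " " $2 }
       END {
         for (n in types)
           if (types[n] ~ / CNAME/ && split(types[n], t, " ") > 1)
             printf "CONFLICT %s has%s\n", n, types[n]
       }' | sort
}

# probe_origin <hostname> <ip>: --resolve pins the connection to <ip> while
# Host header and SNI stay the real hostname, exactly like the edge does.
probe_origin() {
  local host=$1 ip=$2 addr http_out https_code rc verdict
  case $ip in *:*) addr="[$ip]" ;; *) addr=$ip ;; esac   # needs curl >= 7.57

  # Plain HTTP: status plus the Location target if it is a redirect.
  http_out=$(curl -s -o /dev/null -w '%{http_code} %{redirect_url}' \
               --max-time 10 --resolve "$host:80:$addr" "http://$host/") \
    || http_out="000"

  # HTTPS: curl's exit code tells the handshake story better than the status.
  https_code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
                 --resolve "$host:443:$addr" "https://$host/")
  rc=$?
  case $rc in
    0)     verdict="TLS OK, HTTP $https_code" ;;
    35)    verdict="TLS HANDSHAKE FAILED (a 525 once proxied)" ;;
    51|60) verdict="TLS connected, certificate not trusted or not for $host" ;;
    7)     verdict="connection refused on :443" ;;
    28)    verdict="timed out" ;;
    *)     verdict="curl exit code $rc" ;;
  esac
  printf '%-42s http:%s  https:%s\n' "$ip" "$http_out" "$verdict"
}

# main <hostname> [origin-ip ...]: show the zone's A/AAAA/CNAME answers, then
# probe every address given (or resolved, if the record is still DNS-only).
main() {
  local host=$1 t ip ips
  shift
  echo "== DNS answers for $host"
  for t in A AAAA CNAME; do dig +noall +answer "$host" "$t"; done

  ips="$*"
  if [ -z "$ips" ]; then
    ips=$( { dig +short "$host" A; dig +short "$host" AAAA; } \
             | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9a-fA-F:]*:[0-9a-fA-F:.]*$')
  fi
  echo "== direct probes (should hit the origin, not Cloudflare)"
  for ip in $ips; do probe_origin "$host" "$ip"; done

  echo "== CNAME/A conflict check on the constructed sample zone"
  printf '%s\n' "$SAMPLE_RECORDS" | validate_records
}

# Only run when given a hostname, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Usage: `./check_origin.sh aestheticwolf.com 2a02:2350:5:102:80cb:fd0a:ded8:a9ff` probes the address the helper tested above; run with the hostname alone while the record is grey-clouded to probe whatever it currently resolves to. A line reading `TLS HANDSHAKE FAILED` against the origin is the thing to take to the hoster, because Cloudflare cannot fix it from its side; `certificate not trusted or not for <host>` is what Full (strict) mode would reject.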

Hi,

The site immediately resolved after adding the CNAME they suggested and deleting the www A records. I then also deleted the 2 remaining AAAA records as you suggested.

You can check our site if you wish.

What a mess One is making. I understand we must go back to the proxied setup, but I will keep the settings as-is for now. I will test the proxy setup over the weekend.

Thank you so much for the help and support.


We’re noticing a new error now when clicking through pages on the frontend and backend, and also on button submits etc.

The web page at might be temporarily down or it may have moved permanently to a new web address.

ERR_HTTP2_PROTOCOL_ERROR

Hi! Here I am again.

Ultimately I decided to change the DNS settings back to proxy since I saw multiple things going wrong (links, images, performance, …), and this seems to work at a very first glance …

I also re-added the IPv6 AAAA records because they are now being resolved. Can you check the DNS settings for us once more?

Do you know why we get a 301 Moved Permanently on http://aes… but 200 on https://www.aes…/?

Thank you.

We also started to encounter the SSL handshake fail problem and this is not a coincidence.


Hi Loic,

I have the same error as you, and I’m also a client at one.com. My error started before I enabled DNSSEC.


Hi,

Were you able to solve it by adding the 2 CNAME records?
I think it’s a general new issue, but of course ONE will not admit that.

Good luck.

Hi, thanks for the reply.
One.com solved my problem by renewing my SSL certificate on their end.

Kind regards,

Paul Bartelings
