SSL behaving quite strangely

Hello, I have a fairly interesting problem that I think no one has ever had.
I am struggling with SSL on my Apache website.

<VirtualHost *:80>

    ServerAdmin [email protected]
    ServerName socials.sk
    ServerAlias www.socials.sk
    DocumentRoot /var/www/socials.sk
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =socials.sk [OR]
    RewriteCond %{SERVER_NAME} =www.socials.sk
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

</VirtualHost>

<VirtualHost *:443>

    ServerAdmin [email protected]
    ServerName socials.sk
    ServerAlias www.socials.sk
    DocumentRoot /var/www/socials.sk
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLCertificateFile /etc/cloudflare/socials.sk.pem
    SSLCertificateKeyFile /etc/cloudflare/socials.sk.key

</VirtualHost>

Although it still says ERR_SSL_VERSION_OR_CIPHER_MISMATCH.

The SSL is set to Full, the certificate is issued correctly, and the orange cloud is turned on (proxied). I am really desperate now…

There indeed is something wrong with your SSL setup:

$ openssl s_client -connect socials.sk:443
CONNECTED(00000003)
140493201290432:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1544:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 302 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Would you mind setting your SSL mode at Cloudflare to “None”, waiting 5 min and then turning it to “Full (Strict)”?
Please tell us when you’re done.

Also, I don’t think your Apache is responsible for this, but something went wrong at Cloudflare or your configuration there. Cloudflare seems not to have any SSL cert for your domain.
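As an added example (not part of the thread, and not the poster's or Cloudflare's code): a small POSIX shell script that classifies an openssl s_client transcript like the one above and probes each TLS version separately, so a handshake failure at the Cloudflare edge can be told apart from a problem at the origin web server. The function names, the probe.sh file name and the 203.0.113.10 origin address are assumptions made here; it assumes the openssl CLI (1.1.1 or later for -tls1_3). The transcript embedded in the script is constructed from the failure output above so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread: classify an `openssl s_client` transcript
# and probe a host one TLS version at a time, so a handshake failure at the
# Cloudflare edge can be told apart from a problem at the origin web server.
# Host names, ports and the origin IP are parameters you supply; the IP in the
# usage comment is a documentation placeholder, not a real address.

# classify_sclient: read an s_client transcript on stdin and print one word:
#   handshake-failure  the peer sent a TLS alert (alert 40 in the thread's output)
#   no-certificate     connection closed before any certificate was presented
#   tls-ok             a session was negotiated
# Gotcha visible in the thread's transcript: "Verification: OK" and
# "Verify return code: 0 (ok)" are printed even though nothing was verified,
# because no certificate was ever received. Do not key success off those lines.
classify_sclient() {
  transcript=$(cat)
  if printf '%s\n' "$transcript" | grep -q 'alert handshake failure'; then
    echo handshake-failure
  elif printf '%s\n' "$transcript" | grep -q 'no peer certificate available'; then
    echo no-certificate
  elif printf '%s\n' "$transcript" | grep -q 'Cipher is (NONE)'; then
    echo no-certificate
  else
    echo tls-ok
  fi
}

# probe_host HOST PORT SNI: run s_client once and print the classification.
# stdin is closed with printf '' so s_client exits right after the handshake.
probe_host() {
  printf '' | openssl s_client -connect "$1:$2" -servername "$3" 2>&1 | classify_sclient
}

# probe_tls_versions HOST [PORT] [SNI]: try each protocol version on its own
# (-tls1 ... -tls1_3). With Universal SSL disabled and no edge certificate,
# every version fails at the edge, matching the "all protocols disabled"
# report later in the thread.
probe_tls_versions() {
  host=$1; port=${2:-443}; sni=${3:-$1}
  for ver in tls1 tls1_1 tls1_2 tls1_3; do
    result=$(printf '' | openssl s_client -connect "$host:$port" \
               -servername "$sni" "-$ver" 2>&1 | classify_sclient)
    printf '%-8s %s\n' "$ver" "$result"
  done
}

# compare_edge_origin HOST ORIGIN_IP: the two legs the thread distinguishes.
# The first connects via the proxied name (the Cloudflare edge); the second
# connects straight to the origin IP while still sending HOST as SNI, which
# exercises the Apache vhost's own certificate instead of the edge's.
compare_edge_origin() {
  printf 'edge   (%s): %s\n' "$1" "$(probe_host "$1" 443 "$1")"
  printf 'origin (%s): %s\n' "$2" "$(probe_host "$2" 443 "$1")"
}

# Constructed transcript, trimmed from the failure output posted in the thread,
# so the classifier can be exercised without network access.
SAMPLE_TRANSCRIPT='CONNECTED(00000003)
140493201290432:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1544:SSL alert number 40
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)'

# classify_sample: classify the constructed transcript (expected: handshake-failure).
classify_sample() {
  printf '%s\n' "$SAMPLE_TRANSCRIPT" | classify_sclient
}

# Usage (probe.sh is an assumed file name):
#   sh probe.sh socials.sk                 per-version probe of the edge
#   sh probe.sk socials.sk 203.0.113.10    edge vs origin comparison (placeholder IP)
if [ $# -ge 2 ]; then
  compare_edge_origin "$1" "$2"
elif [ $# -eq 1 ]; then
  probe_tls_versions "$1"
fi
```

Reading the classification rather than the verify return code is the point: in the transcript above, `Verify return code: 0 (ok)` appears although the edge sent alert 40 and presented no certificate, which is exactly the state the "all protocols disabled" report later in the thread describes. If the origin leg reports tls-ok while the edge leg reports handshake-failure, the Apache vhost is fine and the problem sits in the zone's edge certificate settings.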


Like, it’s here, but still nothing.
I only know that Let’s Encrypt did work when it was on that domain, but Cloudflare’s did not.
Also, I issued the certificate only today, about 2 hours ago…

Please do what was requested. The origin SSL cert does not have anything to do with this request:

The SSL Mode you can change here: https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls

  1. Set it to “Off (not secure)”
  2. Wait 5 min (the website will not work during these 5 min)
  3. Set it to “Full (Strict)”
  4. Report back

I’ve done it already…

Hm, then this is probably gonna be a ticket.

I just see this on my end:

SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   disabled
TLSv1.3   disabled

All SSL/TLS Protocols are disabled.

Please write an email to support [at] cloudflare [dot] com and once you get a #ticketID, share it with us.

#2450135

Done it, hopefully it will help.

Might you quickly send me a screenshot of this section in your dashboard?

Thanks, I have escalated this internally, please wait until support reaches out to you.

An MVP friend, @eva2000, suggested checking whether you have disabled “Universal SSL” under this section (at the bottom): https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates

Could you please check this and send a screenshot of this section?

EDIT:

Seems like he was right :slight_smile:


I did, because it was still preferring Let’s Encrypt.

But then you can’t proxy the DNS and not provide any other SSL cert at Cloudflare. If you force Cloudflare to disable its Universal SSL and set it to SSL, it will disable it. Please do not change this setting unless you are unproxied :grey:


When I enable the setting, this shows up:

Something went wrong there. Wait until it has validated.

Also, please install a valid SSL cert at your origin or an origin SSL cert from Cloudflare and set your SSL mode to “Full (Strict)”. Thanks.


If by origin you mean that web server, I’ve already done it. The Let’s Encrypt thing in the picture was there before I issued a new Cloudflare cert.

BTW, thanks for helping :slight_smile:


Perfect, then the switch to “Full (Strict)” should work flawlessly:

The encrypted version of your site still does not work, BTW, but the unencrypted version does. I don’t know what other settings you changed, but just turn all the good stuff with SSL on and wait until Let’s Encrypt has validated; then it should work again.

Thanks to @eva2000 - honor where honor is due :slight_smile:


Possibly it could have something to do with server-side things, although that is a problem for later… :smiley:

No, your server in the first place does not have anything to do with the connection to Cloudflare. After the connection to Cloudflare is established, then the connection from Cloudflare to your server comes into play.

EDIT:

The encrypted version now works as well.

Yes!
Thanks for your help, and for the help of your friend, I am really glad it now works :slight_smile:


And don’t forget to switch to “Full (Strict)” or @sandro will come for you :smiley:

Have a good day!
