I have a website running on Cloudflare using full SSL with a dedicated SSL (not one I’ve uploaded). HTTPS is currently not being forced (although it was, and we are seeing no difference when that setting is changed), and HSTS is not enabled. Our minimum TLS setting is 1.0, and we do have TLS 1.3 enabled. I have universal SSL disabled as well.
We are seeing an issue from our iOS users on Chrome and Safari (so it does not appear to be browser related) where the website cannot be reached. Safari users see the browser “working” for a few seconds, then absolutely nothing happens. Chrome users do end up seeing a “site cannot be reached” error message. This issue is only happening when the website is being viewed over HTTPS. HTTP works perfectly fine.
I should note the issue does not occur on any desktops, including Macs. It does not happen on Android phones in any browser. The issue is only recreatable on iOS (iPhones) over an SSL connection.
We currently have the website bypassing Cloudflare (and using our origin ssl, I have confirmed), and the site is loading with no issues. I have a subdomain test.* going through Cloudflare still, and none of the users on iOS can load that.
Has anyone seen this issue?
I should note: we had another domain that seemed to have this issue, but it was remedied by removing the AAAA records. That has not fixed the issue for this website.
ANY, at all. We have desktop Windows users running Chrome and Firefox, no issues. Apple iMac users running Safari with no issues, Android users with no issues, only iPhone users.
Our iPhone user is still seeing issues with https://test.skylon.com. On Chrome she gets the error “ERR_FAILED”. I have confirmed using the Qualys SSL test that 1.3 is disabled.
So it should not be a general connectivity issue. Also, TLS is on 1.2 and not 1.3.
As you mentioned IPv6, you mentioned originally there was an IPv6 issue and you had these records removed. However that connection was via IPv6 and such records also show up for your host. I wouldn’t expect it to be the issue, but if you said it fixed it before you might want to try again.
The AAAA records are automatically assigned (along the standard A records) when you proxy through Cloudflare. Proxied sites are reachable via IPv6 even when the origin does not support IPv6.
You’d need to disable IPv6 on Cloudflare’s side to remove these. Though that requires a call via the API as Cloudflare does not offer the ability to disable it via the UI.
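To make that API step concrete, here is an added example (not code from this thread, and not Cloudflare’s own tooling) that reads or changes a zone’s IPv6 setting through the v4 API’s zone-settings endpoint, `/zones/{zone_id}/settings/ipv6`, which accepts the values `on` and `off`. The zone id and API token are read from placeholder environment variables, and the token is assumed to carry zone-settings edit permission.

```python
"""Read or change the IPv6 setting of a Cloudflare zone through the v4 API.

Added example, not from the thread. The zone id and token come from
placeholder environment variables (CF_ZONE_ID, CF_API_TOKEN).
"""
import json
import os
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"


def ipv6_setting_request(zone_id, token, value=None):
    """Build the request object without sending it.

    value=None  -> GET  the current setting
    value="on"/"off" -> PATCH the setting with {"value": ...}
    """
    if value not in (None, "on", "off"):
        raise ValueError("value must be None, 'on' or 'off'")
    url = f"{API_BASE}/zones/{zone_id}/settings/ipv6"
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    }
    if value is None:
        return urllib.request.Request(url, headers=headers, method="GET")
    body = json.dumps({"value": value}).encode("utf-8")
    return urllib.request.Request(url, data=body, headers=headers, method="PATCH")


def send(req):
    """Send the request and return the API 'result' object, or raise on failure."""
    with urllib.request.urlopen(req, timeout=15) as resp:
        payload = json.load(resp)
    if not payload.get("success"):
        raise RuntimeError(f"Cloudflare API error: {payload.get('errors')}")
    return payload["result"]


if __name__ == "__main__":
    zone = os.environ["CF_ZONE_ID"]        # placeholder: your zone id
    token = os.environ["CF_API_TOKEN"]     # placeholder: your API token
    # Show the current value, then turn IPv6 off so the AAAA records disappear.
    print("before:", send(ipv6_setting_request(zone, token))["value"])
    print("after: ", send(ipv6_setting_request(zone, token, "off"))["value"])
```

Turning the setting back on is the same PATCH with `"on"`; keep the GET around so you can confirm the zone is in the state you expect before telling the affected user to retest.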
Still seeing the issue, but I am thinking the user might need time for the TTL to die on that record, so I will leave it for a bit. Thank you for all your help, and I’ll update if it works or not.
Though the entire issue seems a bit weird. The original error message would leave the impression Cloudflare can’t be reached at all, otherwise there should be at least a Cloudflare error. However the trace page does show the request goes through.
Unless iOS’ Safari (and yes, Chrome is just a Safari shell on iOS) does some error hiding (like IE used to do for some errors).
Plain http works as intended everywhere. Site loading perfectly. My co-worker is on lunch, but I am going to have her test the https://test.* again once she’s back.
Question - do the issues with iOS devices happen only on the mobile network or on wifi as well? If only mobile, only Rogers or other operators, too?
Suggestion - As you troubleshoot this with your colleague, on the Network tab, turn off HTTP/2?
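The thread circles three hypotheses: the IPv6 path, the TLS version, and HTTP/2. The following added example (my own script, not anything posted in the thread) probes a hostname over every address it resolves to, with TLS capped at 1.2 and at 1.3, and with ALPN offering only `http/1.1` or only `h2`, then reports which single dimension the failures line up with. The host name is a placeholder; run it from the network where the iPhones fail and from one where desktops succeed, and compare the two summaries.

```python
"""Probe a host across IPv4/IPv6, TLS 1.2/1.3 and ALPN h2/http1.1, then
classify the failure pattern.

Added diagnostic example, not from the thread. TARGET_HOST is a placeholder.
"""
import socket
import ssl
from dataclasses import dataclass

TARGET_HOST = "test.example.invalid"   # placeholder: replace with the affected hostname
PORT = 443
TIMEOUT = 5.0

# (attribute, suspect value, label) pairs checked in order; an earlier, broader
# match (all of IPv6 down) wins over a narrower one.
SUSPECTS = [
    ("family", "IPv6", "IPv6 path"),
    ("tls_max", "TLSv1.3", "TLS 1.3"),
    ("alpn", "h2", "HTTP/2 (ALPN h2)"),
]


@dataclass
class ProbeResult:
    family: str      # "IPv4" or "IPv6"
    address: str
    tls_max: str     # "TLSv1.2" or "TLSv1.3" (highest version offered)
    alpn: str        # the single ALPN protocol offered
    ok: bool
    detail: str      # negotiated version/cipher/ALPN, or the error text


def probe_one(host, address, af, family, tls_max, alpn):
    """Open one TCP+TLS connection to a specific address with the given limits."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion[tls_max.replace(".", "_")]  # "TLSv1.3" -> TLSv1_3
    ctx.set_alpn_protocols([alpn])
    try:
        with socket.socket(af, socket.SOCK_STREAM) as raw:
            raw.settimeout(TIMEOUT)
            raw.connect((address, PORT))
            # wrap_socket on a connected socket performs the handshake immediately.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                detail = f"{tls.version()} {tls.cipher()[0]} alpn={tls.selected_alpn_protocol()}"
                return ProbeResult(family, address, tls_max, alpn, True, detail)
    except OSError as exc:  # covers socket.timeout, ConnectionError and ssl.SSLError
        return ProbeResult(family, address, tls_max, alpn, False, f"{type(exc).__name__}: {exc}")


def probe_all(host=TARGET_HOST):
    """Resolve the host and run every family x TLS-cap x ALPN combination."""
    results, seen = [], set()
    for af, _, _, _, sockaddr in socket.getaddrinfo(host, PORT, type=socket.SOCK_STREAM):
        address = sockaddr[0]
        if address in seen:
            continue
        seen.add(address)
        family = "IPv6" if af == socket.AF_INET6 else "IPv4"
        for tls_max in ("TLSv1.2", "TLSv1.3"):
            for alpn in ("http/1.1", "h2"):
                results.append(probe_one(host, address, af, family, tls_max, alpn))
    return results


def classify(results):
    """Summarise which single dimension, if any, explains all the failures."""
    if not results:
        return "no probes run"
    failed = [r for r in results if not r.ok]
    if not failed:
        return "all probes succeeded"
    if len(failed) == len(results):
        return "all probes failed"
    for attr, suspect, label in SUSPECTS:
        in_group = [r for r in results if getattr(r, attr) == suspect]
        out_group = [r for r in results if getattr(r, attr) != suspect]
        if in_group and out_group and all(not r.ok for r in in_group) and all(r.ok for r in out_group):
            return f"failures isolated to {label}"
    return "mixed failures; inspect per-probe detail"


if __name__ == "__main__":
    probes = probe_all()
    for r in probes:
        print(f"{r.family:4} {r.address:40} max={r.tls_max} alpn={r.alpn:8} "
              f"{'OK ' if r.ok else 'FAIL'} {r.detail}")
    print(classify(probes))
```

A summary of "failures isolated to IPv6 path" from the affected network and "all probes succeeded" from a working one points at the AAAA records and the IPv6 toggle discussed above; "failures isolated to HTTP/2 (ALPN h2)" is the case the HTTP/2 suggestion is meant to catch. A clean run from a laptop on the same wifi as the failing phone narrows it to the device rather than the network.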