SSL causing website to not load at all

Hi all,

I have a website running on Cloudflare using full SSL with a dedicated SSL (not one I’ve uploaded.) HTTPS is currently not being forced (although it was, and we are seeing no difference when that setting is changed), and HSTS is not enabled. Our minimum TLS setting is 1.0, and we do have TLS 1.3 enabled. I have universal SSL disabled as well.

We are seeing an issue from our iOS users on chrome and safari (so it does not appear to be browser related) where the website cannot be reached. Safari users see the browser “working” for a few seconds, then absolutely nothing happens. Chrome users do end up seeing a “site cannot be reached” error message. This issue is only happening when the website is being viewed over https. http works perfectly fine.

I should note the issue does not occur on any desktops, including macs. It does not happen on android phones in any browser. The issue is only recreatable on iOS (iphones) over an ssl connection.

We currently have the website bypassing Cloudflare (and using our origin ssl, I have confirmed), and the site is loading with no issues. I have a subdomain test.* going through Cloudflare still, and none of the users on iOS can load that.

Has anyone seen this issue?

I should note: we had another domain that seemed to have this issue, but it was remedied by removing the AAAA records. That has not fixed the issue for this website.

Thanks in advance.

Apple only or any?

Does it still occur when you disable TLS 1.3?

ANY, at all. We have desktop windows users running chrome and firefox, no issues. Apple imac users running Safari with no issues, android users with no issues, only iphone users.

I am disabling 1.3 now to test.

Can you post the URL? is going through our server with our origin SSL. is going through Cloudflare with the dedicated SSL.

I have disabled 1.3 and getting one of our users to test on iphone.

Our iphone user is still seeing issues with On chrome she gets the error “ERR_FAILED”. I have confirmed using the Qualys SSL test that 1.3 is disabled.

Yep, both sites are viewable on desktops. But https://test.* is not viewable on an iOS phone.

Sorry, I misread your original posting and had to read that bit again. I thought it wouldnt show on desktops either. My mistake.

So only iOS is the issue. Desktops and Android work. Could you post a screenshot of the failed request on iOS?

This is the screenshot from her phone. She is going to https://, I did confirm with her.

I guess wont work either, right?

Does plain HTTP work?

She was surprisingly able to visit that, and actually got a response.

I noted that the ip came up as ipv6, but on my phone I can access it and I also show an ipv6 address.

So it should not be a general connectivity issue. Also, TLS is on 1.2 and not 1.3.

As you mentioned IPv6, you mentioned originally there were some IPv6 issue and you had these records removed. However that connection was via IPv6 and such records also show up for your host. I wouldnt expect it to be the issue, but if you said it fixed it before you might want to try again.

Okay so… and have no AAAA records, and are the ones we have no issues with. has an AAAA record. How?! There are absolutely no AAAA records in my CF account, only A:

;; A Records (IPv4 addresses) 1 IN A 1 IN A 1 IN A

The only other records are MX, TXT, and CNAME.

The AAAA records are automatically assigned (along the standard A records) when you proxy through Cloudflare. Proxied sites are reachable via IPv6 even when the origin does not support IPv6.

You’d need to disable IPv6 on Cloudflare’s side to remove these. Though that requires a call via the API as Cloudflare does not offer the ability to disable it via the UI.

1 Like

Okay, cool. That’s done, and I verified the response from the API:


Still seeing the issue, but I am thinking the user might need time for the TTL to die on that record, so I will leave it for a bit. Thank you for all your help, and I’ll update if it works or not.

Though the entire issue seems a bit weird. The original error message would leave the impression Cloudflare cant be reached at all, otherwise there should be at least a Cloudflare error. However the trace page does show the request goes through.

Unless iOS’ Safari (and yes, Chrome is just a Safari shell on iOS) does some error hiding (like IE used to do for some errors).

What about that?

Plain http works as intended everywhere. Site loading perfectly. My co-worker is on lunch, but I am going to have her test the https://test.* again once she’s back.

Hi @paul33, question and a suggestion.

Question - do the issues with iOS device happen only on the mobile network or on wifi as well? If only mobile, only Rogers or other operators, too?
Suggestion - As you trouble shoot this with your colleague, on the Network tab, turn off HTTP/2?

If /cdn-cgi/ hadnt worked, I would have pointed towards TLS. But with it working :confused:

I turned off HTTP2, and it is working on both wifi and Rogers now. Does this mean we cannot use http2, because iOS/Safari is having issues with it?

EDITED because I can no longer reply? I’ve reached my limit…


try this set TLS minimum to TLS v1.2 and re-enable HTTP/2

Done, back to not being able to reload page.

Removed h2c from protocols on origin apache server. Do I need to refresh cache?