SSL & Cloudflare

How do I go about using my own SSL cert for my site through Cloudflare? I don’t want to use Cloudflare’s, I want to use my own, but when I set up my own, it says it doesn’t work.

1 Like

You can only upload your own certificate on the Business plan. Are you already on this plan?

Can you screenshot and post this error message?

1 Like

This site can’t provide a secure connection

nodedeck.com uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

I have a purchased SSL cert; it’s set up correctly on my server, but I get this error. Does it have something to do with Cloudflare?

Alright, let’s split the issue here:

If you have a Business plan or higher you can upload your certificate on Cloudflare. At the moment there doesn’t seem to be any certificate on Cloudflare at all (neither your own nor Cloudflare’s Universal Certificate).

If you have a Free or Pro plan you can’t use your own certificate for the public facing portion of the connection, it doesn’t really matter though. Users don’t care about the certificate…


The best configuration is:

  1. have a valid certificate on your server (one of the free ones is the best solution; Cloudflare provides its own origin certificate that they accept)
  2. enable Full (Strict) as SSL mode
  3. enable Always Use HTTPS in the dashboard to prevent non-HTTPS connections
  4. ideally block all other non-Cloudflare IPs (cloudflare.com/ips) from connecting to the server

3 Likes
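As an added example that is not part of the thread (and not Cloudflare’s own tooling), here is a POSIX shell script for step 4 of the list above: it reads Cloudflare’s IPv4 ranges (fetch the live list from https://www.cloudflare.com/ips-v4; the two CIDRs embedded below are RFC 5737 documentation ranges used as a constructed sample) and emits iptables rules that accept ports 80 and 443 only from those ranges and drop everything else on those ports. The generator refuses to print anything if any entry is malformed, so a truncated or corrupted download never leaves the firewall half open. The function names and the decision to scope the rules to the web ports only are this example’s choices.

```shell
#!/bin/sh
# Added example, not from the thread: build iptables rules that accept HTTP/HTTPS
# only from Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# The list must be fetched fresh; the CIDRs at the bottom are a constructed sample.

# Return 0 if $1 is a well-formed IPv4 CIDR (a.b.c.d/n, octets 0-255, n 0-32).
is_ipv4_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    _ip=${1%/*}
    _prefix=${1#*/}
    case $_prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$_prefix" -le 32 ] || return 1
    _oldifs=$IFS
    IFS=.
    set -f                      # no globbing while splitting on dots
    set -- $_ip
    set +f
    IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        case $_octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Read CIDRs from stdin (one per line; blank lines and '#' comments are ignored)
# and print the complete rule set. Any malformed entry aborts with status 1 and
# nothing is printed, so a bad download cannot produce a half-open firewall.
cf_allow_rules() {
    _accepts=""
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line%%#*}
        _line=$(printf '%s' "$_line" | tr -d ' \t\r')
        [ -n "$_line" ] || continue
        if ! is_ipv4_cidr "$_line"; then
            echo "cf_allow_rules: malformed CIDR: $_line" >&2
            return 1
        fi
        _accepts="${_accepts}iptables -A INPUT -p tcp -s $_line -m multiport --dports 80,443 -j ACCEPT
"
    done
    [ -n "$_accepts" ] || { echo "cf_allow_rules: empty range list" >&2; return 1; }
    printf '%s\n' '# keep loopback and already-established flows working'
    printf '%s\n' 'iptables -A INPUT -i lo -j ACCEPT'
    printf '%s\n' 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '# web ports: Cloudflare edge ranges only, everything else dropped'
    printf '%s' "$_accepts"
    printf '%s\n' 'iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP'
}

# Constructed sample input (RFC 5737 documentation ranges, NOT Cloudflare's).
SAMPLE_CIDRS='# sample list
192.0.2.0/24
198.51.100.0/24
'

# Demo on the sample. For real use:
#   curl -s https://www.cloudflare.com/ips-v4 | cf_allow_rules
printf '%s' "$SAMPLE_CIDRS" | cf_allow_rules
```

Pipe the downloaded list into cf_allow_rules and review the output before applying it; the generated rules cover only ports 80 and 443, so management access such as SSH is unaffected. The same approach applies to the IPv6 list with ip6tables, and the range list should be refreshed on a schedule because Cloudflare does update it.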

That’s the solution I was looking for. Thanks.

Let me show you this…

I have an SSL installed on my server but I also have it here:

1- I have the SSL installed on my server
2- I have the SSL installed here on Cloudflare
3- I have Full (Strict) SSL enabled on CF
4- I have Always Use HTTPS enabled.

Ensure your web server is configured with Cloudflare-supported TLS/SSL ciphers, outlined at https://support.cloudflare.com/hc/en-us/articles/203041594-Cloudflare-SSL-cipher-browser-and-protocol-support

1 Like

I tried contacting a contact I had, haven’t yet received a reply. From what I can see it seems something went wrong with the certificate.

Two options:

  1. try disabling Universal SSL and re-enabling it after a few minutes.
  2. open a support ticket. To contact Cloudflare Customer Support, login & go to https://dash.cloudflare.com/?account=support and select get more help. If you receive an automatic response that does not help you, please reply and indicate you need more help.

To me this looks like an error connecting to Cloudflare, not something on the actual server. It doesn’t show the usual error page, but fails to connect at all.

Yeah, could be. @President.Trump, are you using any anti-virus software which does man-in-the-middle HTTPS inspection of the connection between your local computer and HTTPS sites? Could it be that the anti-virus software’s TLS handshake with the HTTPS site isn’t compatible?

It does the same to me, and @domjh.

1 Like

Checking the negotiated ciphers shows a possible issue with the negotiated TLS protocol? With * error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

@President.Trump, try in the Edge Certificates tab setting Minimum TLS Version to TLS 1.0, wait a few minutes, then change it back to TLS 1.2 and see if that updates the TLS protocol negotiated by Cloudflare’s edge servers.

dig +short A nodedeck.com
104.28.27.207
104.28.26.207
172.67.171.110

ciphers=(ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA ECDHE-RSA-AES256-SHA384 AES256-SHA DES-CBC3-SHA ECDHE-RSA-AES256-GCM-SHA384)
domain=nodedeck.com
ip=104.28.26.207

for c in ${ciphers[@]}; do
echo -e "\ntest with $c"
curl --resolve $domain:443:$ip -sIkv https://$domain --cipher "$c" --tls-max 1.2 2>&1 | grep -A33 '* ALPN, offering ' | tee /tmp/curltest-$c.log
echo "saved $c test: /tmp/curltest-$c.log"
done
ls -lAht /tmp/curltest-*
for c in ${ciphers[@]}; do echo -e "\ntest with $c"; curl --resolve $domain:443:$ip -sIkv https://$domain --cipher "$c" --tls-max 1.2 2>&1 | grep -A33 '* ALPN, offering ' | tee /tmp/curltest-$c.log; echo "saved $c test: /tmp/curltest-$c.log"; done

test with ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ECDHE-ECDSA-AES128-GCM-SHA256
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [176 bytes data]
* TLSv1.2 (IN), TLS alert, handshake failure (552):
{ [2 bytes data]
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
saved ECDHE-ECDSA-AES128-GCM-SHA256 test: /tmp/curltest-ECDHE-ECDSA-AES128-GCM-SHA256.log

test with ECDHE-RSA-AES128-GCM-SHA256
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ECDHE-RSA-AES128-GCM-SHA256
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [176 bytes data]
* TLSv1.2 (IN), TLS alert, handshake failure (552):
{ [2 bytes data]
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
saved ECDHE-RSA-AES128-GCM-SHA256 test: /tmp/curltest-ECDHE-RSA-AES128-GCM-SHA256.log

test with ECDHE-RSA-AES128-SHA
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ECDHE-RSA-AES128-SHA
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [176 bytes data]
* TLSv1.2 (IN), TLS alert, handshake failure (552):
{ [2 bytes data]
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
saved ECDHE-RSA-AES128-SHA test: /tmp/curltest-ECDHE-RSA-AES128-SHA.log

test with AES128-GCM-SHA256
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: AES128-GCM-SHA256
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [152 bytes data]
* TLSv1.2 (IN), TLS alert, handshake failure (552):
{ [2 bytes data]
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
saved AES128-GCM-SHA256 test: /tmp/curltest-AES128-GCM-SHA256.log

test with AES128-SHA
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: AES128-SHA
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [152 bytes data]
* TLSv1.2 (IN), TLS alert, handshake failure (552):
{ [2 bytes data]
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
saved AES128-SHA test: /tmp/curltest-AES128-SHA.log

test with ECDHE-RSA-AES256-SHA384
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ECDHE-RSA-AES256-SHA384
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [176 bytes data]
* TLSv1.2 (IN), TLS alert, handshake failure (552):
{ [2 bytes data]
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
saved ECDHE-RSA-AES256-SHA384 test: /tmp/curltest-ECDHE-RSA-AES256-SHA384.log

test with AES256-SHA
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: AES256-SHA
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [152 bytes data]
* TLSv1.2 (IN), TLS alert, handshake failure (552):
{ [2 bytes data]
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
saved AES256-SHA test: /tmp/curltest-AES256-SHA.log

test with DES-CBC3-SHA
* ALPN, offering h2
* ALPN, offering http/1.1
* failed setting cipher list: DES-CBC3-SHA
* Closing connection 0
saved DES-CBC3-SHA test: /tmp/curltest-DES-CBC3-SHA.log

test with ECDHE-RSA-AES256-GCM-SHA384
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ECDHE-RSA-AES256-GCM-SHA384
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [176 bytes data]
* TLSv1.2 (IN), TLS alert, handshake failure (552):
{ [2 bytes data]
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
saved ECDHE-RSA-AES256-GCM-SHA384 test: /tmp/curltest-ECDHE-RSA-AES256-GCM-SHA384.log

ls -lAht /tmp/curltest-*
-rw-r--r-- 1 root root 459 Aug  7 17:23 /tmp/curltest-ECDHE-RSA-AES256-GCM-SHA384.log
-rw-r--r-- 1 root root 112 Aug  7 17:23 /tmp/curltest-DES-CBC3-SHA.log
-rw-r--r-- 1 root root 442 Aug  7 17:23 /tmp/curltest-AES256-SHA.log
-rw-r--r-- 1 root root 455 Aug  7 17:23 /tmp/curltest-ECDHE-RSA-AES256-SHA384.log
-rw-r--r-- 1 root root 442 Aug  7 17:23 /tmp/curltest-AES128-SHA.log
-rw-r--r-- 1 root root 449 Aug  7 17:23 /tmp/curltest-AES128-GCM-SHA256.log
-rw-r--r-- 1 root root 452 Aug  7 17:23 /tmp/curltest-ECDHE-RSA-AES128-SHA.log
-rw-r--r-- 1 root root 459 Aug  7 17:23 /tmp/curltest-ECDHE-RSA-AES128-GCM-SHA256.log
-rw-r--r-- 1 root root 461 Aug  7 17:23 /tmp/curltest-ECDHE-ECDSA-AES128-GCM-SHA256.log
1 Like

Also, an openssl check shows a non-Cloudflare-issued SSL certificate from Sectigo???

domain=nodedeck.com
echo -n | openssl s_client -connect $domain:443 -servername $domain -tls1_2 -state | openssl x509 -text
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
verify return:1
depth=0 C = US, postalCode = 30236, ST = Georgia, L = Jonesboro, street = 8240 tara blvd, O = "NodeDeck, LLC.", CN = nodedeck.com
verify return:1
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client key exchange
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS read server session ticket
SSL_connect:SSLv3/TLS read change cipher spec
SSL_connect:SSLv3/TLS read finished
^C

Ah, looks like you disabled Cloudflare? The resolved DNS IP is no longer Cloudflare’s.

I retested your non-Cloudflare direct IP and only 2 of the Cloudflare-supported SSL ciphers worked with your web server’s configured SSL ciphers.

ls -lAht /tmp/curltest-*
-rw-r--r-- 1 root root 1.4K Aug  7 18:36 /tmp/curltest-ECDHE-RSA-AES256-GCM-SHA384.log
-rw-r--r-- 1 root root  445 Aug  7 18:36 /tmp/curltest-DES-CBC3-SHA.log
-rw-r--r-- 1 root root  443 Aug  7 18:36 /tmp/curltest-AES256-SHA.log
-rw-r--r-- 1 root root  123 Aug  7 18:36 /tmp/curltest-ECDHE-RSA-AES256-SHA384.log
-rw-r--r-- 1 root root  443 Aug  7 18:36 /tmp/curltest-AES128-SHA.log
-rw-r--r-- 1 root root  450 Aug  7 18:36 /tmp/curltest-AES128-GCM-SHA256.log
-rw-r--r-- 1 root root  453 Aug  7 18:36 /tmp/curltest-ECDHE-RSA-AES128-SHA.log
-rw-r--r-- 1 root root 1.4K Aug  7 18:36 /tmp/curltest-ECDHE-RSA-AES128-GCM-SHA256.log
-rw-r--r-- 1 root root  462 Aug  7 18:36 /tmp/curltest-ECDHE-ECDSA-AES128-GCM-SHA256.log

Saved files under 1 KB are failed connections, so only

  • /tmp/curltest-ECDHE-RSA-AES256-GCM-SHA384.log
  • /tmp/curltest-ECDHE-RSA-AES128-GCM-SHA256.log

had valid connections to your origin web server

cat /tmp/curltest-ECDHE-RSA-AES128-GCM-SHA256.log
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ECDHE-RSA-AES128-GCM-SHA256
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [141 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [112 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [4688 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; postalCode=30236; ST=Georgia; L=Jonesboro; street=8240 tara blvd; O=NodeDeck, LLC.; CN=nodedeck.com
*  start date: Aug  7 00:00:00 2020 GMT
*  expire date: Aug  7 23:59:59 2021 GMT
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Organization Validation Secure Server CA
*  SSL certificate verify ok.
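As an added example that is not part of the thread: the cipher loop posted above grades its results by log file size (under 1 KB means a failed connection). The POSIX shell script below, written for this page rather than taken from anyone in the thread, instead classifies each curl transcript by its content (a completed handshake, a server handshake_failure alert, or a cipher the local curl build cannot even offer, as happened with DES-CBC3-SHA above) and also pulls out the issuer line, which is what tells a Cloudflare-issued edge certificate apart from the Sectigo-issued origin certificate seen in the openssl check. The three sample transcripts are constructed from the output posted in this thread; probe_ciphers, classify_curl_log and curl_log_issuer are this example’s own names, and the IP in the usage comment is a documentation placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: probe which TLS 1.2 ciphers a host accepts
# and classify each curl transcript by its content rather than by log file size.

# Classify one curl -kv transcript read from stdin:
#   OK          handshake completed ("SSL connection using ...")
#   UNSUPPORTED the local curl/OpenSSL build cannot offer this cipher at all
#   REJECTED    the server answered the ClientHello with a handshake_failure alert
#   UNKNOWN     none of the markers present (DNS failure, timeout, refused, ...)
classify_curl_log() {
    _log=$(cat)
    if printf '%s\n' "$_log" | grep -q 'SSL connection using'; then
        echo OK
    elif printf '%s\n' "$_log" | grep -q 'failed setting cipher list'; then
        echo UNSUPPORTED
    elif printf '%s\n' "$_log" | grep -q 'alert handshake failure'; then
        echo REJECTED
    else
        echo UNKNOWN
    fi
}

# Print the issuer of the certificate curl received (empty if no handshake), so
# a Cloudflare-issued edge certificate is distinguishable from the origin's own.
curl_log_issuer() {
    sed -n 's/^\*[[:space:]]*issuer: //p' | head -n 1
}

# Live probe (needs network): one curl per cipher, TLS capped at 1.2 as in the
# thread; an optional third argument pins the name to an IP via --resolve.
#   probe_ciphers nodedeck.com "ECDHE-RSA-AES128-GCM-SHA256 AES128-SHA" 203.0.113.10
probe_ciphers() {
    _domain=$1; _list=$2; _ip=${3:-}
    if [ -n "$_ip" ]; then set -- --resolve "$_domain:443:$_ip"; else set --; fi
    for _c in $_list; do
        _out=$(curl -sIkv "$@" --ciphers "$_c" --tls-max 1.2 \
                    "https://$_domain" 2>&1 </dev/null)
        printf '%-32s %-11s issuer: %s\n' "$_c" \
            "$(printf '%s\n' "$_out" | classify_curl_log)" \
            "$(printf '%s\n' "$_out" | curl_log_issuer)"
    done
}

# Constructed sample transcripts, trimmed from the output posted in the thread.
SAMPLE_REJECTED='* Cipher selection: ECDHE-RSA-AES128-GCM-SHA256
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0'
SAMPLE_UNSUPPORTED='* ALPN, offering h2
* failed setting cipher list: DES-CBC3-SHA
* Closing connection 0'
SAMPLE_OK='* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*  subject: C=US; O=NodeDeck, LLC.; CN=nodedeck.com
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Organization Validation Secure Server CA
*  SSL certificate verify ok.'

# Offline demo on the samples (the live probe is only run when you call it).
printf 'sample REJECTED    -> %s\n' "$(printf '%s\n' "$SAMPLE_REJECTED" | classify_curl_log)"
printf 'sample UNSUPPORTED -> %s\n' "$(printf '%s\n' "$SAMPLE_UNSUPPORTED" | classify_curl_log)"
printf 'sample OK          -> %s\n' "$(printf '%s\n' "$SAMPLE_OK" | classify_curl_log)"
printf 'issuer in OK sample: %s\n' "$(printf '%s\n' "$SAMPLE_OK" | curl_log_issuer)"
```

Running probe_ciphers against the proxied name and then against the origin IP with --resolve gives two tables to compare: a cipher that is OK at the origin but REJECTED at the edge points at the Cloudflare side, while UNSUPPORTED rows only say the probing machine’s curl build cannot offer that suite and prove nothing about either server.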

Yeah, I paused CF until i can figure out why it won’t work under CF…

Your origin is giving a 503 Unavailable error too.

domain=nodedeck.com
ip=ORIGIN_IP   # the origin server's IP address (placeholder; the sed below masks it in the output)
curl -Iksv https://$domain 2>&1 | sed -e "s|$ip|ipaddress|g"
*   Trying ipaddress:443...
* Connected to nodedeck.com (ipaddress) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [112 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [4688 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; postalCode=30236; ST=Georgia; L=Jonesboro; street=8240 tara blvd; O=NodeDeck, LLC.; CN=nodedeck.com
*  start date: Aug  7 00:00:00 2020 GMT
*  expire date: Aug  7 23:59:59 2021 GMT
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Organization Validation Secure Server CA
*  SSL certificate verify ok.
} [5 bytes data]
> HEAD / HTTP/1.1
> Host: nodedeck.com
> User-Agent: curl/7.69.0-DEV
> Accept: */*
> 
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 503 Service Unavailable
< Date: Fri, 07 Aug 2020 18:42:34 GMT
< Server: Apache
< Pragma: no-cache
< Expires: Wed, 11 Jan 1984 05:00:00 GMT
< Cache-Control: no-cache, must-revalidate, max-age=0
< Retry-After: 3600
< Set-Cookie: PHPSESSID=5906846580de99b7af90c3b7c9900096; path=/
< Connection: close
< Content-Type: text/html; charset=UTF-8
< 
* Closing connection 0
} [5 bytes data]
* TLSv1.2 (OUT), TLS alert, close notify (256):
} [2 bytes data]
HTTP/1.1 503 Service Unavailable
Date: Fri, 07 Aug 2020 18:42:34 GMT
Server: Apache
Pragma: no-cache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Retry-After: 3600
Set-Cookie: PHPSESSID=5906846580de99b7af90c3b7c9900096; path=/
Connection: close
Content-Type: text/html; charset=UTF-8

In this (https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls) page, what is the SSL setting? That must be Full (Strict), Full or Flexible (not recommended, though). It shouldn’t be Off.

Okay.

I’ve uninstalled all my SSLs that I made myself or that were signed elsewhere.

I re-enabled CF and CF SSL. Made it Full SSL (Strict).
I generated an SSL Cert under the Origin Server tab and installed it on my server.

I’ve set the TLS to 1.0 to see if it helps. I’m still getting the error.

UGH!

Open a ticket. @Brian_M and @cloonan look for it :)
PS: post the number later to help things.

1 Like

I think I may have fixed it, can you please check?

It seems you did!

That is great, thanks for verifying and thanks for your help.

Thanks @everyone for the help.

Hi @President.Trump. Just for completeness would you mind describing what you did to fix the issues? It may help others in the future who have similar problems and search the posts.

1 Like