SSL_ERROR_NO_CYPHER_OVERLAP // Can I check if my site is working while I wait 24 hours for it to be verified?


#1

I’m running nginx on Windows 10 to reverse proxy Organizr, which serves as a frontend to my htpc services (sonarr, radarr, plex etc).

I have a Google Domain and a PowerShell script running once an hour to update my IP with their included DDNS, so visiting mydomain.com drops me on Organizr (my nginx root). This was all working fine this morning so I decided to secure it using Cloudflare.

I took the following steps:

  • Added my domain to my Cloudflare account

  • Changed nameservers on my Google domain account to amanda.ns.cloudflare.com / donald.ns.cloudflare.com

  • Created origin certificate and private key with this guide. Saved them in c:/nginx/certs

  • Added the following to my nginx config and restarted it:
    server {
        listen 80;
        listen 443;
        ssl on;

        ssl_certificate c:/nginx/certs/origincertificate.pem;
        ssl_certificate_key c:/nginx/certs/privatekey.key;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
    }

  • On the Crypto tab of the dashboard I changed SSL to Full.

Now if I try:

  1. The machine’s IP (local network) or mydomain.com (local network or on my phone over LTE) I get 400 Bad Request: The plain HTTP request was sent to HTTPS port.

  2. The machine’s IP prefaced by https:// I get The certificate is only valid for the following names: *.mydomain.com, mydomain.com Error code: SEC_ERROR_UNKNOWN_ISSUER

  3. https://mydomain.com I get SSL_ERROR_NO_CYPHER_OVERLAP

So #1 I’m not too worried about. I think I can hit the Always use HTTPS toggle in the Crypto section of the Cloudflare dashboard to fix that?
#2 I guess I didn’t add my local IP as a hostname when I generated the certificate. I was able to add an exception in Firefox although I get a Connection is not Secure icon in the address bar.
#3 I get the error above. This support page says that it can take up to 24 hours for the cert to verify. I realise I’m using a free service, so I’m ok with that, I’m just wondering if there’s any way to check that I’ve done everything right in the meantime? It would be really annoying to wait until tomorrow, only to find out I’ve done something wrong, update a setting and need to wait another 24 hours to know if I’d fixed it or not.
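
For the "any way to check that I've done everything right in the meantime?" question in post #1, one local check that does not depend on DNS or certificate propagation is to lint the TLS directives of the server block. This is an added example, not part of the thread and not nginx or Cloudflare tooling; the function names and finding codes are made up here, and the sample is the directive list from post #1 closed with a brace.

```python
import re

# Constructed sample: the directives from post #1, closed with a brace.
POSTED = """
server {
    listen 80;
    listen 443;
    ssl on;
    ssl_certificate c:/nginx/certs/origincertificate.pem;
    ssl_certificate_key c:/nginx/certs/privatekey.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
"""
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # SSLv3 is broken; TLS 1.0/1.1 are deprecated

def directives(block):
    """Yield (name, args) for every 'name arg ...;' directive, ignoring comments."""
    text = re.sub(r"#[^\n]*", "", block)
    for stmt in re.findall(r"([^;{}]+);", text):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def lint_server_block(block):
    """Return (code, detail) findings for the TLS directives of one server block."""
    d = list(directives(block))
    ssl_on = ("ssl", ["on"]) in d  # legacy switch: turns TLS on for every listen socket
    findings = []
    for name, args in d:
        if name == "listen" and args:
            port = args[0].rsplit(":", 1)[-1]
            tls = ssl_on or "ssl" in args[1:]
            if tls and port == "80":
                findings.append(("tls-on-port-80", "http:// requests get '400 ... sent to HTTPS port'"))
            if not tls and port == "443":
                findings.append(("plain-http-on-443", "add the 'ssl' parameter to this listen"))
        elif name == "ssl_protocols":
            old = [p for p in args if p in LEGACY]
            if old:
                findings.append(("legacy-protocols", " ".join(old)))
    if ssl_on:
        findings.append(("ssl-on-directive", "obsolete; use 'listen 443 ssl;' instead"))
    return findings

if __name__ == "__main__":
    for code, detail in lint_server_block(POSTED):
        print(f"{code}: {detail}")
```

The linter only reads simple directives and treats its input as a single server block, so run it per block; `nginx -t` remains the check for syntax.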


#2

Try to flush your DNS
https://documentation.cpanel.net/display/CKB/How+To+Clear+Your+DNS+Cache#HowToClearYourDNSCache-Windows%C2%AE8

ipconfig /flushdns
ipconfig /renew


#3

No dice. Cleared Firefox’s cache as well.


#4

I’m looking at Issue #3, a regular browser visit to your website.

Just guessing, but that ssl_ciphers setting may be incompatible with how Cloudflare makes the SSL connection to your site.

What’s the SSL status on your Crypto page here at Cloudflare? If you set your SSL to Flexible, does it work?


#5

So I headed out for a few hours and when I came back it’s working again. I also tried on another wifi network and it’s working there as well. I guess it was just a case of waiting it out until the certificate went through the motions?
I’ve also enabled Always use HTTPS in the Dashboard/Crypto and that seems to be working as well.

Currently it’s not working on my phone over LTE but I’m hoping that’s a case of not being able to flush DNS or maybe the cert is just slower to propagate to that network?

EDIT: My SSL is set to Full @sdayman

