Hello,
I have SSL_ERROR_NO_CYPHER_OVERLAP or similar in all browsers.
My website has been protected by Cloudflare for more than a year. On Jun 11th something happened with the Cloudflare SSL certificate exposed to clients / visitors, so clients cannot connect. I have search engine issues too (some pages were deleted from search results and it’s critical).
The origin has a valid Let’s Encrypt certificate. The protection is Full (strict). I did not change any settings.
csupdate.*ru (remove *)
It has been pointed to Cloudflare nameservers for a few years and Cloudflare is known for its stability, but now the number of visits has dropped to zero due to the wrong certificate being installed…
You can either grey-cloud the DNS entry to bypass Cloudflare, or I think there’s a workaround using the API to request that someone other than DigiCert handle the certificate.
I’m trying to find the thread with the API workaround but haven’t found it yet; it’s on here somewhere though.
I checked the API documentation and I see how to change the certificate issuer for Advanced Certificate Manager certificates (a premium service) but not for Universal SSL.
There might or might not actually be a workaround for Universal SSL,
so the best option might be to just grey-cloud the DNS entry until the situation changes.
I wasn’t able to find the “disable Universal SSL” button before, but now I’ve found it. The status was “pending validation (txt)” for about 5 minutes and now the certificate is issued. The curl check passes. I hope search engines will restore the deleted pages in the search results soon.
If the issue is global, is there any possibility to track certificate update errors and trigger some actions, or at least notify users about the problem and the recommended manual actions in an email?
P.S. I expected the new Let’s Encrypt certificate would work in old web browsers (e.g. Chrome on Windows XP) but unfortunately, there is the same ERR_SSL_VERSION_OR_CIPHER_MISMATCH error as when the other certificate issuer was used.
P.S.2 Unfortunately, I cannot find the Edit post button here…
Thank you.
Personally I don’t care much about the ancient browsers, so I use minimum TLS 1.2 (supported by 97% of browsers), and once IE is officially dead I might even go 1.3-only.
Honestly I never cared about IE; it is the pre-installed browser that must be used for only one purpose: downloading another browser.
But handshake_failure for Google Chrome on Windows XP SP3 is the only reason why I cannot enable a full redirect of HTTP to HTTPS; there are still many users of old PCs who cannot update their browser for technical reasons. There is another protection service named DDoS-Guard (Russian-based); it had a free plan (VERY limited compared to Cloudflare’s) and they disabled that free plan recently. They obtain Let’s Encrypt certificates at the “proxy” server for your domain and it works in all old browsers. I don’t know how they managed to make it work, but I believe Cloudflare will be perfect if they fix this handshake_failure error.
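The two practical questions in this thread are how to notice that the certificate presented at the edge has changed or is about to expire (the monitoring question above, and the "curl check" used to confirm the fix), and whether a client restricted to an older protocol floor (the TLS 1.2 minimum discussed just above) still completes the handshake. The following Python script is an added example written for this thread; it is not Cloudflare's code or anything posted by the participants. It completes a real TLS handshake against a host you name, reports the negotiated protocol, cipher and issuer, and turns expiry or handshake failures into alert lines you could feed into any notification channel. The host name `example.com` and the `SAMPLE_CERT` dictionary are constructed placeholders; the certificate check itself runs offline against that sample.

```python
import socket
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the values are illustrative and do not describe any real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.invalid"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R3"),),
    ),
    "notBefore": "Jun  1 00:00:00 2022 GMT",
    "notAfter": "Aug 30 00:00:00 2022 GMT",
    "subjectAltName": (("DNS", "example.invalid"), ("DNS", "www.example.invalid")),
}


def issuer_org(cert):
    """Return the issuer's organizationName from a getpeercert() dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def evaluate_cert(cert, now=None, warn_days=14):
    """Pure check on a peer certificate dict: who issued it and when it expires.

    `now` may be a POSIX timestamp or a certificate-style time string, which
    makes the check reproducible against a fixed point in time.
    """
    if now is None:
        now = time.time()
    elif isinstance(now, str):
        now = ssl.cert_time_to_seconds(now)
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # UTC seconds
    days_left = round((not_after - now) / 86400, 1)
    return {
        "issuer": issuer_org(cert),
        "days_left": days_left,
        "expired": days_left < 0,
        "warn": 0 <= days_left < warn_days,
        "sans": [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"],
    }


def probe_tls(host, port=443, maximum_version=None, timeout=10):
    """Complete one TLS handshake and report the outcome as a plain dict.

    maximum_version (an ssl.TLSVersion) caps what this client offers, so you
    can confirm that a client limited to, say, TLS 1.2 is still served.
    """
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    if maximum_version is not None:
        ctx.maximum_version = maximum_version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {
                    "ok": True,
                    "protocol": tls.version(),
                    "cipher": tls.cipher()[0],
                    "cert": evaluate_cert(tls.getpeercert()),
                }
    except ssl.SSLError as exc:
        # exc.reason is OpenSSL's reason string, e.g. SSLV3_ALERT_HANDSHAKE_FAILURE
        # (no shared cipher/version) or CERTIFICATE_VERIFY_FAILED (bad chain).
        return {"ok": False, "error": exc.reason or str(exc)}
    except OSError as exc:  # DNS failure, refused connection, timeout
        return {"ok": False, "error": str(exc)}


def alerts(result):
    """Turn a probe result into alert lines; an empty list means healthy."""
    if not result["ok"]:
        return [f"handshake failed: {result['error']}"]
    cert = result["cert"]
    if cert["expired"]:
        return [f"certificate expired {-cert['days_left']} days ago"]
    if cert["warn"]:
        return [f"certificate expires in {cert['days_left']} days"]
    return []


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    checks = [("default client", None), ("TLS 1.2 client", ssl.TLSVersion.TLSv1_2)]
    for label, max_version in checks:
        result = probe_tls(host, maximum_version=max_version)
        print(label, result.get("protocol"), result.get("cipher"), alerts(result) or "OK")
```

Run it from cron with the hostname as the argument and route any non-empty alert list to mail or chat; a sudden change in the reported issuer, or a `handshake failed` line where the previous run succeeded, is exactly the kind of edge-certificate change this thread describes. The second probe caps the client at TLS 1.2 to confirm the server still accepts clients at that floor; it cannot emulate a Windows XP browser, whose failures stem from the cipher suites and SNI support of that platform rather than the protocol version alone.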
Thank you for help, now it works. The solution is to disable Universal SSL and re-enable it manually.
I think I have a shared certificate issued to Cloudflare SNI (free plan). Thank you for the link but I see no solution there. Does it mean that if the certificate expires during this month my website will stop working without any prior notice, rather than showing the typical “certificate expired” or “your clock is wrong” page with a skip button? That’s stupid. DigiCert are stupid if they broke the whole TLD instead of banning payments from one specific country (exactly what Visa / Mastercard / SWIFT already did). I’m not a Russian citizen but I use the .ru TLD because $3.5 is a good price for a domain rather than the overpriced .com, .net etc.