SSL_ERROR_NO_CYPHER_OVERLAP with CNAME redirect

Good afternoon Cloudflare Community,

Recently, a partner of ours requested we redirect one of their old A records to a new webpage in order to continue using the URL. In turn, we had them do the following:

Remove:

A Record: freecollege –> IP 35.208.253.118

Add:

CNAME Record: freecollege –> opeiu.easterngateway.edu

However, after 3 days of propagation, the new CNAME record seems to be causing the following error in both Chrome and Firefox:

SSL_ERROR_NO_CYPHER_OVERLAP

How would we fix this?

What’s the domain that “freecollege” is a subdomain of? Is the CNAME orange-clouded or grey-clouded?

“freecollege” is a subdomain of OPEIU’s homepage; however, they don’t use Cloudflare.

In turn, we have our own CNAME record that points from OPEIU (dot) easterngateway (dot) edu that is orange-clouded.

(For some reason, Cloudflare Community isn’t allowing me to post URLs right now.)

Okay, so freecollege.opeiu.org is a CNAME (on non-Cloudflare DNS) to opeiu.easterngateway.edu

opeiu.easterngateway.edu is orange-clouded (proxied) in Cloudflare

Here’s the issue… when a web client wants to connect to freecollege.opeiu.org, they do an nslookup and see that it’s a CNAME for opeiu.easterngateway.edu, so they do an nslookup for that and get a few IPs, but they’re Cloudflare IPs. So they connect to one of those Cloudflare IPs and ask for “freecollege.opeiu.org”. But Cloudflare has no idea what “freecollege.opeiu.org” is; it has no valid SSL certificate for it because it’s not something that even exists on Cloudflare.

If the DNS for opeiu.org were on Cloudflare I don’t think it would be an issue; I think Cloudflare has mechanisms to recognize when a grey-clouded CNAME is being pointed to an orange-clouded name and work around it (maybe only within the same CF account though). Or you could orange-cloud the CNAME and it would work that way too.

Easiest way to resolve this would be to grey-cloud opeiu.easterngateway.edu, but if you don’t want to do that, you could maybe create another subdomain like greycloud.easterngateway.edu (grey-clouded obviously) and ask them to point the CNAME to that.

Long story short, however you do it, you can’t proxy this traffic through Cloudflare; Cloudflare can’t present a valid SSL certificate for freecollege.opeiu.org because that domain’s not even on Cloudflare. Also, Cloudflare’s proxy servers would have no idea of where to route the traffic to. The traffic needs to hit your origin server, where you (hopefully) already have a valid SSL certificate for freecollege.opeiu.org set up and ready to go.

If you really, really wanted the traffic proxied through Cloudflare, you’d have to ask them to do an HTTP redirect (on their side) so that traffic to freecollege.opeiu.org would get completely redirected to opeiu.easterngateway.edu. Doing it that way of course visitors would see opeiu.easterngateway.edu instead of freecollege.opeiu.org in their address bar.
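
The failure described in the replies above, modelled as an added example (not part of the original thread): a client follows the CNAME, lands on a proxy address, and still sends the original hostname as SNI. The DNS data, IP addresses, `PROXIED_HOSTNAMES` and the result labels are constructed for illustration; only the hostnames come from the thread.

```python
import ipaddress

# Subset of Cloudflare's published IPv4 ranges, enough for this illustration.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in
                   ("104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15")]

# Constructed DNS data modelling the thread. The addresses are made up:
# 104.18.x.x stands in for a proxy edge, 203.0.113.10 for the origin server.
RECORDS = {
    "freecollege.opeiu.org": ("CNAME", ["opeiu.easterngateway.edu"]),
    "opeiu.easterngateway.edu": ("A", ["104.18.0.10", "104.18.1.10"]),
    "greycloud.easterngateway.edu": ("A", ["203.0.113.10"]),
}
# Assumption: the only hostname the proxy is configured to serve.
PROXIED_HOSTNAMES = {"opeiu.easterngateway.edu"}


def resolve(name, records):
    """Follow CNAMEs until an A record set; return (chain, addresses)."""
    chain = [name]
    for _ in range(8):  # bound the walk so a CNAME loop cannot hang us
        rtype, values = records[chain[-1]]
        if rtype == "A":
            return chain, values
        chain.append(values[0])
    raise RuntimeError("CNAME chain too long: " + " -> ".join(chain))


def diagnose(hostname, records=RECORDS, proxied=PROXIED_HOSTNAMES):
    """Classify what a TLS client asking for `hostname` will run into."""
    _, addresses = resolve(hostname, records)
    lands_on_proxy = any(ipaddress.ip_address(a) in net
                         for a in addresses for net in CLOUDFLARE_NETS)
    if not lands_on_proxy:
        # Grey-clouded target: the origin itself must hold the certificate.
        return "direct-to-origin"
    # The SNI carries the name the client started with, not the CNAME target.
    if hostname in proxied:
        return "proxied-ok"
    return "sni-unknown-to-proxy"  # edge has no certificate: handshake fails


if __name__ == "__main__":
    for host in ("freecollege.opeiu.org", "opeiu.easterngateway.edu"):
        print(host, "->", diagnose(host))
```

To check a real setup, fill `RECORDS` from the output of `dig` or `nslookup` for each name in the chain.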
