SSL Issues - LetsEncrypt vs CloudFlare

Hello everyone,

I seem to have some weird error. My domain issues its own certificate using bash scripts and reloads the configurations.

When I sign a new cert for the domain I ask for both *.garbinc.ca and garbinc.ca

Through Cloudflare, requests are proxied. I tried disabling Universal SSL so I could manage it myself and CloudFlare issues the following error:

SSL_ERROR_NO_CYPHER_OVERLAP

I configure one A record in DNS and the rest are CNAMEs pointing to that A record.

https://garbinc.ca works; however, when I try to use one of the CNAMEs I get the above error.

Example: tunnel.garbinc.ca

Why is that?

Let me know if I can provide more information

  • Please note, I have the free version.

On another note, if I enable Universal SSL the cert for my *.garbinc.ca domains is always Cloudflare…

Hi @GarbInC,

If you want to proxy your traffic through Cloudflare and want it to run over HTTPS, you need SSL enabled at Cloudflare as well as the certificate on your server. The Cloudflare cert secures the connection between the visitor and Cloudflare, and the server cert secures the part between Cloudflare and your server. Your domain is currently unproxied (grey cloud), so Cloudflare is only providing DNS; this is why you see the certificate from your server.

On the Business plan or above, you can upload a custom certificate or you can enable the Advanced Certificate Manager ($10/month) for more control.

What is the issue with the universal certificate?

Alright so as I understand it, the only way to benefit from the DDoS protection is to have everything proxied through CloudFlare.

If I only want to see LetsEncrypt I have to solely use unproxied DNS names, correct?

That would explain pretty much everything!

Thank you :)

Yes, you can get a Let’s Encrypt cert from the Advanced Certificate Manager I mentioned, but that’s a paid feature and doesn’t add any benefit over the Universal cert.

No problem :)
