SSL mismatch with Cloudflare + SSL + S3 + HSTS

I run a subdomain called Part One, which is part of a larger medical education website (LITFL).

Part One is all static HTML files served from an S3 bucket, whilst the rest of the website is WordPress hosted elsewhere. Previously, Part One was served over HTTP with DNS via Cloudflare; i.e. unsecured but functional. HSTS has now been enabled, which is giving an ERR_SSL_VERSION_OR_CIPHER_MISMATCH.

My understanding from reading through the “SSL + cloudflare + S3” threads here and on reddit is that I need to enable SSL on the S3 bucket and then add a CNAME record in the Cloudflare DNS settings, but I have been trying this for most of the day and have been unable to get it to work.

Currently what I have:

  • S3 bucket is set up to statically host a site

  • Cloudfront is serving Part One successfully over SSL (https://d2pn35jf18tyic.cloudfront.net/).

  • Currently the cloudfront is signed with an origin certificate from cloudflare, but I have tried both an AWS-generated and cloudfront cert.

  • Cloudfront is accessing the S3 bucket via the REST API endpoint with the default root object as index.html (enables SSL between S3 and cloudfront), but I have tried the web endpoint as well

  • DNS in cloudflare has CNAME records pointing to this cloudfront address

I have also tried accessing the S3 bucket directly from cloudflare, and with SSL/TLS set to flexible for that subdomain, without success.

Why is this broken and how do I fix it?

Alright, to do this you need 2 things:

  1. Cloudflare’s Proxy must be enabled, so traffic has to pass through Cloudflare. In the DNS tab the record has to be the orange cloud, not the grey cloud.
  2. The SSL/TLS mode has to be set to at least Full, but given the cert you have you can set it to Full (Strict). These are the best modes as the traffic to the origin is actually encrypted and not plain text.

Thanks for your quick reply.

The proxy status for the CNAME record is orange (proxied), and the current SSL/TLS mode is Full (Strict) for the whole site - I understand that flexible is not desirable but I was curious if enabling it would help debug where the problem is (it did not).

Any other ideas?

Would you mind sharing the actual url? I see Cloudfront’s only.

The main site is <litfl.com>, the subdomain is <partone.litfl.com>.

Update: I haven’t set up a CNAME for the naked domain whilst I was troubleshooting, so there is only a Cloudflare record for www.partone.litfl.com

So, it seems to work when connecting directly, showing the correct origin certificate. It gives me a 522 error, which seems like it’s the origin not accepting connections from Cloudflare’s IPs. Do you have the ability to add Cloudflare’s IPs (https://www.cloudflare.com/ips/) to an allowlist/whitelist? Both IPv4 and IPv6.

Is the 522 error for the www. subdomain or the naked domain?

If this is what you are referring to, then yes.

I followed the instructions there previously (i.e. the cloudflare CNAME record directly to the S3 bucket), but was also unsuccessful.

I’ve put that policy back, replacing arn:aws:s3:::www.example.com/* with arn:aws:s3:::www.partone.litfl.com/*.
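As an added illustration (not the poster’s actual policy, which the thread does not show), this Python snippet evaluates a bucket policy of the shape the Cloudflare-to-S3 guide describes: a public GetObject Allow conditioned on aws:SourceIp falling in Cloudflare’s ranges. It shows why a fetch arriving from any non-Cloudflare address (a CloudFront edge, a browser hitting the bucket directly) is denied; the CIDRs are a constructed subset of the published list and the Resource ARN is the one quoted above.

```python
import ipaddress
import json

# Constructed sample policy (assumption: illustrative CIDR subset only; a real
# policy should carry the full live list from https://www.cloudflare.com/ips/).
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowCloudflareOnly",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::www.partone.litfl.com/*",
    "Condition": {
      "IpAddress": {
        "aws:SourceIp": [
          "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13",
          "2400:cb00::/32"
        ]
      }
    }
  }]
}
""")


def allowed_sources(policy):
    """Collect the CIDR allowlist from every Allow statement's aws:SourceIp condition.
    Deny statements are ignored here; this only models the source-IP gate."""
    nets = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
        if isinstance(cond, str):
            cond = [cond]
        nets.extend(ipaddress.ip_network(c, strict=False) for c in cond)
    return nets


def get_object_allowed(policy, client_ip):
    """True if a GetObject from client_ip satisfies the policy's source-IP condition."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in allowed_sources(policy))


if __name__ == "__main__":
    # Constructed addresses: two inside Cloudflare ranges, one (TEST-NET-3) that is not.
    for ip in ("104.16.1.1", "2400:cb00::1", "203.0.113.10"):
        print(ip, "allowed" if get_object_allowed(BUCKET_POLICY, ip) else "denied")
```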

Alright, one thing. The second-level subdomain www.partone.litfl.com won’t be covered by Cloudflare’s standard certificate, so it will never work (unless you buy Cloudflare’s Advanced Certificate). The non-www one is the one that has issues for me.

Remove the www and it will work.

Would you mind sharing a screenshot of the Cloudflare DNS page? At least the records regarding that subdomain.

I just want to clarify something:

First, enabling that policy broke the d2pn35jf18tyic.cloudfront.net site, as all the links became restricted. I assume because CloudFront is not Cloudflare, and so it was denied access? More broadly, do I need a bucket policy at all - if I give it public read access then Cloudflare should be able to access it just fine? Obviously it’s less elegant but I’d rather get it working first.

Secondly, if the www. subdomain is a problem can I just point the naked domain to the cloudfront site? The naked domain is set up as a valid CNAME in the cloudfront distribution.

DNS settings, with some possibly confidential bits removed:

I am not sure if you made any changes to fix things, but the Cloudfront link works now for me, all links seem to point correctly.

I am not an expert in Cloudfront and S3 buckets, so not really sure what’s the best configuration there, but the configuration must be of serving a website on the partone.litfl.com hostname with either a valid certificate for that host or a Cloudflare Origin certificate for that domain (or *.litfl.com). Basically how it was at the beginning…

I mean the www.partone.litfl.com domain, that is not working under the default Cloudflare certificate which covers the biggest possible scope (litfl.com and *.litfl.com).


I would remove the last entry for the www.partone.litfl.com record at the bottom, that won’t work for sure.
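An added example (not code from the thread) of the certificate-scope point above: with the Universal SSL names litfl.com and *.litfl.com, a wildcard matches exactly one DNS label (RFC 6125 section 6.4.3), so partone.litfl.com is covered but www.partone.litfl.com is not, which is what the browser reports as a mismatch. The checker is general and works for any SAN list, not just these two names.

```python
# Added example: one-label wildcard matching as browsers apply it to SAN entries.

def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Case-insensitive match of one label; a bare '*' matches any single non-empty label."""
    if pattern_label == "*":
        return bool(host_label)
    return pattern_label.lower() == host_label.lower()


def name_matches(pattern: str, hostname: str) -> bool:
    """True if a SAN pattern covers hostname under one-label wildcard rules."""
    p_labels = pattern.rstrip(".").split(".")
    h_labels = hostname.rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # '*' never absorbs extra labels such as 'www.partone'
    if "*" in pattern and (p_labels.count("*") > 1
                           or p_labels[0] != "*" or len(p_labels) < 3):
        return False  # only a single leftmost wildcard over at least two fixed labels
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def covered_by(sans, hostname):
    """Return the SAN entry that covers hostname, or None if the cert would mismatch."""
    for san in sans:
        if name_matches(san, hostname):
            return san
    return None


# Scope of the zone's Universal SSL certificate, as stated in the thread.
UNIVERSAL_SANS = ["litfl.com", "*.litfl.com"]

if __name__ == "__main__":
    for host in ("litfl.com", "partone.litfl.com", "www.partone.litfl.com"):
        match = covered_by(UNIVERSAL_SANS, host) or "NO MATCH (SSL mismatch)"
        print(f"{host:26} -> {match}")
```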

Works now for me.

On this hostname?

https://partone.litfl.com

Yup, working for me now too! Thanks!

No idea what fixed it, but it’s fixed.
