SSL not provisioned from one moment to the next

From one moment to the next, the website is unavailable (tls: handshake failure). Nothing has been changed on the server, the certificate is still valid, and the SSL option is set to “Strict”, but SSL is still not provisioned by Cloudflare. What has happened?

Yes, seems your SSL certificate hasn’t been provisioned…
https://cf.sjr.org.uk/tools/check?4c456ed4e32b4e43b67f71588c0c2987#connection-server-https

Ensure Universal SSL is enabled here…
https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates

If it is, try disabling it, wait 2-3 minutes, then enable it again.

2 Likes

Hello sjr,
Thank you very much for your quick reply.
I actually had Universal SSL active, I followed your recommendation but the error still persists.

I have no more ideas.

Try setting all your proxied records to “DNS only”, wait 2-3 minutes, then turn the proxy on again.

2 Likes

Thanks again for your quick reply.
I set it to “DNS only” and the site was accessible. I then waited 5 minutes and switched back to proxy. Same error again. I had also paused Cloudflare, and the site was accessible again. I activated Cloudflare again, and the error came back.

I have now completely removed the domain from Cloudflare for 12 hours. Now I wanted to add it again and strange things are happening that I can’t explain. Cloudflare has scanned here for DNS entries and this is the result. Does it take these entries before? They don’t exist.

If you had a wildcard (*) DNS record, any hostname would match and so any that Cloudflare tests for would succeed and so be offered to add to your DNS.

2 Likes

That makes sense, thanks for the tip.
Unfortunately, this attempt did not help either. The problem still exists. I have noticed that the confirmation for the universal certificate is not executed.

There seem to be some records for _acme-challenge.pherotruth.fans that are returning Cloudflare IP addresses. Whatever they are, delete them all. They should be TXT records (so “DNS only”) if they exist at all. They may be proxied CNAMEs or due to a wildcard. Delete the wildcard if you don’t need it.

dig +short _acme-challenge.pherotruth.fans
104.21.29.145
172.67.149.99
2 Likes
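The check described in the last reply, as an added example that is not part of the original thread: it classifies `dig +noall +answer` lines for the `_acme-challenge` name and compares them with a random probe label to tell a wildcard match from an explicit record. The function names, `example.com` and the `192.0.2.x` addresses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Input lines use `dig +noall +answer` format: NAME TTL CLASS TYPE RDATA

# Print the unique A/AAAA addresses found in answer lines on stdin.
addr_rdata() {
    awk '$4 == "A" || $4 == "AAAA" { print $5 }' | sort -u
}

# classify_acme CHALLENGE_ANSWERS PROBE_ANSWERS
# Prints one of: ok | wildcard | address-records
classify_acme() {
    challenge_addrs=$(printf '%s\n' "$1" | addr_rdata)
    probe_addrs=$(printf '%s\n' "$2" | addr_rdata)
    if [ -z "$challenge_addrs" ]; then
        echo ok                # only TXT (or nothing) at the challenge name
    elif [ "$challenge_addrs" = "$probe_addrs" ]; then
        echo wildcard          # heuristic: a random label resolves identically
    else
        echo address-records   # explicit A/AAAA or proxied CNAME at the name
    fi
}

# Live check (needs network access and dig); the caller supplies the zone.
check_zone() {
    zone=$1
    probe="probe-$$-$(date +%s).$zone"   # label that should not exist
    c=$(dig +noall +answer "_acme-challenge.$zone" A
        dig +noall +answer "_acme-challenge.$zone" AAAA)
    p=$(dig +noall +answer "$probe" A
        dig +noall +answer "$probe" AAAA)
    classify_acme "$c" "$p"
}

# Constructed sample answers (documentation addresses, not from the thread).
SAMPLE_BAD='_acme-challenge.example.com. 300 IN A 192.0.2.10
_acme-challenge.example.com. 300 IN A 192.0.2.11'
SAMPLE_PROBE='probe-1.example.com. 300 IN A 192.0.2.11
probe-1.example.com. 300 IN A 192.0.2.10'
SAMPLE_GOOD='_acme-challenge.example.com. 120 IN TXT "constructed-token-value"'
```

A result of `wildcard` points at the wildcard record as the source of the address answers, while `address-records` points at a record created for `_acme-challenge` itself.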
