SSL on a Dreamhost hosted site w/ Cloudflare as DNS not working


#1

I had Dreamhost request a Let’s Encrypt SSL cert for my site and I’m using Cloudflare as DNS. If I access the site directly it is encrypted fine with https. When I turn on Cloudflare for that domain I get this error:

This site can’t provide a secure connection

ariston.staging.cafevagrant.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don’t support a common SSL protocol version or cipher suite.

Also, I don’t understand why Dreamhost recommends Flexible SSL. If the cert is for the website domain, when Cloudflare is accessing the site shouldn’t it be secure?


#2

Cloudflare’s Universal SSL cert is for example.com and *.example.com. The certificate would cover staging.cafevagrant.com under the wildcard but it doesn’t (can’t) cover *.*.example.com domains such as ariston.staging.cafevagrant.com.

To work around this you could either use a different second level domain name to cover that domain (e.g. staging2.example.com) or you can purchase a dedicated certificate for staging.example.com and *.staging.example.com which would cover child domains of the staging.example.com domain.
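The one-label wildcard rule described in the reply above is what browsers apply when they match a hostname against a certificate's Subject Alternative Names. The following is an added illustration, not code from the thread or from Cloudflare: it implements that matching rule and runs it against two constructed SAN lists, one shaped like the Universal SSL certificate the reply describes (apex plus a single-level wildcard) and one shaped like the dedicated certificate it suggests. The SAN lists are assumptions built from the reply's description, not the actual certificates for these hosts.

```python
"""Check which dNSName SAN entries cover a hostname, using the one-label
wildcard rule from RFC 6125 section 6.4.3 that browsers enforce."""


def _label_matches(pattern_label: str, host_label: str) -> bool:
    # A bare '*' matches exactly one DNS label; everything else must match
    # case-insensitively.
    if pattern_label == "*":
        return True
    return pattern_label.lower() == host_label.lower()


def san_matches(san: str, hostname: str) -> bool:
    """Return True if the dNSName SAN entry `san` covers `hostname`."""
    san_labels = san.rstrip(".").lower().split(".")
    host_labels = hostname.rstrip(".").lower().split(".")

    # Only a wildcard that is the entire left-most label is honoured;
    # partial labels ('f*.example.com') or inner wildcards are rejected.
    if "*" in san and san_labels[0] != "*":
        return False
    # Refuse overly broad wildcards such as '*.com'.
    if san_labels[0] == "*" and len(san_labels) < 3:
        return False
    # Because '*' consumes exactly one label, the label counts must be equal.
    # This is why '*.example.com' cannot cover 'a.b.example.com'.
    if len(san_labels) != len(host_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(san_labels, host_labels))


def covering_sans(sans, hostname):
    """Return the subset of `sans` that cover `hostname` (empty = no match)."""
    return [s for s in sans if san_matches(s, hostname)]


# Constructed SAN lists (assumptions modelled on the reply, not real certs).
UNIVERSAL_SSL_SANS = ["cafevagrant.com", "*.cafevagrant.com"]
DEDICATED_SANS = ["staging.cafevagrant.com", "*.staging.cafevagrant.com"]

if __name__ == "__main__":
    for host in ("staging.cafevagrant.com", "ariston.staging.cafevagrant.com"):
        print(host)
        print("  Universal SSL SANs covering it:", covering_sans(UNIVERSAL_SSL_SANS, host))
        print("  Dedicated cert SANs covering it:", covering_sans(DEDICATED_SANS, host))
```

Running it shows the Universal SSL shape covers staging.cafevagrant.com but returns no match for ariston.staging.cafevagrant.com, which is exactly the situation that produces the browser's handshake error: the edge has no certificate it can present for that name. The dedicated wildcard one level deeper does cover it.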


#3

Thanks for the information, I didn’t know that’s how the certs worked. However, I have a Let’s Encrypt SSL cert specifically for ariston.staging.cafevagrant.com on Dreamhost. Does this mean that SSL certs are dealt with on the DNS level since they can’t be used?


#4

When a site is orange clouded (proxying through Cloudflare) then Cloudflare’s edge becomes the SSL endpoint for client communications. We then evaluate the request to determine what, if any, requests need to be made to the origin and we initiate a new SSL session to the backend where the client certificate you have installed at Dreamhost is used.

So you have a valid SSL certificate on the backend, but the clients connect to us where there isn’t a valid cert.

You could also choose to bypass Cloudflare (gray cloud the record) in which case we’d no longer be the client SSL endpoint but instead they would connect directly to the Dreamhost server and use its SSL certificate.