The system is unable to issue a generic SSL certificate

What is the name of the domain?

moeworld.top

What is the error message?

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

What is the issue you’re encountering?

No matter what attempts I make, I can’t seem to issue a universal certificate (not that the validation doesn’t pass, but it says No certificates directly at Edge Certificates.)

What steps have you taken to resolve the issue?

(I’ve included the text here since the description can’t be written in one line)
Starting one day when I tried to add a new dns record, I realized that the new universal certificate was never issued.
Starting around 2024.7.18, I noticed that for all the new resolution records for my domains, no edge certificates were issued (not even in the SSL->Edge Certificates records).
Starting around 2024.7.21 12:57PM UTC+8 (which is the last recorded time the service was available), the edge certificates for the domain moeworld.top are all gone and unavailable.
Visits to any of the related domains resolving to cloudflare return a message similar to this.
This site cannot provide a secure connection to master.moeworld.top using an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
In fact, my entire account seems to be having this problem (not just the domain moeworld.top)

Steps I’ve tried

  1. call https://api.cloudflare.com/client/v4/zones/{domain_zone_id}/ssl/universal/settings to switch CA organization (currently Google)
  2. turn off HSTS and always use HTTPS to allow users direct http access to mitigate the problem
  3. Delete and re-add parsing records
  4. Try to Pause Cloudflare and re-open cloudflare.
  5. disable and re-open Universal SSL

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full

What are the steps to reproduce the issue?

None

Screenshot of the error

Sorry you are down with this right now. It looks like there is not currently a certificate issued for the domain.

```
openssl s_client -connect moeworld.top:443 -servername moeworld.top < /dev/null 2>/dev/null | openssl x509 -noout -text | grep 'DNS:\|Issuer:\|Subject:';
Could not find certificate from <stdin>
000C530202000000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:crypto/store/store_result.c:151:
```

It also looks like you are using Cloudflare with a Partial CNAME Setup:

```
dig cname moeworld.top +short
moeworld.top.cdn.cloudflare.net.
```

Which means that SSL records are not issued unless there is a record in Cloudflare with the proxy on, and you have done DCV for the certificate.

I would recommend checking your account and confirming that both of these are true so you can get a certificate issued.

Thank you for your reply.

I am indeed using cname to access cloudflare and have been using it that way for a very long time.

Regarding the two questions you mentioned:

1. a record in Cloudflare with the proxy on

I have some second level domains that already point to cloudflare (and they used to be able to issue certificates properly)
Example: drive.moeworld.top (please manually check that you are on https when testing as I have forced https turned off)

```
C:\Users\MoeSakura>nslookup drive.moeworld.top
Server:  MoeWrt.lan
Address:  192.168.1.1

Name:    moeworld.top.cdn.cloudflare.net
Addresses:  172.67.168.65
          104.21.26.97
Aliases:  drive.moeworld.top
```

2. have done DCV for the certificate

In the Cloudflare dashboard, I can indeed see the relevant content
However, this seems to be only relevant for advanced certificates, so I hope I’m not misunderstanding the description
However, in the help information, I do see a note that reads

Create a CNAME record on _acme-challenge.moeworld.top in your authoritative DNS and point it to moeworld.top.110e0f87d4be3af4.dcv.cloudflare.com . One such record takes care of both the apex hostname as well as the wildcard.

I will try to add this record and then see if it works.
However, it seems that the certificates that were previously issued by cloudflare for cname access were done via http authentication, so I don’t really think it could be that.

By the way, I tried to test this on the ssl-tls/custom-hostnames page with SaaS access to some of the domains, which gave me a DCV record for each second-level domain, and then I was able to successfully issue the certificates after I manually added the relevant records (perhaps this could be a temporary solution).

May I ask what I should try to do next regarding how to resolve this issue?

Now, I added a DCV record like this

```
C:\Users\MoeSakura>nslookup -type=cname _acme-challenge.drive.moeworld.top
Server:  MoeWrt.lan
Address:  192.168.1.1

_acme-challenge.drive.moeworld.top      canonical name = drive.moeworld.top.110e0f87d4be3af4.dcv.cloudflare.com
```

And deleted, then re-added the drive.moeworld.tech parse record
Waiting to see if any certificates will appear in the Edge Certificates list.

By the way, this record was deleted by me because I realized that it might conflict with an existing TXT record, so perhaps I need to do a separate test afterward.

Create a CNAME record on _acme-challenge.moeworld.top in your authoritative DNS and point it to moeworld.top.110e0f87d4be3af4.dcv.cloudflare.com. One such record takes care of both the apex hostname as well as the wildcard.
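The two conditions raised in the reply above (a proxied record on a partial CNAME setup, and a DCV CNAME at `_acme-challenge.<host>`), plus the CNAME/TXT clash mentioned in the last post, can be checked mechanically. The following is an added example written for this thread, not code from Cloudflare or from either poster; the DNS answers are constructed from the lookups shown in the thread, and `probe_tls` is the only part that talks to the network.

```python
import socket
import ssl

CF_CDN_SUFFIX = ".cdn.cloudflare.net."


def _fqdn(name):
    return name.rstrip(".").lower() + "."


def is_partial_cname_setup(host, cnames):
    """True when `host` is CNAMEd to Cloudflare's CDN target, i.e. the partial
    (CNAME) setup the reply diagnosed. `cnames` maps owner name -> target."""
    target = cnames.get(_fqdn(host))
    return target is not None and _fqdn(target).endswith(CF_CDN_SUFFIX)


def dcv_cname_ok(host, expected_target, cnames):
    """True when _acme-challenge.<host> is a CNAME to the DCV target the
    dashboard hands out for that hostname."""
    target = cnames.get("_acme-challenge." + _fqdn(host))
    return target is not None and _fqdn(target) == _fqdn(expected_target)


def dcv_cname_conflicts(host, records):
    """Return the non-CNAME record types already present at _acme-challenge.<host>.
    A CNAME must be the only record at its owner name (RFC 1034 section 3.6.2),
    so an existing TXT there blocks the DCV CNAME from being added."""
    owner = "_acme-challenge." + _fqdn(host)
    return sorted(t for (name, t) in records if _fqdn(name) == owner and t != "CNAME")


def probe_tls(host, port=443, timeout=5.0):
    """Live check (needs network): the DNS SANs of the served certificate on
    success, otherwise the exception name, e.g. a handshake failure when no
    edge certificate exists for the SNI name."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
        return [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    except (ssl.SSLError, OSError) as exc:
        return type(exc).__name__ + ": " + str(exc)


# Constructed sample answers, modelled on the nslookup output quoted in the thread.
CNAMES = {
    "drive.moeworld.top.": "moeworld.top.cdn.cloudflare.net.",
    "_acme-challenge.drive.moeworld.top.": "drive.moeworld.top.110e0f87d4be3af4.dcv.cloudflare.com.",
}
RECORDS = [("_acme-challenge.moeworld.top.", "TXT"), ("drive.moeworld.top.", "CNAME")]
```

Run `dcv_cname_conflicts` before adding the apex DCV CNAME: a non-empty result is exactly the TXT clash that forced the record to be deleted in the post above.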

Well, it still looks like no edge certificates are being issued correctly.

It still shows no certificates as in the original screenshot
