I’m getting the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error when trying to access the www versions of my third-level domains, i.e. www.b.a.website.com, http://www.b.a.website.com or https://www.b.a.website.com.
However, https://b.a.website.com and http://b.a.website.com are accessible. Additionally, first- and second-level domains are accessible with www no matter whether it’s http, https or neither, i.e. www.a.website.com or http://www.website.com.
SSL/TLS settings are as follows:
Flexible (I’ve toggled Full/Strict with no luck)
Edge certificates are active for every third-level domain, i.e. *.a.website.com
Total TLS enabled via Google Trust Services
Always Use HTTPS enabled
Opportunistic Encryption enabled
TLS 1.3 enabled
Automatic HTTPS Rewrites enabled
Universal SSL enabled (only a “Disable” button is present)
DNS settings are as follows:
All CNAME and A records are proxied through Cloudflare
CNAME record for www.website.com with target website.com
CNAME record for *.website.com with target website.com
Several CNAME records, one for every second-level domain, *.a.website.com (there are several second-level domains like b.website.com or c.website.com, etc.)
AutoSSL is off under “Domains”
But under “SSL/TLS Status” it says “AutoSSL domain validated”
I’ve read through every doc here and tried toggling things on/off. I also tried to set a page rule for www.*.*.website.com/* to /$1.$2.website.com/$3 … in an attempt to route all traffic to the https:// version and remove the www. from the requests.
I tried *www.*.*.website.com* and https://$2.$3.website.com$4 too.
The website’s second-level domains receive a bunch of traffic, but the third-level domains are all new and have 0 traffic.
What other options do I have here?
Is it expected for www versions of third-level domains to be accessible? I’m doubtful someone is going to type in www.b.a.website.com, but it does seem like best practice.
You need to create a record for www.c.b.a.org or *.c.b.a.org if you want Cloudflare to issue a certificate for it.
Your wildcard means the DNS resolver answers for subdomains of any depth, but it cannot generate certificates unless you create a record of that depth manually.
> Do you have the hostname configured for your certificate?
@sandro Where do I check this? Just under SSL/TLS > Edge Certificates > Manage?
@Laudian I can surely create one. However, the goal here is to avoid endless DNS records, as it’s not very scalable because there will be countless third-level domains in time. I figured the wildcard DNS would work as well, since it works on the non-www versions of the third-level domains.
For anyone who finds this later, I was able to add 50 certs for third-level domains under 1 Advanced Certificate. So the 10/month plan works for 100 Advanced Certificates, where 50 hostnames can be added under each, totaling 5000 third-level domains that can be covered.
The only downside to this is having to create Advanced Certificates for each one, since I don’t believe double wildcards are permitted for Advanced Certificates.
@sandro I can’t thank you enough for the assistance, and I’m going to leave it as is for now. However, do you know of any other ways to auto-create these or somehow wildcard them, to avoid all the manual work?
Also, @sandro and @Laudian, would you mind editing your comments and redacting/changing the domain name to example?
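The point behind Laudian’s answer and the poster’s later update is a certificate rule, not a DNS rule: a wildcard DNS record answers for names of any depth, but a wildcard in a certificate’s SAN only stands in for exactly one label, so `*.a.website.com` covers `b.a.website.com` and not `www.b.a.website.com`. When the edge finds no certificate for the SNI name it rejects the handshake, which Chrome surfaces as ERR_SSL_VERSION_OR_CIPHER_MISMATCH. The script below is an added example written for this thread, not code from Cloudflare or from any poster. It implements the standard single-label wildcard matching that browsers apply, runs it over the hostnames from the thread (constructed, not real zones or certificates), and then does the arithmetic from the poster’s update: given a list of deeper hostnames, it derives the one-level-deeper wildcard SANs that would cover them and packs them into certificates of 50 hostnames each. The 50-per-certificate figure is the poster’s reported limit and is treated as an assumption; whether a given issuer accepts a wildcard at that depth is not something the script checks.

```python
"""Single-label wildcard matching and SAN planning for deep hostnames.

Added example for this thread; not code from Cloudflare or the posters.
Matching follows the rule browsers apply: a wildcard is honoured only as
the entire left-most label and matches exactly one label, never zero or
several. HOSTS_PER_CERT is the poster's reported per-certificate limit,
taken here as an assumption rather than a verified product limit.
"""

HOSTS_PER_CERT = 50  # assumption: limit reported by the original poster


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate SAN `pattern` covers `hostname`."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h                      # plain SAN: exact match only
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False                       # "w*.a.example" style is refused
    if len(p) < 3:
        return False                       # refuse "*" and "*.com"
    if len(h) != len(p):
        return False                       # "*" stands for exactly one label
    return h[0] != "" and h[1:] == p[1:]   # remaining labels must be identical


def coverage_report(sans, hostnames):
    """Map each hostname to the first SAN that covers it, or None."""
    report = {}
    for host in hostnames:
        report[host] = next((s for s in sans if wildcard_matches(s, host)), None)
    return report


def needed_wildcards(hostnames):
    """Collapse hostnames into the wildcards that sit at their own depth.

    www.b.a.website.com -> *.b.a.website.com, which is what the answer in
    the thread means by "a record of that depth".
    """
    parents = {h.lower().rstrip(".").split(".", 1)[1] for h in hostnames}
    return sorted("*." + parent for parent in parents)


def plan_certs(hostnames, per_cert=HOSTS_PER_CERT):
    """Return the list of certificates (each a list of SANs) needed."""
    sans = needed_wildcards(hostnames)
    return [sans[i:i + per_cert] for i in range(0, len(sans), per_cert)]


# Constructed inputs mirroring the thread; not real certificates or zones.
UNIVERSAL_SANS = ["website.com", "*.website.com", "*.a.website.com"]
THREAD_HOSTS = [
    "website.com", "www.website.com",
    "a.website.com", "www.a.website.com",
    "b.a.website.com", "www.b.a.website.com",
]
# 120 constructed third-level www hostnames under a.website.com
MANY_HOSTS = [f"www.site{i}.a.website.com" for i in range(120)]

if __name__ == "__main__":
    for host, san in coverage_report(UNIVERSAL_SANS, THREAD_HOSTS).items():
        print(f"{host:24} -> {san or 'NO MATCHING SAN (handshake refused)'}")
    certs = plan_certs(MANY_HOSTS)
    print(f"{len(MANY_HOSTS)} hostnames need {len(certs)} certificate(s)")
```

Running it shows every name in the thread matched except `www.b.a.website.com`, which is exactly the symptom reported, and that 120 deeper hostnames collapse to 120 one-level wildcards spread over three certificates. The matcher is deliberately strict (no partial-label wildcards, no bare `*.tld`, no zero-label matches); if you relax it you will predict coverage the edge does not actually provide.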