Third Level Domain Error Cipher Mismatch

I’m getting the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error when trying to access the www versions of my third level domains. i.e., www.b.a.website.com or http://www.b.a.website.com or https://www.b.a.website.com.

However, https://b.a.website.com and http://b.a.website.com are accessible. Additionally, first and second level domains are accessible with www no matter if it’s http, https, or without either, i.e. www.a.website.com or http://www.website.com.

SSL/TLS settings are as follows:

  • Flexible (I’ve toggled full/strict with no luck)
  • Edge certificates are active for every third level domain i.e. *.a.website.com
  • Total TLS enabled via Google Trust Services
  • Always use https enabled
  • Opportunistic encryption enabled
  • TLS 1.3 enabled
  • Automatic https rewrites enabled
  • Universal SSL enabled (only “disable” button is present)

DNS settings are as follows:

  • All CNAME and A records are proxied through Cloudflare
  • A record to target IP
  • CNAME record for www.website.com at target website.com
  • CNAME record for *.website.com at the target website.com
  • Several CNAME records for every second level domain *.a.website.com (there are several second level domains like b.website.com or c.website.com etc.)

cPanel

  • AutoSSL is off under “domains”
  • But under “ssl/tls status” it says “autossl domain validated”

I’ve read through every doc here and tried toggling things on/off. I also tried to set a page rule to www.*.*.website.com/* and /$1.$2.website.com/$3 … in an attempt to route all traffic to the https:// version and remove the www. from the requests.

I tried *www.*.*.website.com* and https://$2.$3.website.com$4 too.

The website’s second level domains receive a bunch of traffic but third level domains are all new and have 0 traffic.

What other options do I have here?

Is it expected for www versions of third level domains to be accessible? I’m doubtful someone is going to type in www.b.a.website.com but it does seem like best practice.

Though if you already have an ACM certificate, you probably simply do have the hostnames in your certificate. Post the URLs.

You should never do this. Not only is this unrelated, choosing one of the outdated legacy modes will only make your site insecure. Always use Full Strict.


Here is one of the URLs in pieces. Simply remove the spaces.

www.b.a.example.com [edited]

We initially had it set to flexible and I’m just trying to change as little as possible. I can surely set it to strict though.

Never use Flexible, there won’t be any encryption. Always Full Strict.

Can you post a screenshot of https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates?


[edited]

Here it is ^

Do you have the hostname REDACTED configured for your certificate?

That will be the aforementioned issue.


You need to create a record for www.c.b.a.org or *.c.b.a.org if you want Cloudflare to issue a certificate for it.
Your Wildcard means the DNS resolver answers for subdomains of any depth, but it cannot generate certificates unless you create a record of that depth manually.

The OP already has a DNS entry.

This is an SSL issue.


The OP has a DNS entry for *.b.a.org if I understand his description correctly.

The certificate issued for that record would not cover www.c.b.a.org however.

No, the mentioned DNS entry works fine, SSL is the issue and that will be because the OP won’t have that covered in his ACM certificate.


> Do you have the hostname configured for your certificate?

@sandro where do I check this? Just under SSL/TLS > edge certs > manage?

@Laudian I can surely create one. However, the goal here is to avoid endless DNS records as it’s not very scalable because there will be countless third level domains in time. I figured the wildcard DNS would work as well since it works on non-www versions of third level domains.

Correct, where you took the screenshot. You only showed 20 hostnames, verify that you also have an entry for the desired hostname, or as mentioned wildcard.

And no, you don’t need to create DNS entries, DNS works. At least for the provided example.


Got it. I do not have an edge cert for *.b.a.website.com… only *.a.example.org and other states.

Do you think I need to order advanced certificates for *.b.a.example.org and the others? Looks like I can have up to 48 on the Pro plan but that won’t get us too far.

Right, wildcards only support one level. You do need to include that hostname (or as wildcard) in your certificate, otherwise SSL will not work.

If ACM does not work, you could only upgrade to a Business plan where you can provide your own certificate. Then, you’d be only limited by what the CA provides.

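A worked illustration of the one-label wildcard rule the replies describe, added here as an example and not part of the thread. The SAN list and hostnames are constructed and use example.com; the matching rules follow RFC 6125 section 6.4.3 as browsers and public CAs apply them:

```python
"""Check which names in a certificate's SAN list cover a hostname, using the
single-label wildcard rule (RFC 6125 section 6.4.3). All names below are
constructed for illustration."""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if certificate name `pattern` covers `hostname`.

    Comparison is case-insensitive; '*' is only allowed as the entire
    leftmost label; it stands for exactly one label, so it never covers a
    deeper subdomain; every remaining label must match exactly.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    # Reject partial ("www*") and non-leftmost ("a.*.example.com") wildcards.
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False
    # Reject "*.com"-style wildcards; public CAs do not issue them anyway.
    if len(p) < 3:
        return False
    # Same label count, non-empty leftmost label, identical remaining labels.
    return len(h) == len(p) and h[0] != "" and p[1:] == h[1:]


def covering_names(san_list, hostname):
    """All SAN entries that would satisfy a TLS client connecting to hostname."""
    return [name for name in san_list if wildcard_matches(name, hostname)]


def required_wildcards(hostnames):
    """Minimal single-level wildcard names needed to cover every hostname.

    Each hostname needs the wildcard obtained by replacing its leftmost label
    with '*', which is why every extra level needs its own certificate entry.
    """
    needed = set()
    for host in hostnames:
        labels = host.lower().rstrip(".").split(".")
        needed.add(".".join(["*"] + labels[1:]))
    return sorted(needed)


if __name__ == "__main__":
    # Constructed SAN list resembling a Universal SSL plus one-level ACM cert.
    sans = ["example.com", "*.example.com", "*.a.example.com"]
    for host in ["b.a.example.com", "www.b.a.example.com"]:
        print(host, "->", covering_names(sans, host) or "NOT COVERED")
    print(required_wildcards(["www.b.a.example.com", "www.c.a.example.com"]))
```

To compare against what the edge actually presents, feed the SAN list from `openssl s_client -servername www.b.a.example.com -connect www.b.a.example.com:443 </dev/null | openssl x509 -noout -ext subjectAltName` into covering_names; an empty result is the mismatch the thread is chasing.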

My personal recommendation would be to skip “www” in this context. That is already quite an elaborate hostname 🙂


Got it. I thought edge certs were automatically created based off of anything proxied through cloudflare but it seems they correlate with dns records, if I’m not mistaken at least.

Let me try to create the advanced cert for b.a and I’ll circle back around.

I tried to set a page rule to skip www entirely. Is there another way to achieve this?

A page rule for www on HTTPS requires a certificate, if you have that you don’t need to skip it and if you don’t, the redirect will not work either.


Alright, I created an advanced cert as you instructed. It’s initializing but I’ll follow up this evening.

Fingers crossed this works and I can’t thank you enough for the assistance.


No worries, certificates can always be tricky, even more so when you try to cover an entire US state 😄

The whole thing may not be really scalable, however. I would reconsider it. Maybe you can have some information as part of the path.

But once the certificate was issued for that particular hostname, it should work.


IT WORKS!!!

For anyone who finds this later, I was able to add 50 certs for third level domains under 1 advanced cert. So the 10/month plan works for 100 advanced certs, where 50 hostnames can be added under each, totaling 5000 third level domains that can be covered.

The only downside to this is having to create advanced certs for each one since I don’t believe double wildcards are permitted for advanced certs.

@sandro I can’t thank you enough for the assistance and I’m going to leave it as is for now. However, do you know of any other ways to auto-create these or somehow wildcard them to avoid all the manual work?

Also @sandro and @Laudian, would you mind editing your comments and redacting/changing the domain name to example?
