Unable to use Cloudflare DNS proxy with Let's Encrypt certificate

Hi all, as the title says I am getting the error ‘ERR_SSL_VERSION_OR_CIPHER_MISMATCH’ when using Cloudflare’s proxy on my domain.

I am totally new to this type of setting, so I know that this is an issue on my end.
This is my current situation:

Registered domains:
  • “lightdestory com” & “www.lightdestory com”
  • “ssh lightdestory com”
  • “mensaersu projects lightdestory com” & “www mensaersu projects lightdestory com”
(replace the space with a dot)

All these domains point to a single server.

While creating the certificates with certbot I had some problems, like TLS handshake failures or bad NXDOMAIN for the www.* domains. The problem was that CF’s proxy was active, so I grayed out all the DNS records on the DNS tab and successfully obtained the certificates for my domains from Let’s Encrypt.

Now when I enable the proxy I get the above error.
I am unable to use CF’s CDN and other services.

How can I fix this?

Currently all the DNS records are set as DNS Only and my IP is exposed, but at least the website is accessible.

Thanks for your support,
LightDestory.

Hi @LightDestory,

Here is some info on the error. My first thought would be to check the SSL/TLS > Edge Certificates section to see if it says ‘Active certificate’ or ‘Certificate pending validation’. If it doesn’t say active, you can disable and re-enable Universal SSL at the bottom of that page (covered in the tip linked below).

The error “ERR_SSL_VERSION_OR_CIPHER_MISMATCH” in Google Chrome prevents access to the site because the browser detects an issue with creating a valid connection to your site. This may be a temporary issue and should resolve itself within 24 hours. If not, grey-cloud/deactivate Cloudflare so that the website uses the origin’s SSL certificate; see “How do I temporarily deactivate Cloudflare?”. Activate Cloudflare again in 24 hours and try to access your website to see if the SSL certificate has been successfully deployed.

Other successful troubleshooting suggestions and more details about the error can be found in this Community Tip. Let us know if you continue to see issues after trying these tips, we’re happy to help further.

I enabled Universal SSL again and the certificate is active.
Right now I have activated proxying on lightdestory.com & www.lightdestory.com,
and they work as usual, but every subdomain other than those isn’t working at all.
ssh.lightdestory.com works because it is grayed out, because for ssh I need direct access to my machine’s IP.

Now subdomains like www.mensaersu.projects.lightdestory.com and mensaersu.projects.lightdestory.com aren’t working and return that error.

I don’t know what to do anymore.

Currently the above two non-working subdomains are proxied.

If I gray them out they will work, but I will not be able to use Cloudflare services!

That sounds to me like “Subdomain too deep”.

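The “Subdomain too deep” diagnosis above can be checked mechanically. The following is an added example, not code from the thread or from Cloudflare. It assumes two things that are not stated in the posts: that the Universal SSL certificate for a zone carries exactly the apex name and a first-level wildcard (`lightdestory.com` and `*.lightdestory.com`), and that wildcard matching follows RFC 6125 section 6.4.3, where `*` stands for exactly one DNS label. Under those assumptions the edge has no certificate name matching `mensaersu.projects.lightdestory.com`, so it aborts the TLS handshake, which Chrome surfaces as ERR_SSL_VERSION_OR_CIPHER_MISMATCH. The `diagnose` function, the zone name and the hostnames are taken from this thread; everything else is illustrative.

```python
"""
Added example: which hostnames an assumed Universal SSL certificate covers.

Assumptions (not from the thread):
  - The Universal SSL certificate for a zone lists two names: the apex
    and a first-level wildcard ("*.<zone>").
  - Wildcard matching follows RFC 6125 section 6.4.3: "*" matches exactly
    one label, so "*.lightdestory.com" does not match
    "mensaersu.projects.lightdestory.com".
"""
from __future__ import annotations


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are label-wise."""
    return name.strip().rstrip(".").lower()


def universal_ssl_sans(zone: str) -> list[str]:
    """Names assumed to be on the Universal SSL certificate for `zone`."""
    zone = normalize(zone)
    return [zone, f"*.{zone}"]


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style match: a leading '*.' covers exactly one label."""
    san, hostname = normalize(san), normalize(hostname)
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                      # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    # The wildcard must replace one non-empty label, never several.
    return bool(first_label) and "." not in first_label


def matching_san(sans: list[str], hostname: str) -> str | None:
    """Return the first SAN that covers `hostname`, or None."""
    for san in sans:
        if san_matches(san, hostname):
            return san
    return None


def labels_below_zone(zone: str, hostname: str) -> int:
    """How many labels `hostname` has beneath `zone` (0 for the apex itself)."""
    zone, hostname = normalize(zone), normalize(hostname)
    if hostname == zone:
        return 0
    if not hostname.endswith("." + zone):
        raise ValueError(f"{hostname} is not inside zone {zone}")
    return hostname[: -len(zone) - 1].count(".") + 1


def diagnose(zone: str, hostname: str) -> dict:
    """Report whether `hostname` would be served by the assumed Universal SSL cert."""
    san = matching_san(universal_ssl_sans(zone), hostname)
    depth = labels_below_zone(zone, hostname)
    if san is not None:
        advice = "covered: proxying (orange cloud) should work"
    else:
        advice = (f"not covered: {depth} labels below the zone, but the wildcard "
                  "covers only one; keep the record DNS-only, move the host to one "
                  "label below the zone, or use an edge certificate that lists it")
    return {"hostname": normalize(hostname), "matched_san": san,
            "depth": depth, "advice": advice}


if __name__ == "__main__":
    zone = "lightdestory.com"
    for host in ["lightdestory.com", "www.lightdestory.com", "ssh.lightdestory.com",
                 "mensaersu.projects.lightdestory.com",
                 "www.mensaersu.projects.lightdestory.com"]:
        r = diagnose(zone, host)
        print(f"{r['hostname']:42} depth={r['depth']} "
              f"san={str(r['matched_san']):20} {r['advice']}")
```

Run it as a script to see the two deeper names flagged as uncovered while the apex, `www` and `ssh` names match. The same `san_matches` logic is what a browser applies to the certificate it actually receives, so if you want to confirm the assumption against the live edge, compare the names that `openssl s_client -servername <host>` shows in the certificate’s subjectAltName with the ones this script assumes.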

I will note this as the ultimate solution for my issue.

Is it not possible to use my Let’s Encrypt certificates on these subdomains?
In some group they told me to set Full mode encryption (not Full (strict)) and disable Universal SSL to just let Cloudflare use my certificates.
Is it a valid operation?

Sorry for my questions, I am new to this world; I am a simple developer and I have never put my hands on this type of configuration.

Regards,
LightDestory.

You can only use custom certificates (e.g. Let’s Encrypt) on the Business plan or above.

If you want to use SSL/TLS on your site you have to use Cloudflare’s edge certificates, be that Universal SSL or a Dedicated cert.

I don’t think this would work.