Understand and fix 'SSL-version or cipher mismatch'-error

I’m trying to move a site from one shared host ( HostHouse ) to another ( One.com ).

Now I’m trying to change the A-record for the root domain, to point to One’s servers. But when I do so, then it gives me the error:

This site can’t provide a secure connection
mydomain.tld uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
 
Unsupported protocol
The client and server don’t support a common SSL protocol version or cipher suite.

I’ve been in contact with One’s support 3 times, and gotten 3 different responses:

  1. The first supporter told me to add a CNAME-record, with the name: _acme-challenge and the value: mydomain.tld.acme.service.one.com.
  2. The next supporter told me to remove any txt-record called _acme-challenge and then wait 24 hours.
  3. The last supporter told me to delete any _acme-challenge-records and disable SSL/TLS in Cloudflare.

After every interaction, they tell me to wait 24 hours for the DNS to propagate - but I’m feeling they’re just telling me that to get rid of me.

I did all these three things, but I’m still left with the error and a site that has been down for a long time.


My question here is two-fold:
A) How do I get this to work?
B) How can I debug this error? Can I check that there is a valid certificate for the domain at One?


Update 1

I’ll add the answers to the questions from the nice and lovely reply from @cloonan .

Current state of SSL

I was advised to disable SSL in Cloudflare. I assumed that was because it could be conflicting with the certificate One.com tried to setup. But SSL is Off (under SSL/TLS).

Grey-cloud/deactivate Cloudflare

If you mean, to disable the proxy and use ‘DNS only’, then I tried that. And having left it for 8 hours without a result, then I rolled back to the old hosting provider (so the site didn’t lose to much traffic). But it is grey-clouded.

The curl-command

This is what it responds with:

1 Like

Good questions and sorry about the runaround answers you’re working with. Ugh. The best bet always is to have a site working with ssl in place prior to starting with cloudflare and then using the full (strict) setting for end-to-end encryption. You’re midway in the process now, however so the key to to fix that error. It may be a simple setting on your dashboard, what is the ssl setting currently?

To debug: The error “ERR_SSL_VERSION_OR_CIPHER_MISMATCH" in Google Chrome prevents access to the site because it detects an issue with creating a valid connection to your site. This may be a temporary issue, and should resolve itself within 24 hours. If not, grey-cloud/deactivate Cloudflare so that the website uses the origin’s SSL certificate, see How do I temporarily deactivate Cloudflare? Activate Cloudflare again in 24 hours and try to access your website to see if the SSL certificate has been successfully deployed.

Other successful troubleshooting suggestions and more details about the error can be found in this Community Tip.

WRT how to verify the certificate on the new origin server, you can use this command to test:
$ curl -svo /dev/null --resolve example.com:443:123.123.123.123 https://example.com/

(replace 123 with the IP of your new server, example.com with your domain)

If you see an error SSL certificate problem: self signed certificate in certificate chain, it means you’re probably set to full(strict) and don’t have a valid certificate on the origin to support that setting. Great #Tutorials on this as well that are worth checking out.

Let us know if you continue to see issues after trying these tips, we’re happy to help further. And, can you share the domain name here?

3 Likes

Thanks (A LOT!) for weighing in.

I’ve updated the question with answers to your questions. I’m looking into the links and tutorials you link to as we speak. But I’m afraid that I’m still in a pickle here. :see_no_evil:

2 Likes

What is the domain, @zeth?

1 Like

The domain is: dansketaler.dk
The IP for the (new) server at One.com is: {redacted}

But I’ve pointed the DNS back to their old hosting provider (HostHouse), so the site could get back running.

2 Likes

Thank you. If you can get the site functioning at the new host with ssl, that’d be perfect, then change the value of your A record to point to the new host and set ssl to full (strict).

If not, or you’re in a time crunch to move, set ssl to flexible and change the value of your A record to point to the new host. Encryption is not end-to-end. Options are described here, https://support.cloudflare.com/hc/en-us/articles/200170416-End-to-end-HTTPS-with-Cloudflare-Part-3-SSL-options

Once it’s working, at some point you should address that your server needs a TLS/SSL certificate to be secure. Your host or Cloudflare can provide that:

1 Like

I’ve tried with SSL off and with SSL to Full (strict); and both of those options gave the ‘SSL-version or cipher mismatch’-error.

I haven’t tried the flexible SSL-possibility. I’ll do that tonight, since they recieve a bunch of traffic during the mid-day (in Denmark).

When I do make a change to the SSL-option in Cloudflare. How long does it take before that change takes effect?

Yet again. Thanks a lot. I’ll name my first-born ‘Cloonan’ after you. :wink:

1 Like

I just tried that now: Pointing the A-record to the new servers and setting the SSL to flexible. But the error comes back immidiately (the next minute).

I assume that something is missing from the hosting setup on One’s servers. Right?
But how do I figure out what that is?

And when I change the SSL-option in Cloudflare. How long does it take before that change takes effect?

Hi,

A few guidelines how to progress here:

  • I see you have paused or grey-cloud the DNS record, so you can leave it like that for now;

  • When i try to test your website via Cloudflare i get handshake failure, this tells me you have Universal SSL disabled. AP: Enable the Universal SSL

  • Cloudflare SSL

    When using Cloudflare, your visitor’s traffic is proxied through our edge servers and then forwarded on to your origin web server.

    Eyeball ------1-------> Cloudflare ----2-----> origin

    This means the visitor needs to make a secure connection to Cloudflare and then Cloudflare will make a secure connection to your origin server (if full ssl is enabled). This means two SSL certificates are involved here, the first would be an edge SSL certificate (1) and is installed on our servers and the second is installed on your origin (2).

  • As i can see you currently have a valid CA SSL you can set the SSL/TLS option to Full(strict)

  • Try to orange-cloud/activate Cloudflare again but when testing the website use an incognito/private window.

1 Like

Thanks for weighing in, @RuiG

I figured it would be smart to try for a second domain to mirror the setup, to see if the same error appeared or not. And I did it for a development-domain, so it can remain in the fail-state for years, without anyone being sad.

The other domain I’ve done this with is: danbjorn.dk
So it’s the same setup: (using Cloudflare as nameservers and DNS - and using One as hosting).

The same error appears, right out of the box:
http://danbjorn.dk works.
https://danbjorn.dk throws an error straight away.

This time I haven’t disable the universal certificate (please note, that I did so on dansketaler.dk due to the advice given from a One-supporter).
And the SSL is set to Full (please note, that I disabled that on dansketaler.dk as well, due to advice given from a One-supporter).

The only other thing I’ve done is to setup the additional CNAME-record, that half of the One-supporters I’ve chatted with (3 of 5) said that I should add (!?!) . Which is this:

Type: CNAME
Name: _acme-challenge
VALUE: danbjorn.dk.acme.service.one.com

3 of the 5 One-supporters claims that the error goes away by leaving this record in 24 hours. Now I have the option to see if that is correct (for this development-domain).

Hi,

That CNAME record it’s from your hosting/Lets Encrypt, and it’s to validate and issue the certificate for your domain.
In order to be validated you will need to grey-cloud the CNAME record or pause Cloudflare, nothing else it’s needed.

If you check the CNAME right now it’s proxied:

dig +trace +nodnssec _acme-challenge.danbjorn.dk
(...)
danbjorn.dk.            86400   IN      NS      pola.ns.cloudflare.com.
danbjorn.dk.            86400   IN      NS      greg.ns.cloudflare.com.
;; Received 139 bytes from 193.176.144.15#53(s.nic.dk) in 48 ms

_acme-challenge.danbjorn.dk. 300 IN     A       104.28.30.23
_acme-challenge.danbjorn.dk. 300 IN     A       172.67.129.115
_acme-challenge.danbjorn.dk. 300 IN     A       104.28.31.23
;; Received 104 bytes from 108.162.193.115#53(greg.ns.cloudflare.com) in 8 ms

So as a rule when you have validation CNAME’s from other services out of Cloudflare you should grey-cloud them.

This is expected as at the moment your origin doesn’t have a certificate yet, so it will only succeed using port 80/HTTP.
At this point the only SSL/TLS option to use is Flexible, just make sure you don’t have a redirect configured at your origin. If you have, then remove it, and configure the redirect at our edge using a page rule.

Now back for the domain dansketaler.dk i can see the origin certificate it’s already in place:

* Server certificate:
*  subject: CN=*.dansketaler.dk
*  start date: Nov 27 01:18:07 2020 GMT
*  expire date: Feb 25 01:18:07 2021 GMT
*  subjectAltName: host "dansketaler.dk" matched cert's "dansketaler.dk"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.

So please enable the Universal SSL, it’s the reason why you are having ERR_SSL_VERSION_OR_CIPHER_MISMATCH on the subdomains you still have proxied

Enabling the Universal SSL will take no effect on the grey-cloud records, so you can easily test if the SSL at our edge is deployed without impact on your main website.

Remark: Flexible wouldn’t work with this domain as you have a redirect to HTTPS at your origin, this would create a loop:

 curl -ksvo /dev/null http://dansketaler.dk 2>&1  | egrep -i "< location|< http"
< HTTP/1.1 301 Moved Permanently
< Location: https://dansketaler.dk/

Hope this helps.

2 Likes

Awesome! Thanks for that.

I’ve just implemented it for danbjorn.dk (grey-clouded the CNAME for _acme-challenge) to ensure it works there, before rolling it out on dansketaler.dk .

I’ll give it some time to settle.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.