Universal SSL edge cert in errored state

williammck · September 17, 2022, 3:16am

Hello!

My zone, williammck.net, hasn’t been able to provision its edge certificate since I cancelled ACM in June.

I’ve tried disabling Universal SSL for 48+ hours and re-enabling, with no luck.
I tried opening a support ticket (#2559177), however it was closed automatically due to not being on a paid tier.
@MoreHelp Any chance y’all can get this fixed? I’d really appreciate it.

Cyb3r-Jak3 · September 17, 2022, 12:05pm

I have escalated your ticket.

fritex · September 17, 2022, 6:11pm

May I ask have you tried this step with a proxied hostname williammck.net and www.williammck.net?

And you’re sure the “Pause Cloudflare for this site” option from the CF dashboard → Overview, bottom-right corner, isn’t being enabled?

Since you’ve canceled ACM, was there any other DNS record (hostname) like subB.subA (deep-level sub-domain due to the usage of the ACM, I guess?) left at the DNS tab of Cloudflare dashboard?

While checking the DNSSEC, it is ok so far.

williammck · September 17, 2022, 9:55pm

Yep - I had to turn off proxying for both the apex and www due to the SSL cert not being valid, however even when I had it enabled it wouldn’t renew the cert.

Nope, moved those to another domain. Everything on the zone is currently just one level.

sdayman · September 17, 2022, 10:03pm

Are you saying that when you proxy your site through Cloudflare, the backup certificate is not working?

williammck · September 17, 2022, 10:19pm

Correct. Chrome shows ERR_SSL_VERSION_OR_CIPHER_MISMATCH, cURL shows a similar SSL/TLS related error. (curiously, mentioning SSLv3?)

17:15:28 ⌁ [:~] % curl -vvv https://williammck.net
*   Trying 104.21.4.161:443...
* Connected to williammck.net (104.21.4.161) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure

I’ve set it back to orange cloud just now to collect that info, but even prior to that, the backup cert wasn’t taking effect. Basically was stuck returning ERR_SSL_VERSION_OR_CIPHER_MISMATCH for a month or so.

jochen · September 20, 2022, 7:42am

Changing the CA allowed ACME to be validated, and the issue could be solved.

system · September 23, 2022, 7:43am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.