Universal SSL edge cert in errored state


My zone, williammck.net, hasn’t been able to provision its edge certificate since I cancelled ACM in June.

I’ve tried disabling Universal SSL for 48+ hours and re-enabling, with no luck.
I tried opening a support ticket (#2559177); however, it was closed automatically due to not being on a paid tier.
@MoreHelp Any chance y’all can get this fixed? I’d really appreciate it.

I have escalated your ticket.


May I ask, have you tried this step with the proxied :orange: hostnames williammck.net and www.williammck.net? :thinking:

And you’re sure the “Pause Cloudflare for this site” option from the CF dashboard → Overview, bottom-right corner, isn’t enabled?

Since you’ve canceled ACM, was there any other DNS record (hostname) like subB.subA (deep-level sub-domain due to the usage of the ACM, I guess?) left in the DNS tab of the Cloudflare dashboard? :thinking:

While checking the DNSSEC, it is ok so far.

Yep - I had to turn off proxying for both the apex and www due to the SSL cert not being valid; however, even when I had it enabled, it wouldn’t renew the cert.

Nope, moved those to another domain. Everything on the zone is currently just one level.

Are you saying that when you proxy your site through Cloudflare, the backup certificate is not working?

Correct. Chrome shows ERR_SSL_VERSION_OR_CIPHER_MISMATCH, cURL shows a similar SSL/TLS-related error (curiously, mentioning SSLv3?).

17:15:28 ⌁ [:~] % curl -vvv https://williammck.net
*   Trying
* Connected to williammck.net ( port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure

I’ve set it back to orange cloud just now to collect that info, but even prior to that, the backup cert wasn’t taking effect. Basically was stuck returning ERR_SSL_VERSION_OR_CIPHER_MISMATCH for a month or so.

Changing the CA allowed ACME to be validated, and the issue could be solved.


