Universal SSL Edge Certificate Pending Validation

What is the name of the domain?

cybar.dev

What is the error number?

N/A

What is the error message?

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

What is the issue you’re encountering?

Edge Certificate validation is perpetually pending for over a week.

What steps have you taken to resolve the issue?

  • tried manually adding TXT records from email
  • tried manually adding TXT records from Dashboard (SSL/TLS > Edge Certificates)
  • tried disabling Universal SSL, wait 1 hr, enable Universal SSL, wait 1 hr, check website
  • tried Purge Everything in cache settings
  • tried waiting >24 hrs
  • praying

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Flexible

What are the steps to reproduce the issue?

  • allow SSL certificate to expire
  • attempt to renew Universal SSL
  • fail miserably in several different ways

Screenshot of the error

Before someone suggests - I don’t want to change from Flexible to anything else. It was working fine with Flexible before, and I want to get back to that state. Some of my subdomain connections (Teespring and Vercel) probably require Flexible (grey cloud instead of orange for DNS proxy), from what I recall, and I do not want to lose those connections.

By using Flexible, you are essentially lying to your customers that their connection is securely encrypted when it is actually not.

DNS-Only (grey cloud) means that you are not using Cloudflare for that name, so Cloudflare SSL settings do not apply to those hostnames in any way.


I suggest praying to Namecheap, if you require assistance.

Cloudflare has never been running algorithm 1 (RSAMD5) with their DNSSEC, maybe you want to change it to algorithm 13 (ECDSAP256SHA256) through your registrar?

That said, I will still strongly advise you to change that Flexible to Full (Strict), so that the users of cybar.dev can actually trust the website.


Ok, I’m switching to Full (strict) and toggle-cycling Universal SSL. Will get back to this thread with an update in an hour or so if it fixes the issue.

As for lying to people…

  • If it’s not meant to be used, it shouldn’t be there.
  • I’m the main user of my sites. They’re usually only static webpages, not webapps with backends.
  • Don’t think it’s possible to lie to myself…

Regardless, if it works, I’ll keep it Full (Strict). Thanks for the suggestion.

I see the following on Namecheap:

I changed the Algorithm to 13 as you suggested. But there’s another column saying “Digest”. Do I have to change the value of that? If so, to what? (where to get that value, Namecheap, Cloudflare, or elsewhere?)
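The Digest column asked about above is not a value to pick by hand: a DS record at the registrar (key tag, algorithm, digest type, digest) is derived entirely from the DNSKEY that the DNS provider (here Cloudflare) publishes for the zone, so all four fields must come from the same key and the digest must be recomputed if the key or algorithm changes. The Python below is added here as a worked example, not code from this thread or from Cloudflare, and shows how a DS record is computed per RFC 4034 (key tag from Appendix B, digest type 2 = SHA-256 over the canonical owner name plus the DNSKEY RDATA) and how to check that a registrar-side DS actually matches. The 64-byte public key is a constructed placeholder, not the real ECDSAP256SHA256 key for cybar.dev.

```python
"""Derive and verify a DNSSEC DS record from a DNSKEY (RFC 4034).

Added example for this thread; not Cloudflare's code. The key bytes are
a constructed placeholder, not the real DNSKEY for cybar.dev.
"""
import hashlib

# DNSSEC algorithm numbers mentioned in the thread (IANA registry values).
ALGORITHMS = {
    1: "RSAMD5 (deprecated; validators must treat it as insecure)",
    13: "ECDSAP256SHA256",
}
DIGEST_TYPE_SHA256 = 2

# Constructed placeholder for a 64-byte P-256 public key (X || Y), NOT a real key.
FAKE_P256_KEY = bytes(range(64))


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    out = b"".join(len(label).to_bytes(1, "big") + label.encode("ascii") for label in labels)
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit sum over the RDATA with the carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256(owner name wire form || DNSKEY RDATA), hex-encoded."""
    return hashlib.sha256(owner_name_wire(owner) + rdata).hexdigest()


def ds_record(owner: str, flags: int, algorithm: int, public_key: bytes) -> tuple:
    """Return (key tag, algorithm, digest type, digest) as it would be entered at the registrar."""
    rdata = dnskey_rdata(flags, algorithm, public_key)
    return key_tag(rdata), algorithm, DIGEST_TYPE_SHA256, ds_digest(owner, rdata)


def ds_matches(owner: str, flags: int, algorithm: int, public_key: bytes, registrar_ds) -> bool:
    """True only if every DS field at the registrar agrees with the zone's DNSKEY.

    A stale algorithm number (e.g. 1 left over at the registrar while the
    DNSKEY uses 13) or a digest for an old key makes this False, which is
    exactly the mismatch that leaves a zone failing DNSSEC validation.
    """
    return ds_record(owner, flags, algorithm, public_key) == tuple(registrar_ds)


if __name__ == "__main__":
    # KSK flags = 257 (ZONE + SEP), algorithm 13, placeholder key.
    tag, alg, dtype, digest = ds_record("cybar.dev", 257, 13, FAKE_P256_KEY)
    print(f"cybar.dev. IN DS {tag} {alg} {dtype} {digest}   ; {ALGORITHMS[alg]}")
```

The practical check is `ds_matches(...)` with the registrar's four fields: if the key tag or digest does not match what the DNS provider's DNSKEY implies, change the DS record at the registrar rather than any single column in isolation.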

That is absolutely correct. Sadly, Cloudflare disagrees.

The content of your website does not matter at all, as Man in the Middle attackers can change the content however they want.

The thing is, if you don’t think your site needs to be secure, you could always change SSL to Off instead of Flexible. That way, potential visitors know that the connection is not encrypted and can choose whether they want to visit anyway.

With Flexible, it looks like the traffic is encrypted when it’s actually not, and people might trust it more than they should.

But honestly. Flexible SSL mode was introduced back when SSL certificates were expensive and most small sites couldn’t afford SSL. Many hosts didn’t even offer you the option to use HTTPS, even if you wanted to pay for a certificate.

Today, most certificates are free and there is no good reason not to secure connections with HTTPS.


Thanks a lot for all your help. That all worked, so my site(s) are back up again. Me happy~ :3

And thanks for the links, explanations, and detailed information. Learned a lot more in this one hour than the last week trying to solve it myself… Thanks again~

I have marked what I think is the solution - a combination of:

  • Flexible → Full (Strict)
  • Set correct DNSSEC algorithm
