Unsupported Protocol when using SSL from Caddy

My main website is hosted on GitHub pages and uses their free SSL, and I have subdomains pointing to web services I run on a DigitalOcean droplet. Those services are behind a Caddy web-server (in a docker container) that acts as a reverse-proxy, while also getting SSL certs via Lets Encrypt. Originally I was using my registrars DNS (Google Domains), but I switched over to Cloudflare recently (for DNS) for the extra benefits it provides. Today the DNS changes finished propagating and I’m unable to access my site, getting the following error across my GitHub pages site and my web services:

This site can’t provide a secure connection

rooday.com  uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

When I activated Cloudflare, I figured there would be issues if it tried handling SSL while Caddy was doing it, so I made the following changes to the settings in the Crypto tab:

• SSL: off
• HSTS: All settings enabled
• Authenticated Origin Pulls: disabled
• Minimum TLS Version: 1.0
• TLS 1.3: Enabled
• Automatic HTTPS Rewrites: Enabled
• Universal SSL: disabled

As an attempted fix I tried turning HSTS off just now, but the changes may not have propagated yet. Does anyone have any tips? I just want Cloudflare to handle DNS and the related security that comes with that, as well as the caching benefits. I would like to keep SSL handled by GitHub and Caddy for the respective sites.

Your site actually loads but it points straight to Github, so if there are any SSL issues you’d need to check out the Github configuration.

I paused my site on Cloudflare to see if I could access it again, which may be why it’s working right now. I just reactivated Cloudflare and turned off HSTS, waiting for the change to propagate and see what happens. Sorry for any confusion, I’m just trying out different ideas.

Yep, my sites are down again, even with HSTS off. Are there extra steps that must be done to allow Cloudflare to work when SSL is handled by other parties?

It is better to keep the configuration when asking here for help, otherwise nobody can reproduce it.

It appears Cloudflare hasnt issued your certificate yet. What is the domain status and what is the SSL status? Maybe post screenshots.

Yep, I’ll stop messing with it for now. What do you mean by domain status? I’ve had the domain for a couple years now with Google Domains, and the subdomains for the services have existed for a while as well. All have had SSL certs that have been working before I started using Cloudflare.

As for screenshots, of which would be helpful?

Can you post a screenshot of your “Crypto” section?

Also, check out Community Tip - Fixing ERR SSL VERSION OR CIPHER MISMATCH in Google Chrome

Here’s my Crypto tab:

2019-01-31-16-51-dash.cloudflare.com.png1483×3224 479 KB

Also, that link you sent says to try grey-clouding the domains, but doesn’t that get rid of all the Cloudflare benefits? Is Cloudflare SSL absolutely required to get those?

Your SSL is off altogether, you need to enable it at the bottom of the page and set the mode to “Full strict” in the first setting.

Will that cause issues if I’m using SSL from GitHub and Caddy, or does that not matter?

That should not matter.

Alright, I’ll go make those changes and post back in a bit with results!

It should be faster but it can take up to 24 hours to be fully working.

Well everything seems to be working right now, so thanks for the help! I still see:

Universal SSL Status: Authorizing Certificate

Will issues arise when the cert is finalized?

Unlikely but of course a possibility, we’ll be able to tell only when everything is in place.

Just a quick update, everything seems to be working fine and the certs have been authorized, so I think it’s all good. Thanks @sandro for all the help!