My main website is hosted on GitHub Pages and uses their free SSL, and I have subdomains pointing to web services I run on a DigitalOcean droplet. Those services are behind a Caddy web server (in a Docker container) that acts as a reverse proxy, while also getting SSL certs via Let's Encrypt. Originally I was using my registrar's DNS (Google Domains), but I switched over to Cloudflare recently (for DNS) for the extra benefits it provides. Today the DNS changes finished propagating and I'm unable to access my site, getting the following error across my GitHub Pages site and my web services:
This site can’t provide a secure connection
rooday.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
When I activated Cloudflare, I figured there would be issues if it tried handling SSL while Caddy was doing it, so I made the following changes to the settings in the SSL/TLS app:
SSL: off
HSTS: All settings enabled
Authenticated Origin Pulls: disabled
Minimum TLS Version: 1.0
TLS 1.3: Enabled
Automatic HTTPS Rewrites: Enabled
Universal SSL: disabled
As an attempted fix I tried turning HSTS off just now, but the changes may not have propagated yet. Does anyone have any tips? I just want Cloudflare to handle DNS and the related security that comes with that, as well as the caching benefits. I would like to keep SSL handled by GitHub and Caddy for the respective sites.
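An added diagnostic script for the situation in the post above (not code from the thread, Cloudflare or Caddy). The point it checks: once a record is orange-clouded, browsers negotiate TLS with Cloudflare's edge, not with GitHub Pages or Caddy, so the edge needs its own certificate (Universal SSL or a custom one) and an SSL mode other than Off, regardless of how good the origin's Let's Encrypt cert is. The script probes the edge (via DNS) and the origin (by IP, with the same SNI) separately, so a failure like ERR_SSL_VERSION_OR_CIPHER_MISMATCH can be pinned on one side. The function names, the result keys and the explanation strings are my own choices; the hostname and origin IP are command-line arguments.

```python
"""Probe TLS at the Cloudflare edge and at the origin separately, then
say which side is failing.  Added example, not from the original thread.

Usage:  python tls_probe.py rooday.com [ORIGIN_IP]
"""
import socket
import ssl
import sys

# Assumption encoded here: a proxied (orange-cloud) hostname is served by
# Cloudflare's edge, which must present its own certificate.  SSL mode Off
# or Universal SSL disabled leaves it with nothing to present, while the
# origin's Let's Encrypt / GitHub Pages cert is untouched.
EXPLANATIONS = {
    "ok": "Both the edge and the origin complete a TLS handshake.",
    "edge-no-cert": (
        "The origin handshake works but the edge handshake fails: the proxied "
        "record is answered by Cloudflare, which has no certificate to present "
        "(SSL mode Off / Universal SSL disabled). Either grey-cloud the record "
        "so clients reach the origin directly, or enable Universal SSL and use "
        "Full (strict) so the edge terminates TLS and re-encrypts to the origin."
    ),
    "origin-broken": (
        "The edge handshake works but the origin does not: check the "
        "certificate Caddy or GitHub Pages is serving for this hostname."
    ),
    "both-broken": "Neither side completes a handshake; check DNS and the origin first.",
}


def probe_tls(host, ip=None, port=443, timeout=5):
    """Attempt a TLS handshake to `ip` (or to `host` via DNS) with `host` as SNI.

    Verification is deliberately off: the question is whether any handshake
    is possible and what comes back, not whether the chain validates."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    target = ip or host
    try:
        with socket.create_connection((target, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                return {
                    "ok": True,
                    "target": target,
                    "protocol": tls.version(),
                    "cipher": tls.cipher()[0],
                    "cert_bytes": len(der) if der else 0,
                }
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "target": target, "error": f"{type(exc).__name__}: {exc}"}


def diagnose(edge, origin):
    """Map the two probe results onto one of the EXPLANATIONS keys."""
    if edge["ok"] and origin["ok"]:
        return "ok"
    if not edge["ok"] and origin["ok"]:
        return "edge-no-cert"
    if edge["ok"] and not origin["ok"]:
        return "origin-broken"
    return "both-broken"


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(__doc__)
    hostname = sys.argv[1]
    origin_ip = sys.argv[2] if len(sys.argv) > 2 else None
    edge_result = probe_tls(hostname)
    # Without an origin IP we can only probe the edge; treat the origin as
    # unknown-but-fine so the edge result still gets explained.
    origin_result = probe_tls(hostname, ip=origin_ip) if origin_ip else {"ok": True, "target": "(skipped)"}
    print("edge  :", edge_result)
    print("origin:", origin_result)
    verdict = diagnose(edge_result, origin_result)
    print(verdict, "-", EXPLANATIONS[verdict])
```

Run it with the droplet's IP as the second argument to probe Caddy directly; for the GitHub Pages apex there is no single origin IP to hand, so the edge-only mode applies there.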
I paused my site on Cloudflare to see if I could access it again, which may be why it’s working right now. I just reactivated Cloudflare and turned off HSTS, waiting for the change to propagate and see what happens. Sorry for any confusion, I’m just trying out different ideas.
Yep, my sites are down again, even with HSTS off. Are there extra steps that must be done to allow Cloudflare to work when SSL is handled by other parties?
Yep, I’ll stop messing with it for now. What do you mean by domain status? I’ve had the domain for a couple years now with Google Domains, and the subdomains for the services have existed for a while as well. All have had SSL certs that have been working before I started using Cloudflare.
Also, that link you sent says to try grey-clouding the domains, but doesn’t that get rid of all the Cloudflare benefits? Is Cloudflare SSL absolutely required to get those?
Just a quick update, everything seems to be working fine and the certs have been authorized, so I think it’s all good. Thanks @sandro for all the help!