Weird SSL mismatch appeared!

Actually idk what went wrong here, today I created a new subdomain

https://secured.stream.dopehosting.io/ and after I turned cf on I started to get a mismatch error. cf is on for all subdomains including the main one https://dopehosting.io

        [email protected]:~# curl -vvv https://secured.stream.dopehosting.io/
        *   Trying 104.24.109.130...
        * TCP_NODELAY set
        * Connected to secured.stream.dopehosting.io (104.24.109.130) port 443 (#0)
        * ALPN, offering h2
        * ALPN, offering http/1.1
        * successfully set certificate verify locations:
        *   CAfile: none
          CApath: /etc/ssl/certs
        * TLSv1.3 (OUT), TLS handshake, Client hello (1):
        * TLSv1.3 (IN), TLS alert, Server hello (2):
        * error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
        * stopped the pause stream!
        * Closing connection 0
        curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

In the backend I’m using Nginx + Let’s Encrypt. The SSL configuration on nginx is the same for dopehosting.io and all *.dopehosting.io

        ssl_protocols             TLSv1.1 TLSv1.2 TLSV1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers               'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_certificate           /hostdata/secured.stream.dopehosting.io/ssl/fullchain.pem;
        ssl_certificate_key       /hostdata/secured.stream.dopehosting.io/ssl/privkey.pem;
        ssl_dhparam               /ssl/dh2048.pem;
        ssl_session_cache         shared:SSL:5m;
        ssl_session_timeout       1d;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate   /hostdata/secured.stream.dopehosting.io/ssl/fullchain.pem;

Options in Cloudflare are

crypto => SSL => Full
crypto => Authenticated Origin Pulls => OFF
crypto => Minimum TLS Version => 1.0
crypto => TLS 1.3 => Tried both On/Off, the subdomain doesn't work

Any idea what I’ve done wrong here?! (the subdomain works on https if cf is off, but once I turn cf on it gets a mismatch err)

Thanks.

This is a host on the second level of its domain and Cloudflare does not support such deep levels on their free universal certificates. You will need a $10/month dedicated certificate if you want that host on HTTPS. Alternatively you can unproxy it and point it straight to your server.

1 Like
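
The coverage rule from the answer above, as an added example that is not part of the original thread: a wildcard name in a certificate stands for exactly one left-most label, so `*.dopehosting.io` cannot cover `secured.stream.dopehosting.io`. It assumes the free Universal certificate lists the zone apex and `*.<zone>`; the function names and the `www` host are constructed for illustration.

```python
# Added example: hostname matching against certificate names (RFC 6125 style).
# Assumption: the free Universal certificate lists the zone apex plus one
# wildcard directly below it, e.g. dopehosting.io and *.dopehosting.io.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split it into labels."""
    return name.lower().rstrip(".").split(".")


def name_matches(cert_name, hostname):
    """True if a certificate dNSName (optionally '*.'-prefixed) covers hostname.

    A wildcard is honoured only as the whole left-most label and stands for
    exactly one label, so it never spans a dot.
    """
    pattern, host = _labels(cert_name), _labels(hostname)
    if len(pattern) != len(host):
        return False                      # '*' cannot absorb extra labels
    if any("*" in label for label in pattern[1:]):
        return False                      # wildcard outside the left-most label
    if pattern[0] == "*":
        return pattern[1:] == host[1:]
    if "*" in pattern[0]:
        return False                      # partial wildcards ('f*o') not honoured here
    return pattern == host


def universal_names(zone):
    """Constructed name list for the assumed Universal certificate of a zone."""
    return [zone, "*." + zone]


def audit(zone, hostnames):
    """Map each hostname to the certificate name that covers it, or None."""
    names = universal_names(zone)
    return {h: next((n for n in names if name_matches(n, h)), None)
            for h in hostnames}


if __name__ == "__main__":
    # Constructed host list; only the apex and the failing host are from the thread.
    hosts = ["dopehosting.io", "www.dopehosting.io",
             "secured.stream.dopehosting.io"]
    for host, name in audit("dopehosting.io", hosts).items():
        status = "covered by " + name if name else "not covered"
        print(f"{host:32} {status}")
```

A host reported as not covered needs a certificate that names it at the edge, or has to be served unproxied, which are the two options given in the answer.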

lol I was 1h testing and testing, thanks for the info!
