When I activate Cloudflare it ignores my A Record and points to the Cloudflare name-server IP


#1

I took over this Cloudflare account for a client. It has correct A records added to the DNS that should point to the hosting account, but when I toggle the Cloudflare icon to ON (Orange) the DNS immediately propagates to a set of two IPs that are not correct.

Am I missing something in my setup?


#2

This is correct.

CloudFlare acts as a proxy when the record is set to :orange:. A lookup will show two CloudFlare IPs that hide your origin IP address.


#3

OK I understand that.

But when I activate the Cloudflare button for my A records I immediately get a Cipher mismatch error and cannot access the site. I contacted the issuer of my SSL (GoDaddy) and they said I need to update my DNS to point to the proper host.

I’m not sure what to do now because I need the Cloudflare plugin to be active and MY SSL to be active.

Under Crypto, should I turn the SSL off? Or can Cloudflare NOT hide my IP?


#4

What’s your current Crypto setting? And the status? I’m guessing your setting is Full (Strict) and the Status is Pending.

Here’s a guide on how Cloudflare’s SSL settings work:


#5

My DNS Records


#6

Wow, that looks good. And has been for the past 3 years.

You can test out SSL by going to the DNS tab here and :grey: that entry. Then visit your site and view the certificate. It should show a functional certificate that’s on your server. Chrome’s Dev Tools (Security tab) is good for this.

There’s still the off chance that your certificate at Cloudflare is broken. If the :grey: approach above shows a valid certificate on your server, then :orange: it again and use Chrome Dev Tools to check the one here.


#7

When I activate the A record from :grey: to :orange: I get this…

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Here are the details for my SSL certificate issued by GoDaddy

If I cannot get the A record to resolve as the proper IP (160.153.137.153) I will keep getting this error.


#8

I have an unusual situation with this account. If CloudFlare is not installed on this site my clients in Italy CAN NOT see the site. They get an ERR_CONNECTION_TIMED_OUT error. EVERYONE else in the world can see it but not them. They insist that the site is blocked out all over Italy so we re-activated this Cloudflare plugin 10 days ago and connected it back to this account and everything worked fine.

Friday a mistake was made and the nameservers in this Cloudflare account were changed at the domain host by mistake and the site shut down. When the name-servers were reset, the ERR_SSL_VERSION_OR_CIPHER_MISMATCH appeared.

I went in and turned the :orange: to :grey: and the site came back up everywhere in the world again… except Italy :frowning:

This is where I am at: no Cloudflare - client can’t see the site. Cloudflare active - no one can see the site.

This all worked 2 days ago so I am confused as to why it won’t work now with the same settings.
None of the SSL settings have been touched.


#9

If I changed the SSL from FULL to OFF would that help with the CIPHER_MISMATCH?

I would like to be sure before I change any settings.


#10

If you turn it to Off, then Cloudflare will only serve HTTP. Keep in mind that Cloudflare is a Reverse Proxy. It’s like having your data getting a Bus Transfer. With Off, data takes the HTTPS bus from your server to Cloudflare, then transferring to another HTTP bus from Cloudflare to the visitor. With Flexible, the busses are HTTP, then HTTPS. With Full, both busses are HTTPS. You can’t take the first HTTPS bus all the way from your server to your customers through Cloudflare.

Anyhow, since you’re back to :grey:, I can’t see what’s going on with the Cloudflare certificate. Next time you switch to :orange:, post back and/or check https://www.ssllabs.com/ssltest/analyze.html?d=yogainsalento.com

You’ll probably have to click on their Clear Cache to re-run the test.


#11

I switched the A records back to :orange:

I ran the test as well, did you want me to post all the results here?


#12

That totally looks broken. Open a Support Ticket.

iretina:~ scott$ curl -v https://yogainsalento.com/
*   Trying 104.28.31.123...
* TCP_NODELAY set
* Connected to yogainsalento.com (104.28.31.123) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
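
The two checks discussed in posts #6 and #12 (which endpoint answered, and whether a certificate was ever presented), as an added example that is not part of the original thread: it parses a `curl -v` trace and compares the connected address with the origin IP quoted in post #7. The function names and stage labels are assumptions of this example.

```python
import re

# Trace from the post above, trimmed to the lines the parser reads.
TRACE = """\
*   Trying 104.28.31.123...
* Connected to yogainsalento.com (104.28.31.123) port 443 (#0)
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS alert, Server hello (2):
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
"""
ORIGIN_IP = "160.153.137.153"  # origin address quoted earlier in the thread

CONNECTED = re.compile(r"^\* Connected to (\S+) \(([^)]+)\) port (\d+)")
# e.g. "* TLSv1.2 (IN), TLS handshake, Certificate (11):"
TLS_MSG = re.compile(r"^\* \S+ \((IN|OUT)\), TLS (handshake|alert), ([^(]+?) \(\d+\):")
EXIT = re.compile(r"^curl: \((\d+)\)")

def parse_trace(text):
    """Extract peer address, TLS message sequence and curl exit code."""
    info = {"host": None, "ip": None, "messages": [], "exit_code": None}
    for line in text.splitlines():
        if m := CONNECTED.match(line):
            info["host"], info["ip"] = m.group(1), m.group(2)
        elif m := TLS_MSG.match(line):
            info["messages"].append((m.group(1), m.group(2), m.group(3).strip()))
        elif m := EXIT.match(line):
            info["exit_code"] = int(m.group(1))
    return info

def triage(info, origin_ip):
    """Say which endpoint answered and how far the handshake got."""
    endpoint = "origin" if info["ip"] == origin_ip else "proxy"
    inbound = [(kind, name) for d, kind, name in info["messages"] if d == "IN"]
    got_cert = ("handshake", "Certificate") in inbound
    # The name curl prints on an alert line is unreliable (here it reads
    # "Server hello"), so only the message kind is used for alerts.
    alerted = any(kind == "alert" for kind, _ in inbound)
    if alerted and not got_cert:
        stage = "rejected-before-certificate"   # no certificate was ever sent
    elif alerted:
        stage = "rejected-after-certificate"
    elif got_cert:
        stage = "certificate-presented"         # now inspect the certificate itself
    else:
        stage = "no-tls-response"
    return {"endpoint": endpoint, "stage": stage}

if __name__ == "__main__":
    print(triage(parse_trace(TRACE), ORIGIN_IP))
```

For the trace above, the alert comes from the proxy address before any Certificate message, so there is no certificate to inspect in the browser at that point.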

#13

I already did that

support.cloudflare.com/hc/requests/1497663

They sent back a form email marking it as resolved.

I’m totally lost. No idea what to do next…


#14

One of the mods (@cscharff or @Ryan) will probably check in and re-open it.


#15

Should I send another support email? I haven’t heard anything back yet :frowning:


#16

See if you can re-open that ticket. What was their reply on that ticket?

Earlier, you asked about setting it to OFF. At this point, it might be a good idea to turn it OFF, then wait for a while, then :orange: that domain and set SSL back to Full (Strict). That might re-issue the certificate.


#17

OK great, I just resubmitted the ticket again.

I appreciate the suggestion but I wonder if it might be best to wait and see what tech support says?


#18

Hi @jimmy2, it appears the account you emailed in on isn’t the same account your domain is registered with at Cloudflare which is why the original request was auto-closed. I’d recommend either opening a new ticket with the email associated with your account or use the submit a request link while logged into your account at the bottom of a page like this one: https://support.cloudflare.com/hc/en-us/articles/200170616-Why-am-I-getting-a-SSL-mismatch-error-


#19

I resubmitted a ticket with the proper email later in the day on Saturday and again this morning.

Followed your link and just submitted the ticket again.

Thanks!


#20

Everything working properly now!

Thanks to everyone for your help.