Whenever I try to connect, I get SSL errors to Cloudflare's servers

That's literally it, try accessing battleoftheforces (dot) net, not a Cloudflare error page, something is not right between Cloudflare's SSL stuff. DNS page says “This hostname is not covered by a certificate” for @ (dot) battleoftheforces (.) net.

There seem to be a few SSL issues on your server and on Cloudflare. The server ones should be fixed first.

Can you pause Cloudflare and verify that your site loads fine on HTTPS?

SSL option is set to Flexible, site worked fine, I forgot to renew and the domain expired, I re-registered it on Feb 12th and nothing has worked since (DNS or other settings were not cleared), I can still access the server over HTTP (doesn't have HTTPS yet)

I am getting an error trying to connect to Cloudflare's servers, not to the origin, and SSL settings are set to Flexible

That’s the issue, it needs to be Full Strict. As mentioned, pause Cloudflare and first fix the server issue.

Nothing “needs” to be Full Strict, these are not production servers and even in test, nothing sensitive is getting out (it's primarily used for configuration updates). I am not here to discuss best practices but to try to get up and running. That being said, I am getting errors connecting to Cloudflare's proxies with the error “ERR_SSL_VERSION_OR_CIPHER_MISMATCH”. If it was an SSL error between Cloudflare and the origin server, a 525 error page would have been returned. More info on 525 here: Troubleshooting Cloudflare 5XX errors · Cloudflare Support docs

Yes, it needs to be Full Strict, as you otherwise have encryption disabled and run into exactly these issues. If you do not want SSL, set it to Off.

I am surprised you are arguing here, as you came here for advice, but now refuse to take it.

1 Like

Full Strict is an option, not a requirement. Even if I do set up HTTPS and use strict certificates, this error will not get resolved, since the SSL error from Cloudflare's edge servers to the client would not get resolved.

As I already wrote, Full Strict actually is a requirement, otherwise you have no encryption.

And as I also already wrote, there are several issues and the server issue should be fixed first.

I already addressed everything in the first reply → Whenever I try connect, get SSL errors to cloudflares servers - #3 by sandro

Simply follow the steps and we can fix it one by one.

1 Like

The error I see disagrees with that:

While you are right that there might be additional problems, it's really a waste of time to look into these until you change your SSL setting to Full Strict. Using Flexible is by far the most common cause for the error I see here.

Downloading and installing the Origin Certificate shouldn't take you more than 2-3 minutes, so I'm curious why you would rather argue for days than quickly fix the obvious issue.

3 Likes

Since the last disputes, I completely disabled everything HTTPS on that domain, so it's only reachable over HTTP atm. I tried on another domain (with another account) and HTTP (port 80, without port 443) worked fine. On a side note, the server is not always online, but I will keep it online for the sake of getting the same results. Try accessing with https://battleoftheforces.net (notice the s in https) and see what happens.

I fixed the issue. Here are the steps I took…
In the Cloudflare Dashboard => SSL/TLS => Edge Certificates

  • Make the domain reachable over plain HTTP
    • Disable “Always Use HTTPS”
    • Disable “Automatic HTTPS Rewrites”
  • Disable the Universal Certificate
    • Should be a button “Disable Universal SSL”
      Now wait a few days until certificate gets revoked (didn’t work when I waited a few hours) then…
  • Re-enable the Universal Certificate
    • The button that you used to disable should be labeled as “Enable Universal SSL” now
  • Refresh and now there should be a Pending Certificate, wait until it says “Active” (refreshing the page if you need to)
  • After the Universal Certificate is Active try accessing the site over HTTPS
  • If successful, re-enable the settings to use HTTPS when possible
    • Enable “Always Use HTTPS”
    • Enable “Automatic HTTPS Rewrites”

Even if I did this, the issue was HTTPS errors between Edge <==> Client because the Universal Edge Certificate was invalid, and going Full Strict with an Origin Certificate would not have solved the issue; an Origin Certificate is only used between Origin <==> Edge and not Edge <==> Client. Therefore, Cloudflare would still be able to pull info from the Origin, but would still fail to show resources on the client.
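As an added example (not code from this thread, from Cloudflare, or from the poster), the following Python script makes one HTTPS request and reports which leg failed, which is exactly the distinction argued over above: a TLS handshake that the proxy itself refuses is a Client <==> Edge (edge certificate) problem, while a completed handshake followed by a 525/526 status is an Edge <==> Origin problem. It assumes the hostname resolves to a Cloudflare proxy listening on port 443; the default hostname is the one discussed in the thread, and the status-code descriptions follow the Cloudflare 5XX document linked earlier.

```python
"""Triage where a Cloudflare-fronted HTTPS request fails: Client<->Edge or Edge<->Origin.

Added example for this thread, not code from the thread or from Cloudflare. It assumes
the hostname resolves to a Cloudflare proxy that listens on port 443.
"""
import http.client
import socket
import ssl
import sys

# Cloudflare's status codes for the proxy-to-origin leg (see the linked 5XX doc).
EDGE_ORIGIN_CODES = {
    520: "origin returned an unknown or empty response",
    521: "origin refused the connection",
    522: "connection to the origin timed out",
    523: "origin is unreachable",
    524: "origin timed out after the connection was made",
    525: "TLS handshake between Cloudflare and the origin failed",
    526: "origin certificate is invalid (Full (strict) mode)",
}


def probe(host, port=443, timeout=5.0):
    """Make one HTTPS GET and report the stage reached as (stage, detail).

    stage is one of "tcp", "tls-handshake", "tls-verify" or "http".
    """
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", "/", headers={"User-Agent": "tls-triage/0.1"})
        return ("http", conn.getresponse().status)
    except ssl.SSLCertVerificationError as e:  # subclass of SSLError, so check it first
        return ("tls-verify", e.verify_message)
    except ssl.SSLError as e:  # the proxy itself refused or aborted the handshake
        return ("tls-handshake", e.reason or str(e))
    except (OSError, socket.timeout) as e:  # DNS failure, refused connection, timeout
        return ("tcp", str(e))
    finally:
        conn.close()


def classify(stage, detail):
    """Map a probe result to (leg, explanation) so the right side gets fixed."""
    if stage == "tcp":
        return ("network", f"port 443 not reachable ({detail}); not a certificate problem")
    if stage == "tls-handshake":
        return ("edge-client",
                f"the proxy refused the TLS handshake ({detail}); browsers report this as "
                "ERR_SSL_VERSION_OR_CIPHER_MISMATCH. Check the certificate status under "
                "SSL/TLS > Edge Certificates; the SSL mode and the origin certificate "
                "play no part on this leg")
    if stage == "tls-verify":
        return ("edge-client",
                f"handshake completed but the edge certificate failed validation ({detail})")
    # stage == "http": the Client<->Edge leg worked, so look at what the edge answered
    if detail in EDGE_ORIGIN_CODES:
        return ("edge-origin", f"HTTP {detail}: {EDGE_ORIGIN_CODES[detail]}")
    return ("ok", f"HTTP {detail}: both legs are up")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "battleoftheforces.net"
    leg, explanation = classify(*probe(target))
    print(f"{target}: {leg}: {explanation}")
```

Run it as `python3 tls_triage.py example.com`; an `edge-client` verdict means the fix lives in the Edge Certificates page regardless of the SSL mode, while `edge-origin` means the proxy is reaching the client fine and the origin side (SSL mode, origin certificate, port 443 on the server) is what to look at.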

Everyone here knew how to fix the issue with the universal certificate, it happens all the time.

It’s just that no one wants to help you lie to your site’s visitors, especially when a fix is easily available in 2-3 minutes.

Yes, we hear “it’s just a development environment, no sensitive data bla bla bla” all the time. If you don’t want SSL, “Off” is a great setting.
There is just absolutely no reason not to take the 2 minutes to download and install a certificate, other than wanting to prove to everyone how you know better than them.

It’s really up to you now to decide whether it was worth wasting your time by looking for the “solution” yourself rather than just installing a certificate and being done after 5 minutes total, which is when someone would have told you about re-enabling Universal SSL.

1 Like

So you would instead not tell me how to solve an issue because you are unhappy with how things are set up? It's not your decision to tell others how to set up their systems. You can advise them and say you should probably turn on Full Strict, but don't gatekeep the solution. Yes, I get that Full Strict is recommended and encrypts traffic from Origin to Client; all my domains running in prod use Full Strict; that was never a problem. In a dev environment where HTTP serves only to provide static common resources, it is an opinion rather than a fact. The client program I am working on expects HTTPS. What's easier than setting SSL settings to allow HTTP from the origin, or rewriting a lot of code? I get it if the origin had potentially sensitive data, such as phone #, emails, or anything similar. Yeah, you'd better rewrite a part of the client, but then some random person on the internet thinks he knows the program(s) you work on better than you do and decides they call the shots.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.