Www subdomain inaccessible over SSL. No Edge certificate listed for active domain

Answer these questions to help the Community help you with Security questions.

What is the domain name?
odysseus-unbound.org

Have you searched for an answer?
yes

Please share your search results url:

When you tested your domain, what were the results?
Subdomain www.odysseus-unbound.org returns an ERR_SSL_VERSION_OR_CIPHER_MISMATCH in Chrome.
The ssltest tool on ssllabs.com returns the TLS error "cannot contact server" for the subdomain www.odysseus-unbound.org. The root domain is OK and is accessible over SSL.

Describe the issue you are having:
See above

What error message or number are you receiving?
See above

What steps have you taken to resolve the issue?

  1. Paused Cloudflare on the domain
  2. Checked Edge Certificate. None is listed when I would expect to see a free Universal certificate.
  3. Set SSL to Full rather than Full Strict

Was the site working with SSL prior to adding it to Cloudflare?
Yes. The site has been active on Cloudflare for five years. The issue arose in the last week or so.
Origin host is Siteground.

What are the steps to reproduce the error:

  1. Try to browse to www.odysseus-unbound.org (currently works, as the site is paused).

Have you tried from another browser and/or incognito mode?
Yes, same issue in Incognito.

Please attach a screenshot of the error:

Possible solution: it looks like a Universal Certificate needs to be issued, as perhaps renewal has failed?

Hi there,

Sorry for the issues you are facing.

If I can recommend that you browse to the ‘SSL/TLS’ tab on our dashboard and, under ‘Edge Certificates’ at the bottom of the page, disable and re-enable Universal SSL.

This will start a new order for a Universal SSL certificate and hopefully get a certificate in place at our edge.

Your possible solution is the most likely cause here.

Let us know if you have any difficulties after this.

I see you are using a third-party set of nameservers as your authoritative DNS provider and not Cloudflare. In order to keep your SSL certificates renewing seamlessly, I would recommend looking into configuring Delegated DCV (Delegated DCV — Domain Control Validation — SSL/TLS · Cloudflare SSL/TLS docs). This will ensure that when you are ordering or renewing any certificates, validation is completed by Cloudflare without you needing to do anything on your nameservers.

Hope this helps!

Thanks, Damian

Two certificates are now pending HTTPS validation, for odysseus-unbound.org and www.odysseus-unbound.org.

But looking at the documentation, it seems this method wants an entry in odysseus-unbound.org/.well-known/pki-validation but that folder is absent on my host (Siteground).

Can I use TXT validation - and if so, how can I change the validation method when I only have access to the dashboard and not the API?

Cheers, Julian

If you have two certificate orders for the root/apex and the www subdomain, your zone is likely on a partial/CNAME setup which means you are not using Cloudflare as your DNS provider.

In this case by default HTTP Validation is used to issue the certificates. You would need to ensure our proxy is enabled on your ‘www’ subdomain in order for the HTTP validation URL to be added by Cloudflare, so the certificate order process can complete.

If you want to change the validation method from HTTP to TXT record, that is possible, but it needs to be done via the API, as defined here - Cloudflare API Documentation

A partial/CNAME setup has a limitation: Cloudflare cannot protect the root/apex domain ( odysseus-unbound.org ) unless your DNS provider supports CNAME Flattening so that you can configure a CNAME record at the root/apex. This is discussed here - Partial (CNAME) setup · Cloudflare DNS docs. If your DNS provider does not support CNAME Flattening, then you would only be able to proxy subdomains through Cloudflare.

My recommendation would be to deactivate Cloudflare using the partial setup and move over to Cloudflare as your authoritative DNS provider. This allows Cloudflare to protect the root/apex as well as subdomains, but this is only my thought; you may have a preference or need to keep your nameservers where they are.
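An added example, not part of the thread and not Cloudflare's own tooling, covering both halves of the problem: the handshake failure the first post reports for www, and the pending-validation state and HTTP-to-TXT switch discussed in this answer. It assumes the Cloudflare API endpoints and response field names given in its docstring (check them against the current API docs before relying on them), an API token with SSL and Certificates edit permission on the zone, and a constructed sample verification body for offline use.

```python
"""Checks for the two things this thread turns on: whether the edge is serving a
certificate for www at all, and what the pending certificate packs need (plus the
API call that switches a pack from HTTP to TXT validation).

Added example for this thread, not Cloudflare's own tooling. ASSUMPTIONS, to be
checked against the current Cloudflare API docs:
  GET   /zones/{zone_id}/ssl/verification
  PATCH /zones/{zone_id}/ssl/verification/{cert_pack_uuid}  {"validation_method": "txt"}
and the response field names read in dcv_requirement(). The token needs
"SSL and Certificates: Edit" on the zone.
"""
import json
import os
import socket
import ssl
import sys
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def probe_edge_tls(host, port=443, timeout=5.0):
    """Handshake with SNI=host and report the certificate the edge offers.

    A proxied hostname with no edge certificate leaves the edge nothing to serve
    for that SNI, so it aborts the handshake (Chrome reports this as
    ERR_SSL_VERSION_OR_CIPHER_MISMATCH); that case comes back as ok=False here.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                sans = [v for kind, v in tls.getpeercert().get("subjectAltName", ())
                        if kind == "DNS"]
                return {"ok": True, "protocol": tls.version(), "sans": sans}
    except ssl.SSLError as exc:
        return {"ok": False, "error": "ssl: %s" % exc.reason}
    except OSError as exc:
        return {"ok": False, "error": "socket: %s" % exc}


def pending_packs(verification_body):
    """Certificate packs in a GET .../ssl/verification body that are not active yet."""
    return [p for p in verification_body.get("result", [])
            if p.get("certificate_status") != "active"]


def dcv_requirement(pack):
    """What has to be published for one pack (assumed field names, see top).

    HTTP validation: Cloudflare serves the token itself under
    /.well-known/pki-validation/ once the hostname is proxied (orange-clouded),
    so nothing is needed on the origin and a missing folder on SiteGround does
    not matter. TXT validation: the record goes in at the authoritative DNS provider.
    """
    info = pack.get("verification_info") or {}
    return {
        "pack": pack.get("cert_pack_uuid"),
        "method": pack.get("validation_method"),
        "status": pack.get("certificate_status"),
        "name": info.get("record_name"),
        "value": info.get("record_target"),
    }


def switch_validation_request(zone_id, pack_uuid, token, method="txt"):
    """Build the PATCH that changes a pack's validation method (built, not sent)."""
    body = json.dumps({"validation_method": method}).encode()
    return urllib.request.Request(
        "%s/zones/%s/ssl/verification/%s" % (API, zone_id, pack_uuid),
        data=body, method="PATCH",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})


def list_verification_request(zone_id, token):
    """Build the GET that lists the zone's certificate packs and their DCV state."""
    return urllib.request.Request(
        "%s/zones/%s/ssl/verification" % (API, zone_id),
        headers={"Authorization": "Bearer " + token})


# Constructed sample of a GET .../ssl/verification body (not a real API reply):
# one pack per hostname on a partial zone, both still waiting on HTTP validation.
SAMPLE_VERIFICATION = {
    "result": [
        {"cert_pack_uuid": "pack-apex", "certificate_status": "pending_validation",
         "validation_method": "http",
         "verification_info": {"record_name": "abc123.txt", "record_target": "token-one"}},
        {"cert_pack_uuid": "pack-www", "certificate_status": "pending_validation",
         "validation_method": "http",
         "verification_info": {"record_name": "def456.txt", "record_target": "token-two"}},
    ]
}


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    host = args[0] if args else "www.odysseus-unbound.org"
    print("edge TLS:", probe_edge_tls(host))
    zone, token = os.environ.get("CF_ZONE_ID"), os.environ.get("CF_API_TOKEN")
    if zone and token:
        with urllib.request.urlopen(list_verification_request(zone, token)) as resp:
            body = json.load(resp)
    else:
        body = SAMPLE_VERIFICATION  # no credentials: fall back to the constructed sample
    for pack in pending_packs(body):
        print(dcv_requirement(pack))
        if zone and token and "--txt" in sys.argv:  # only flips the method when asked
            req = switch_validation_request(zone, pack["cert_pack_uuid"], token)
            with urllib.request.urlopen(req) as resp:
                print("switched to txt:", json.load(resp).get("success"))
```

Run it with the hostname as the first argument to see whether the edge completes a handshake for that SNI; set CF_ZONE_ID and CF_API_TOKEN to read the real pending packs, and add --txt to issue the PATCH. Because Cloudflare answers the HTTP validation URL itself once the www record is proxied, the simplest fix for the pending packs in this thread is to orange-cloud www rather than switch to TXT; the TXT path is there for hosts that cannot be proxied during issuance.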
