`This hostname is not covered by a certificate` only on Pages CNAMEs

See image:
DanTheGoodman
DanTheGoodman15mo ago
does not happen for workers, only for pages CNAMEs, and according to the cert manager it should be covered
Hello, I’m Allie!
If you visit the domain, does it show a cert?
DanTheGoodman
DanTheGoodman15mo ago
browser can't load it from the domain, and https://tangialeaderboardfrontend.pages.dev/ shows `Failed to load resource: net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH` in the console. @HardAtWork so the Pages hosting directly seems to be having issues.
Hello, I’m Allie!
That one loads fine for me
DanTheGoodman
DanTheGoodman15mo ago
if you check the console it's not
DanTheGoodman
DanTheGoodman15mo ago
I see that too. oh well, it's trying to get from the domain lol. yeah:
htmx.js:3080 GET https://leaderboard-frontend.cf.tangia.co/root net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Hello, I’m Allie!
Oh. How old is the custom domain?
DanTheGoodman
DanTheGoodman15mo ago
8 days
Hello, I’m Allie!
Did it work before?
DanTheGoodman
DanTheGoodman15mo ago
I don't think I ever checked tbh. fixing something someone who is offline in Germany made and is now away for the weekend lol
Hello, I’m Allie!
Try deleting the custom domain and then re-adding it
DanTheGoodman
DanTheGoodman15mo ago
ok. @HardAtWork immediately shows it again
Hello, I’m Allie!
Give it a minute
DanTheGoodman
DanTheGoodman15mo ago
@HardAtWork still the same :/
Hello, I’m Allie!
Hm…
DanTheGoodman
DanTheGoodman15mo ago
Some more context: we have cf.tangia.co on Cloudflare, not tangia.co. don't think that's an issue as it's clearly not for workers, but some context
DanTheGoodman
DanTheGoodman15mo ago
we do have a pages site that isn't using the cloudflare DNS that works fine
DanTheGoodman
DanTheGoodman15mo ago
but anything using the cf subdomain is having issues
DanTheGoodman
DanTheGoodman15mo ago
could it be because it's proxied? the error goes away in the dashboard but it's still showing SSL issues on the browser when I turn proxy off
Hello, I’m Allie!
Might be ACM just broke and got stuck…
DanTheGoodman
DanTheGoodman15mo ago
I just tried recreating it again without proxying, no luck
DanTheGoodman
DanTheGoodman15mo ago
Google dig is pulling A records too...
DanTheGoodman
DanTheGoodman15mo ago
that shouldn't happen when it's not being proxied IIUC. And it keeps renewing them? @HardAtWork does that sound right? happens with proxying or just DNS. if I go to add a new one it doesn't even recognize that CF has it like workers does
Hello, I’m Allie!
Think it only tries once
DanTheGoodman
DanTheGoodman15mo ago
I tried with another subdomain too, still an issue. I don't think there are any CAA records either that would prevent this, because our workers are fine
Chaika
Chaika15mo ago
It might be related, not 100% sure, but if I recall correctly Pages likes to use GTS sometimes, and you're missing the CAA for it:
;; ANSWER SECTION:
tangia.co. 60 IN CAA 0 issue "amazon.com"
tangia.co. 60 IN CAA 0 issue "amazonaws.com"
tangia.co. 60 IN CAA 0 issue "amazontrust.com"
tangia.co. 60 IN CAA 0 issue "awstrust.com"
tangia.co. 60 IN CAA 0 issue "globalsign.com"
tangia.co. 60 IN CAA 0 issue "letsencrypt.org"
Chaika
Chaika15mo ago
Debugging Pages · Cloudflare Pages docs
When setting up your Pages project, you may encounter various errors that prevent you from successfully deploying your site. This guide gives an …
DanTheGoodman
DanTheGoodman15mo ago
Huh… so maybe those records were made after the workers cert was provisioned?
Chaika
Chaika15mo ago
The workers cert was a Let's Encrypt one, which is allowed
DanTheGoodman
DanTheGoodman15mo ago
Oh lol
Chaika
Chaika15mo ago
Pages may have simply just picked to use GTS and hit a wall
DanTheGoodman
DanTheGoodman15mo ago
What is GTS?
Chaika
Chaika15mo ago
Google Trust Services, Google's own CA
DanTheGoodman
DanTheGoodman15mo ago
Ah ok. That’s probably it, let me add them real quick
Chaika
Chaika15mo ago
The Cloudflare ones are linked in the guide above under Missing CAA Records. You probably don't need digicert/comodoca (which is Sectigo iirc) or issuewild, but you might want to do them anyway just in case
DanTheGoodman
DanTheGoodman15mo ago
yeah will do. ofc it was the one thing I thought it wasn't so I never checked. well, assuming it is. according to Pages one of the domains actually added just fine, even though the DNS said it wasn't fine. just changed the CAA and added the records back in CF, still see the warning but hopefully that goes away soon. Makes sense that it would be the issue. tysm @chinam1 oops wrong ping @chaika.me
Chaika
Chaika15mo ago
looks like it loads now, and it was trying to issue a GTS cert
Chaika
Chaika15mo ago
Your worker is throwing though: https://leaderboard-frontend.cf.tangia.co/root
DanTheGoodman
DanTheGoodman15mo ago
cool, and yeah that's expected, it's a Twitch extension so it tries to load something in the window, the Twitch SDK and such. tysm again!!!
Chaika
Chaika15mo ago
no problem
DanTheGoodman
DanTheGoodman15mo ago
it still says that the cert is an issue on the CF dashboard, but browser seems to be fine