Suddenly getting ERR_SSL_VERSION_OR_CIPHER_MISMATCH
My website is a NextJS app hosted on Vercel, and now I'm suddenly getting an ERR_SSL_VERSION_OR_CIPHER_MISMATCH error. This has only been happening for the past hour or so, despite having the site live for months. What is going on here?
20 Replies
What's the url?
gamblo.ag
I did notice that the edge certificates vanished
That error is generic, but specifically in the context of Cloudflare, Cloudflare will respond with that if it doesn't have a valid edge certificate to use for it. Could be something else too like mitm
so I just disabled universal SSL and re-enabled it, now they're back pending verif
Did you have Universal SSL disabled before?
nope
It looks like you delegated _acme-challenge to Vercel?
I only did that recently as an attempt to fix
Fix.. what?
the error
I delegated acme after error occurred
I was assuming the issue was with Vercel, not Cloudflare
it was only after pausing cloudflare I realised the issue was cloudflare
oh ok, yea that might have caused a few issuance attempts to fail as well
you could keep it unproxied until CF issues the new universal certs
Well we're using the "under attack" mode right now as some guy called our /auth routes a bunch of times and racked up our costs
he was trying to find a way in
if I go unproxy, that leaves that door wide open
(he was using a script)
--
The edge certs are pending validation, how long do they typically take?
Also, I think I messed up the TXT records for the acme-challenge
Usually only a few minutes, but you definitely broke the first few attempts with the delegation, and each time it fails it falls back for longer.
I would delete any you manually created
does CF create the acme-challenge TXT record automatically?
CF will take care of creating them automagically as they are your DNS, any you create to try to help it would just conflict
Okay tyvm, I will give this a few minutes and come back here to share the results, appreciate it ❤️
Nothing worse than dealing with things over a weekend or over the holiday periods
So once this is done, I shouldn't have to do anything ever again right? certs will auto-renew etc...
In a perfect world it would have already auto-renewed and not let it expire in the first place, so something messed, we'll see.
It looks like it is trying, I assume you deleted the acme-challenge txts you manually made?
;; ANSWER SECTION:
_acme-challenge.gamblo.ag. 283 IN TXT "9jkYSwmQImwE8B7pYiW8WfDau7r2wZkwO_QxVW9hqLI"
_acme-challenge.gamblo.ag. 283 IN TXT "Br2xLSdrhmUQQMCdDi2-SwcBdOYrkv9TtEcJ9tP65ME"
_acme-challenge.gamblo.ag. 283 IN TXT "JVFaO4oZaG3Vbss1vaNQq_AjRfSHKBkxJ-QR7bkL3VE"
_acme-challenge.gamblo.ag. 283 IN TXT "pujFH7Egvxvq7D2U2HOM5oOoWS2krgYjXsD1jOsvQI0"
yeah deleted
no dns record by the name of _acme-challenge exists now
Looks issued now
Yes, all good, we're back up and running. Thank you so much for your help ❤️