Hello I have an issue setting up Cloudflare pages, my setup is as follows:
I have two Cloudflare accounts, (account A) holds the pages deployment, and (account B) has my domain (DNS records).
I have also cross-account setup, such that adding custom domain in pages on account A, will auto add DNS record in account B. Everything goes smoothly when I access my website from pages deployment URL, but when I access from custom domain URL, I get ERR_SSL_VERSION_OR_CIPHER_MISMATCH
I have been struggling for many days, any help is much appreciated
Sorry for the tag, @Chaika I see you have been helping many others with the same issue. please have a look at your convenience. 🙏🏻
- pages URL (working): https://forest-landing.pages.dev
- custom domain (not working): https://forest.chainsafe.io/
ERR_SSL_VERSION_OR_CIPHER_MISMATCH means there's no ssl cert issued
Check over https://developers.cloudflare.com/pages/configuration/debugging-pages/#missing-caa-records
Specifically the CAA part
;; ANSWER SECTION:
chainsafe.io. 300 IN CAA 0 issue "comodoca.com"
chainsafe.io. 300 IN CAA 0 issue "digicert.com"
chainsafe.io. 300 IN CAA 0 issue "letsencrypt.org"
chainsafe.io. 300 IN CAA 0 issuewild "amazon.com"
chainsafe.io. 300 IN CAA 0 issuewild "amazonaws.com"
chainsafe.io. 300 IN CAA 0 issuewild "amazontrust.com"
chainsafe.io. 300 IN CAA 0 issuewild "awstrust.com"
chainsafe.io. 300 IN CAA 0 issuewild "comodoca.com"
chainsafe.io. 300 IN CAA 0 issuewild "digicert.com"
chainsafe.io. 300 IN CAA 0 issuewild "letsencrypt.org"
You're missing pki.goog
Awesome, thanks for the quick check, I will add the CAA and see.
@Chaika a quick question please, should I add all 8 CAA records for my subdomain forest.chainsafe.io? Or is just adding the missing pki.goog for the root domain chainsafe.io enough?
You've already got all of the other ones as far as I can see. Pages itself only uses Let's Encrypt or GTS/pki.goog
oh you mean specifically for that subdomain, CAA works recursively, since there's nothing on forest it uses the ones on chainsafe.io
So you can just add pki.goog to root. I would then wait a few mins and readd the custom domain and see
ok got it, I will add below two missing CAAs for root domain, and expect the custom domain forest.chainsafe.io gets SSL cert.
1. CAA chainsafe.io issue pki.goog
2. CAA chainsafe.io issuewild pki.goog
You don't need the issuewild but it won't hurt. I would also remove and readd the pages Custom domain in the Pages Custom Domain tab, otherwise, if it's been more than 7 days it's already given up, even if it hasn't been it's still way slower as it exponentially falls off in retry intervals over time: https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/domain-support/hostname-validation/backoff-schedule/
Removing, readding, would reset that
one last question, how do I define this value cansignhttpexchanges=yes as I see in the dig output of CAAs? Or will it be added automatically?
don't need it for Pages. Some DNS Providers may not support it with their editors
you are awesome 🙏🏻 , the pages custom domain is up
https://forest.chainsafe.io/
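
The CAA inheritance discussed in this thread, as an added example that is not part of the original posts: an offline evaluator that climbs from forest.chainsafe.io to the nearest CAA record set and checks which CAs may issue, before and after adding pki.goog. The `ZONE` and `FIXED` dictionaries are constructed from the dig output quoted above; live DNS lookups and CNAME handling are left out as simplifying assumptions.

```python
# Constructed zone data: the CAA RRset quoted in the thread for chainsafe.io.
# forest.chainsafe.io has no CAA records of its own, so it has no entry here.
ZONE = {
    "chainsafe.io": [
        ("issue", "comodoca.com"), ("issue", "digicert.com"),
        ("issue", "letsencrypt.org"),
        ("issuewild", "amazon.com"), ("issuewild", "amazonaws.com"),
        ("issuewild", "amazontrust.com"), ("issuewild", "awstrust.com"),
        ("issuewild", "comodoca.com"), ("issuewild", "digicert.com"),
        ("issuewild", "letsencrypt.org"),
    ],
}
# The same zone after the fix from the thread: one extra record on the root.
FIXED = {"chainsafe.io": ZONE["chainsafe.io"] + [("issue", "pki.goog")]}


def relevant_rrset(name, zone):
    """Climb from `name` toward the root and return (owner, records) for the
    first non-empty CAA RRset (RFC 8659 section 3), or (None, [])."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def ca_may_issue(name, ca, zone):
    """True if CAA permits `ca` to issue for `name` ('*.' prefix = wildcard)."""
    wildcard = name.startswith("*.")
    _, records = relevant_rrset(name[2:] if wildcard else name, zone)
    issue = [v for t, v in records if t == "issue"]
    issuewild = [v for t, v in records if t == "issuewild"]
    # issuewild replaces issue for wildcard names and is ignored otherwise.
    values = issuewild if (wildcard and issuewild) else issue
    if not values:
        return True  # no restricting property: CAA does not limit issuance
    # Parameters such as "; cansignhttpexchanges=yes" follow the CA domain;
    # a bare ";" leaves an empty domain, which matches no CA.
    return ca.lower() in {v.split(";")[0].strip().lower() for v in values}


if __name__ == "__main__":
    host = "forest.chainsafe.io"
    print("records inherited from:", relevant_rrset(host, ZONE)[0])
    for label, zone in (("before", ZONE), ("after", FIXED)):
        for ca in ("letsencrypt.org", "pki.goog"):
            print(label, ca, ca_may_issue(host, ca, zone))
```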