SSL_ERROR_NO_CYPHER_OVERLAP
domain: bayon.et
i don't really have any other info other than the fact that i had some errors that said "failed to verify txt" in the edge certificate area
28 Replies
.et is a really silly TLD which has CAA records at its root (they're bad, that's bad behavior)
;; QUESTION SECTION:
;et. IN CAA
;; ANSWER SECTION:
et. 0 IN CAA 0 issue "sectigo.com"
et. 0 IN CAA 0 issue "digicert.com "
et. 0 IN CAA 0 issuewild "sectigo.com"
et. 0 IN CAA 0 issuewild "digicert.com "
et. 0 IN CAA 0 issue "letsencrypt.org"
et. 0 IN CAA 0 issue "entrust.net"
et. 0 IN CAA 0 issue "gandi.net"
et. 0 IN CAA 0 issuewild "entrust.net"
et. 0 IN CAA 0 wildcard "sectigo.com"
I bet the Universal SSL is trying to issue a Google/GTS one, and it's failing? You'll need to create a CAA record for pki.goog on your root (@)
How
@Chaika
navigate to your website in Cloudflare -> DNS -> Records, create this:
once you create one, CF should automatically create all of the others (virtually, you won't see them in your dashboard). And having ones set for your site override the ones set by your TLD/.et
What's the status of the universal ssl cert under SSL/TLS -> Edge Certificates? If it's timed out, you'll need to disable Universal SSL, wait for a few minutes, and re-enable to have it try again
i assume if i have subdomains i also have to do this too?
no, it'll use the one on your root
roger, i'll lyk
although you could set ones in subdomains to override them, if you wanted to. Just like how you're creating these to override the ones on .et
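To make the CAA climb discussed above concrete, here is an added Python example (not from the thread and not Cloudflare's code): an RFC 8659-style lookup over a constructed zone snapshot built from the dig output, first with bayon.et lacking its own CAA record and then with the pki.goog record added at the apex. The zone dicts, function names and the "before/after" snapshots are assumptions for illustration.

```python
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]  # CAA (tag, value); flags omitted, every record in the thread has flag 0

# Constructed zone snapshot based on the dig output quoted in the thread.
# "bayon.et" is deliberately absent: it had no CAA records of its own when the error
# appeared, so the lookup climbs up and lands on the .et records instead.
ZONE_BEFORE: Dict[str, List[Record]] = {
    "et": [
        ("issue", "sectigo.com"), ("issue", "digicert.com "),  # trailing space as published
        ("issuewild", "sectigo.com"), ("issuewild", "digicert.com "),
        ("issue", "letsencrypt.org"), ("issue", "entrust.net"),
        ("issue", "gandi.net"), ("issuewild", "entrust.net"),
        ("wildcard", "sectigo.com"),  # not a registered CAA tag; non-critical, so ignored
    ],
}

# Same snapshot after the fix suggested in the thread: a CAA record for pki.goog at the apex (@).
ZONE_AFTER: Dict[str, List[Record]] = {**ZONE_BEFORE, "bayon.et": [("issue", "pki.goog")]}


def relevant_caa(name: str, zone: Dict[str, List[Record]]) -> Tuple[Optional[str], List[Record]]:
    """RFC 8659 section 3: walk from `name` toward the root and return the closest
    non-empty CAA RRset together with the name it was found at."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []


def ca_permitted(name: str, ca_domain: str, zone: Dict[str, List[Record]],
                 wildcard: bool = False) -> bool:
    """True if `ca_domain` may issue for `name` under RFC 8659 processing.
    No relevant CAA RRset anywhere up the tree means any CA may issue."""
    _, rrset = relevant_caa(name, zone)
    if not rrset:
        return True
    # For wildcard names, issuewild records take precedence when any exist;
    # otherwise (and for non-wildcard names) the issue records are authoritative.
    tag = "issuewild" if wildcard and any(t == "issuewild" for t, _ in rrset) else "issue"
    allowed = {v.split(";")[0].strip().lower() for t, v in rrset if t == tag}
    return ca_domain.lower() in allowed
```

Subdomains such as www.bayon.et resolve to the apex record in ZONE_AFTER, which is why only the root record was needed.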
alright thanks, i'll lyk if i have any more issues
doing this rn as it was "timed out"
It'd be nice if CF understood .et is being silly and has those set and deployed those for you, hopefully one day. It's just not something they should be doing though.
I see your domain now has all the CAA records it needs
yeah would be ideal, in all my time doing stuff like this i've never seen a cypher overlap error
and tbh the info online is kinda terrible
it's also weird, it used to work just fine, so i'm curious how this happened
CF uses the cypher overlap error primarily to signal that they don't have a certificate to serve for that request/make TLS work
for that same et domain, with ssl? Perhaps it was done before .et decided to create those caa records? Not sure when they were added, been at least a few months though
3 weeks ago was when the issue started
same domain, certbot, same thing
i renewed my cert then it gave me the issue
so maybe because the certs were 2 and a half months old, they didn't require this weird CAA stuff?
It looks like in Nov of 2023 .et added the CAA records
you still have an _acme-challenge txt record, is that from certbot?
i do?
not on my end
must be one of the ones from it automagically trying to issue then. You disabled and re-enabled? It looks like it's still struggling, maybe rate-limited by failures
yeah i disabled and just re-enabled it at :42
so just over 5 mins
still says "pending validation (txt)"
what's the issuer/authority it's trying to use when you expand the cert?
no I mean in Cloudflare under ssl/tls -> edge certs
should be able to expand the one it's trying to issue
google trust
well the caa records of .et would def have been blocking that before lol
i think it's trying to do it now, as it's now showing the txt records n stuff when i expand it
looks like it did it/issued properly
yep, cool thanks appreciate it, do you know if this will affect my emails btw?
All Cloudflare does for mail is just DNS. SSL cert/etc doesn't matter, just make sure it's unproxied. Which it looks like it is
yep okay cool
thanks g