ERR_SSL_VERSION_OR_CIPHER_MISMATCH
I have been banging my head against the wall for over 2 days now, installing an Origin certificate after my LetsEncrypt wouldn't renew because it's under Cloudflare. Two days, I kept changing SSL, nothing, still get the same dumb issue. https://www.digitalocean.com/community/tutorials/how-to-host-a-website-using-cloudflare-and-nginx-on-ubuntu-20-04
I followed this tutorial, but following it leads to nothing but this error, and I am sure the tutorial is fine. For the life of me I cannot tell what the hell is going on anymore with this crap.
My brain is melting as I write this
I did absolutely everything right
And yet not
I've got a site
That has nothing to do with this garbage
And I get the error still
That error involved with CF usually means it has no edge certificate to serve for that hostname. What's your site url?
I've no idea what an edge certificate even is
Here is the url with nginx configured https://vendor.iptvbp.com/
it's what Cloudflare calls ssl certificates that it uses/presents to the visitor
visitor -> cf edge cert -> cloudflare -> origin cert/ssl -> origin
I don't know why it wouldn't be in the tutorial, or most other tutorials.
I have not seen an edge certificate mentioned at all
usually issued by default with nothing manual unless you've changed something or broken something
I've not done anything but remove the LetsEncrypt SSL from my nginx configuration and set up this (that was 2 days ago); it didn't work, I thought I'd wait, and now I try again and it's still not working even after issuing a new one.
And anyway I do not understand why my Vercel-connected site is being affected by any of this. That part I cannot figure out at all.
if you go to SSL/TLS -> Edge Certificates, do you see any listed under the "Edge Certificates" section?
If you go to the bottom of that page, you should see either "Disable Universal SSL" or "Enable Universal SSL".
Magic Link: https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates
Yes
If Proxy is enabled on the record (and it's not dns-only), it's going through Cloudflare's CDN/Proxy and thus Cloudflare needs a valid ssl certificate to use/serve
so you are saying without an edge certificate using origin is pointless and does not work?
for full security and encryption, you need both an edge and origin certificate. Edge is taken care of and renewed by Cloudflare
yes to what?
I see it, that's all, it's enabled
you see a universal edge certificate, that is active/not pending?
I don't
no certificates
ok, and at the bottom of that page, do you see the part about "Enable/Disable Universal SSL"?
Yes
does it say enable, or disable?
Disable
if the button says "disable", disable it, wait a min or so, and then re-enable it, and give it a bit to issue the certs
at any rate why would this affect my proxied vercel deployment?
https://discord.com/channels/595317990191398933/1236461072299331666/1236464461464997949
visitor -> cf edge cert -> cloudflare -> origin cert/ssl -> origin
Well, I don't have my deployment on there on the hosts for the certificate, so I am wondering why.
Vercel takes care of the origin ssl side automatically if that's what you're asking, doesn't change the bit about CF's side needing an edge certificate
Why did it work all this time then?
I didn't just set this up, I've been using this for months and months.
I only now set up origin CA for my nginx server.
oh it looks like you delegated _acme-challenge to Vercel? That would break it and stop CF from renewing the ssl certs
Well, that's interesting.
I guess a year must have passed.
I think that's required,
not sure.
shouldn't be, they document they support HTTP challenges and not just DNS, and even document Cloudflare support here: https://vercel.com/docs/integrations/external-platforms/cloudflare
I guess as long as it says pending validation for the certificate it's not active?
right, and it won't work until you delete those _acme-challenge nameserver records
alright
I guess this is all a great coincidence then. A year must have passed since I set up Cloudflare and Vercel together, and the server LetsEncrypt expired at the same time as well and couldn't renew.
Too hard to grasp.
well you don't need to worry about the origin-side if you can just hook up Cloudflare's origin certs there
I've just deleted those acme records.
Well, that's what I'm doing: I could not renew LetsEncrypt so I looked up this origin stuff.
nice, I can see the _acme-challenge txts Cloudflare is making for the universal now, just give it a bit and it should retry and succeed
okay, thank you.
Certs issued now and that error is gone; the vendor subdomain still gives a 502 / Bad Gateway though. Either from your origin, or if you're using Cloudflare Tunnels, Tunnels can give that.
All is well now, by the looks of it, thank you!