estgd
Cloudflare Developers
•Created by estgd on 11/13/2024 in #general-help
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Hello, I am currently trying to resolve ERR_SSL_VERSION_OR_CIPHER_MISMATCH errors and hoping someone has some ideas on how to help.
Our application has different environments based on the subdomain off our main domain, and this is a SaaS application, so each customer has their own subdomain of that domain/subdomain.
So if for example we use "a.com" as the domain root, our users on the Production environment are under "a-customer.a.com" and users on our other environment would use "b-customer.b.a.com", "c-customer.c.a.com", etc.
Everything routes through Cloudflare and right now all non-production environments are getting this error. Up until recently, it was just a single environment getting this error, then suddenly this week all non-prod environments are getting this error and we can't figure out why.
In Cloudflare, we have Universal SSL enabled. The Encryption Mode is in Full (strict) mode. TLS 1.2 is the minimum version and TLS 1.3 is enabled but not required.
We are using the Advanced Certificate Manager to have both Advanced and Total TLS certificates to cover different subdomains (one subdomain is using Advanced / manual and the rest are using Total TLS). All the Edge certificates are currently Active and not expired and are covering the domain/subdomains and are wildcarded. So we have certs for *.a.com, *.b.a.com, *.c.a.com, etc.
We are using AWS EC2 load balancers (one per environment) and were previously using the Origin Certificates from Cloudflare on the load balancers. These certs mirror the Edge certs in what they cover and are active. We did try and manually generate certs on AWS and put those certs on the AWS load balancers but that hasn't resolved the issue.
We were previously using the default TLS ciphers in Cloudflare but have now used the API to manually set them to the exact ciphers that AWS is using; that hasn't worked either.
3 replies
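An added example, not part of the original post or of Cloudflare's tooling: a check of which hostnames a set of certificate names covers, using the rule that a wildcard stands for exactly one left-most label. The hostnames are the post's placeholders; the certificate list is constructed and deliberately leaves out `*.c.a.com` to show how a coverage gap appears.

```python
# Added example. Matching follows the RFC 6125 single-label wildcard rule;
# the "at least two labels after the wildcard" check is a simplification
# of the public-suffix rules that browsers apply.

def san_covers(san: str, hostname: str) -> bool:
    """Return True if one certificate name covers the hostname."""
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False  # a wildcard never spans more than one label
    if san_labels[0] == "*":
        # Wildcard is honoured only as the whole left-most label.
        return len(san_labels) > 2 and san_labels[1:] == host_labels[1:]
    return san_labels == host_labels


def coverage(sans, hostnames):
    """Map each hostname to the certificate names that cover it."""
    return {h: [s for s in sans if san_covers(s, h)] for h in hostnames}


def uncovered(sans, hostnames):
    """Hostnames that no certificate name covers."""
    return [h for h, hits in coverage(sans, hostnames).items() if not hits]


# Constructed sample data (placeholder names from the post, not real hosts).
EDGE_CERT_NAMES = ["a.com", "*.a.com", "*.b.a.com"]
HOSTNAMES = [
    "a-customer.a.com",
    "b-customer.b.a.com",
    "c-customer.c.a.com",
    "b.a.com",
]

if __name__ == "__main__":
    for host, hits in coverage(EDGE_CERT_NAMES, HOSTNAMES).items():
        print(f"{host:22} -> {', '.join(hits) if hits else 'NOT COVERED'}")
```

Feeding it the names listed on each active edge certificate and the hostnames that fail shows whether any failing hostname lacks a covering certificate name.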
Cloudflare Developers
•Created by estgd on 9/24/2024 in #general-help
Any way to opt a subdomain back in to Total TLS
I have Total TLS enabled on my account and had one of the subdomains get stuck validating for a while. I then deleted the cert and DNS record and re-added the DNS record, assuming it would attempt to make a cert using the Total TLS again. I wasn't aware of the warning about assumed opt-out in https://developers.cloudflare.com/ssl/edge-certificates/additional-options/total-tls/. The guide doesn't provide any means of opting back in. Is there a way of doing so? Perhaps by updating something via one of their APIs?
3 replies