Can't get Wordpress to work with Let's Encrypt

Every few months I try to get this to work and then give up after a day of messing around with it. So I tried again today. I added a Let’s Encrypt certificate to my shared hosting website using the installation icon in cpanel. I tested that it was working through a couple of ssl checker sites and it passes. I put cloudflare in development mode so it doesn’t add extra problems. I then changed the Wordpress Address and Site Address in Wordpress from http to https. I then tried to access the website via https and I get the following message:

This site can’t provide a secure connection

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Unsupported prototcol
The client and server don’t support a common SSL protocol version or cipher suite.

I am also locked out of wordpress and have to go into phpadmin and change the addresses back to http. What step am I missing?

Hi,

If you are using cloudflare as your cdn provider, you won’t need to use any certificate other than Cloudflare for visitors to view your site. (As universal SSL is enabled by default)

Also, can you please share your domain name so we can take a look at what’s happened?

Thank you

The problem with Cloudflare is that it does not encrypt from the hosting company’s server to Cloudflare, only from Cloudflare to the user, so that is why I installed lets’s encrypt. After I get let’s encrypt working, I will enable Full Strict SSL on Cloudflare so I am encrypted end to end.

The website is:

www.roadramblersmc.com

DONT GIVE UP! GIVE INFO!

You’ll need to re-enable SSL on your server to troubleshoot.

Use a 3rd party evaluation tool to analyse the configuration.
Eg: https://www.ssllabs.com/ssltest/analyze.html?d=www.roadramblersmc.com
(the error output is the key to resolution)

ERR_SSL_VERSION_OR_CIPHER_MISMATCH : Although a “pain”, is not uncommon. This can be resolved.

Kinsta’s KB has info that could help you troubleshoot an may be useful for you.

Understand SSL and TLS Deployment and apply “Best Practices” to your configuraton.

4 Likes

Hi,

When you signed up to Cloudflare, you should have enabled Universal SSL by default.

However, when you signed up Cloud flare via third party (in this case is your hosting provider) & use CNAME (Add record to cname your domain to "yourdomain.tld.cdn.cloudflare.net") instead of DNS (change your domain settings to use Cloudflare's server than your original server), you need to contact your hosting provider(not Cloudflare) to enable the feature (SSL)

https://support.cloudflare.com/hc/en-us/articles/200170566-Why-isn-t-SSL-working-for-my-site-

You've signed up through a hosting provider and are at the free level of service

As of July 18 2016 Universal SSL is available to Free plan customers who have signed up with a hosting partner. Please contact your hosting partner to submit a request to have Universal SSL activated. If your hosting partner does not yet offer this feature, share this link with them : How do I enable Universal SSL for my customers?

Thank you.

@pjc123

Sorry, the previous version is consist of typo and grammar mistakes.
Fixed.

@RIP. I turned SSL back on. SSL labs issues an “A” grade for roadramblersmc.com, but fails when trying to connect to www.roadramblersmc.com (With the www). I went through the troubleshooting document but didn’t see anything wrong there.

@stevenzhu. Hum, not sure what all that means, as I am no web person, just have a couple of personal websites. Maybe putting Cloudflare into development mode was not enough to disable it. I am going to have to dig around some more.

Let's Encrypt doesn't provide a big benefit in this configuration compared to using CloudFlare's origin CA.

You can get a free certificate for your origin server that only CloudFlare will accept and that's valid for years. The only advantage of using Let's Encrypt in this scenario is that you'd be better-prepared in advance in case you want to switch away from CloudFlare in the future.

@schoen. My website is on a server owned by a hosting company, so I do not have access to install the necessary files for Apache.

Hi,

You can Query SSL on your root domain because the root domain IS NOT using Cloudflare.
However, your www domain is using Cloudflare's service and under partial DNS integrations, in this case, you'll need to contact your hosting provider, stablehost.com, request "enable Universal SSL support" (for Cloudflare).

Cloudflare's Universal SSL was issued under Comodo ECC CA, however on your crt.sh, there are no certificates issued under Comodo. (Which means Universal SSL is not enabled, that's why you can't visit your site via https)

References:
https://support.cloudflare.com/hc/en-us/articles/222612707-How-do-partners-enable-SSL-for-partial-and-full-DNS-integrations-

For Partial (CNAME) setup, due to new guidelines by the issuing CA, issuing the certificate requires that you place CNAME records for SSL verification under your authoritative DNS provider. These CNAME records can be obtained by running this Cloudflare API call (instructions). Please note, that the domains that are affected are those that were added or required to be renewed after July 20, 2017.

https://support.cloudflare.com/hc/en-us/articles/200170566-Why-isn-t-SSL-working-for-my-site-

You've signed up through a hosting provider and are at the free level of service:
As of July 18 2016 Universal SSL is available to Free plan customers who have signed up with a hosting partner. Please contact your hosting partner to submit a request to have Universal SSL activated. If your hosting partner does not yet offer this feature, share this link with them : How do I enable Universal SSL for my customers?

This is for Hosting Provider:
https://support.cloudflare.com/hc/en-us/articles/115000844251-How-do-I-obtain-an-SSL-certificate-for-customers-on-partial-CNAME-setup-

If your customers' domains were added on partial (CNAME) setup after July 20, 2017, you will need to use the following API call to obtain CNAME record/s for SSL to be issued successfully and placed under your authoritative DNS.

Thank you.

Is the hosting company providing integration with Let's Encrypt, but not allowing you to import other certificates that you obtain from outside sources?

Hi,

@schoen, Can you please advice him to pay attention to my replies…

He just needs to ask his hosting provider to enable Universal SSL for his Cloudflare Website… (I don’t know why you guys are so focused on his Website SSL as he has already issued SSL cert and it’s working)

Thank you.

In my case, because I sometime forget the context of people's questions and only look at the last thing they've said or asked, because I participate in so many forum threads. :slight_smile:

@pjc123, apparently @stevenzhu has already proposed a solution to your specific problem here.

SOLVED (02-08-2018): Thanks to @Rip for providing the ssllabs link. It led me in the right direction. After bringing up the issue of my certificate not showing up with the full domain name, in a post in the Cloudflare forum, a user realized right away that one of my DNS entries was not correct. I now have Let’s Encrypt providing a secure green padlock on my site using Strict SSL on the Cloudflare side. I knew all those tutorials couldn’t be wrong!

@schoen. By the way I did come across instructions on how to add the Cloudflare Origin CA from within cpanel, like you said, instead of having to go into the file system. I t is another way to go, with the advantage of less overhead.

@stevenzhu. Universal SSL has always been active on Cloudflare, so that was never an issue.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.