Full strict ssl issues with cloudflare

Hi all,

I was able to generate my certs earlier and they appear to be working as expected from within my LAN (where my web server is also located), but when I turn SSL to full strict in Cloudflare and try to access my site from outside of my LAN, it throws a 526 invalid certificate error. When I change SSL from full strict to full, it works without any errors.

Is there a config issue in my virtual host?

I’m using Apache 2.4:

    <VirtualHost *:80>
        ServerName mysite.com
        DocumentRoot /path/to/site/public_html
        Redirect "/" "https://mysite.com/"
    </VirtualHost>

    <VirtualHost *:443>
        ServerAdmin root@localhost
        DocumentRoot /path/to/site/public_html
        ServerName mysite.com
        ServerAlias www.mysite.com

        <Directory /path/to/site/public_html>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        # SSL
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/mysite.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/mysite.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/mysite.com/chain.pem

        # Security features
        SSLProtocol All -SSLv2 -SSLv3 -TLSv1
        SSLHonorCipherOrder On
        SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES
    </VirtualHost>

Any help is appreciated!
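A 526 in Full (Strict) mode means Cloudflare could not validate the certificate the origin presented: the chain has to build to a public CA, the name has to match, and the certificate has to be within its validity window. The script below is an added diagnostic, not part of the original post or of Let’s Encrypt’s tooling; it performs the same three checks directly against the origin (bypassing the Cloudflare proxy by connecting to the origin IP while sending the site name as SNI) using Python’s `ssl` module, and maps OpenSSL’s verify error codes to the usual origin-side causes. The host name and `203.0.113.10` origin address at the bottom are placeholders to replace with your own.

```python
"""Check an origin server's certificate the way a strict-validating proxy would.

Added example (not from the forum thread). Assumes the origin is reachable
directly on port 443 and that the system CA bundle (or a `cafile`) is the
trust store to validate against.
"""
import socket
import ssl
from time import time

# OpenSSL X509 verify result codes -> likely origin-side cause.
# (Codes are the standard X509_V_ERR_* values exposed as
# ssl.SSLCertVerificationError.verify_code in Python 3.7+.)
VERIFY_CODE_REASONS = {
    2: "issuer certificate not sent and not in trust store (incomplete chain)",
    9: "certificate not yet valid (check the origin's clock)",
    10: "certificate expired (renew and reload the web server)",
    18: "self-signed leaf certificate (not publicly trusted)",
    19: "self-signed certificate in chain (not publicly trusted)",
    20: "unable to find issuer locally (SSLCertificateChainFile missing or wrong)",
    21: "unable to verify leaf signature (chain not served)",
    62: "hostname not in certificate SAN (wrong certificate for this vhost)",
}


def explain_verify_code(code, message=""):
    """Translate an OpenSSL verify code into a plain-language cause."""
    return VERIFY_CODE_REASONS.get(code, f"verification failed: {message}")


def parse_cert_time(cert_time):
    """Parse the 'notAfter' string format returned by getpeercert() to epoch seconds."""
    return ssl.cert_time_to_seconds(cert_time)


def days_until(not_after, now_epoch=None):
    """Whole days remaining until `not_after` (getpeercert() format), negative if expired."""
    now = time() if now_epoch is None else now_epoch
    return int((parse_cert_time(not_after) - now) // 86400)


def check_origin(host, origin_ip, port=443, cafile=None, timeout=5.0):
    """Connect to origin_ip with SNI=host and validate chain, hostname and validity.

    Returns a dict describing the outcome rather than raising, so it can be
    used from a monitoring job as well as interactively.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain + hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    result = {"host": host, "origin_ip": origin_ip, "ok": False, "reason": None,
              "protocol": None, "not_after": None, "days_left": None}
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()          # only populated after successful verification
                result.update(
                    ok=True,
                    protocol=tls.version(),
                    not_after=cert["notAfter"],
                    days_left=days_until(cert["notAfter"]),
                )
    except ssl.SSLCertVerificationError as exc:
        # Verification failed: this is what would surface as a 526 behind a strict proxy.
        result["reason"] = explain_verify_code(getattr(exc, "verify_code", None),
                                               getattr(exc, "verify_message", str(exc)))
    except (ssl.SSLError, OSError) as exc:
        result["reason"] = f"TLS/connection failure: {exc}"
    return result


if __name__ == "__main__":
    # Placeholder values: replace with your site name and the origin's real address.
    report = check_origin("mysite.com", "203.0.113.10")
    for key, value in report.items():
        print(f"{key:>10}: {value}")
```

If the script reports `unable to find issuer locally`, the origin is serving the leaf without its intermediate; with Apache 2.4.8 and later the simplest fix is to point `SSLCertificateFile` at `fullchain.pem` so the intermediate is always sent. A `hostname not in certificate SAN` result usually means a default or wrong virtual host is answering for that SNI name.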

I’d recommend entering your site into https://www.ssllabs.com/ssltest/ and seeing what it shows.

@jsha, I just finished running it through. Oddly enough, the site seems to load with full strict turned on in Cloudflare when I connect to the server from outside of my LAN. ssllabs.com is also giving it an A rating: https://www.ssllabs.com/ssltest/analyze.html?d=andrewshemo.com&hideResults=on

Not quite sure what was going on before… possibly a quirk on their end. Does my Apache config look correct?

From the results on ssllabs it looks like that site is hitting the Cloudflare version of your site, not your origin. If it’s acceptable to you, I’d recommend briefly pointing DNS directly at your origin instead of at Cloudflare and re-running the test.

@jsha, I temporarily turned off Cloudflare for my domain to run the ssllabs.com test directly against my server. Here are the results: https://www.ssllabs.com/ssltest/analyze.html?d=andrewshemo.com&hideResults=on

Just to note, I don’t think this is an issue with Let’s Encrypt… probably more so with Cloudflare and/or a misconfiguration in Apache on my end. Initially Cloudflare was giving me a ‘526: invalid certificate’ error when I turned SSL from flexible to full strict. After turning it to full and then full strict a few hours later, my site was loading without any Cloudflare errors.

I don’t know if this was a caching issue or what…


I’m facing the exact same issue as @andrewjs18. How did you manage to solve it?

I think I switched Cloudflare from full strict to full until everything was running smoothly and then switched it back to full strict.

I see. Are you able to give your 2 cents on the issue I’m encountering? With your experience with this, I’m hoping you’re able to pick up the reason as to why. Here’s the issue: HELP! Let’s Encrypt and CloudFlare: Error 526 when using Full(Strict) SSL. (Ubuntu 16.04 & Apache)

Switching to “full” allows insecure connections and leaves the original problem unsolved.
