Need help, got error ERR SSL VERSION OR CIPHER MISMATCH when accessing my domain

Hello there, i really need some help right now because i dont know what to do anymore

Problem:
I got this ERR_SSL_VERSION_OR_CIPHER_MISMATCH error message on Google Chrome (Ver. 59.xxx) when accessing my site domain after using LetsEncrypt, but i still can access it through the IP address.

The first time im using LE, its work like a charm, then after several days i got that error message when accessing it, because theres somethin my people need on that site, i do a server reinstall and reuploading the backup (the backup is before im using LE), after a reinstall i can use the domain but without SSL / https.

This morning i tried to use LE again, and then after it successfully installed, i got the same error message. Any help please?

Im using Ubuntu Server 16.04.2 LTS and Apache2 as webserver and im using this command to install LE which is working for a few days before i got that error message:

sudo ./certbot-auto --apache --agree-tos --rsa-key-size 2048 --email xxx@gmail.com --redirect -d datacenter.dinkes.inhilkab.go.id

Thank you for any help :smiley:

I don’t think there’s any problem with Let’s Encrypt, Certbot or your web server. That website is using Cloudflare’s CDN. But Cloudflare isn’t enabling TLS, so it doesn’t work.

The --redirect argument makes Certbot configure your web server to redirect HTTP traffic to HTTPS. When it’s configured that way, Cloudflare’s (lack of) TLS support comes into play, and the website stops working.

If Certbot is run without --redirect, it will be useless, but harmless.

Following their default settings, Cloudflare has a certificate for *.inhilkab.go.id (and inhilkab.go.id). A wildcard only works for one level of subdomain. In other words, https://www.inhilkab.go.id/ would work, https://dinkes.inhilkab.go.id/ would work, and https://datacenter-dinkes.inhilkab.go.id/ or https://dinkes-datacenter.inhilkab.go.id/ would work, but Cloudflare doesn’t have a certificate for https://datacenter.dinkes.inhilkab.go.id/, and they won’t enable TLS (with an unacceptable certificate) for that site.

You can rename the website to something that would work.

You can disable Cloudflare’s CDN services for that subdomain (by clicking the orange cloud to make it a grey cloud). That will, of course, expose the server’s IP address and deprive it of the benefits of Cloudflare’s CDN.

You can pay Cloudflare $10 per month to use a Dedicated Certificate with Custom Hostname valid for everything you need. (Well, up to 50 names or wildcards, anyway.)

If you’re on a Cloudflare business or enterprise plan, you can upload a custom certificate, issued by Let’s Encrypt or another CA. (You would have to figure out how to renew it, though.)

Now thats make sense, maybe the easiest way is requesting domain name change, very much thank you for your answer sir, hope God reply your kindness, thank you again and have a nice day :smiley:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.