SSL problem on CloudFlare hosted subdomain

Aar (Verified User; joined Feb 10, 2005; 209 messages; location: Netherlands)
This week I noticed that the subdomains are giving problems. It concerns subdomains with www. (for example this fictional domain: https://www.subdomain.domain.nl)
It concerns the error: SSL_ERROR_NO_CYPHER_OVERLAP

This error can only be seen on subdomains that use www. and that are handled by Cloudflare.
The subdomains such as https://subdomain.domain.nl do work fine. And they're also handled by CloudFlare.

I also saw this error in DirectAdmin:
Code:
Error: http://www.subdomain.domain.nl/.well-known/acme-challenge/letsencrypt_15867***** is not reachable. Aborting the script.
dig output for www.subdomain.domain.nl:
2606:4700:3036::****:****
2606:4700:3035::****:****
Please make sure /.well-known alias is setup in WWW server.

Has anyone an idea what's going on?
Tomorrow I will check it out on the server, but I'm curious what's happening, and where I can find the solution?
In DirectAdmin or CloudFlare?

And what is the recommendation for websites whose SSL was handled first by Let's Encrypt in DirectAdmin and later by CloudFlare?
Is it better to disable SSL for that domain in DirectAdmin?
 
1) Can you confirm that the www subdomains and the main domains are resolving and resolving to the same server?

Code:
dig a +short www.domain.tld
dig a +short domain.tld

2) If they resolve to the same server: https://help.directadmin.com/item.php?id=646

3) As for recommendations, try to configure so that you are using Full/Full (Strict) Mode, whether you use a Let's Encrypt SSL or an Origin SSL that can be provided from Cloudflare for installation on the source server. Using Full/Full (Strict) Mode will not only secure communications between the user's browser and Cloudflare (the CF SSL), but it will also secure communications between Cloudflare and the server (the Origin SSL or Let's Encrypt SSL). There are pros and cons of each choice, though I prefer to use Let's Encrypt for one major reason: It is trusted by all browsers whereas Cloudflare's Origin SSL is only trusted by them and will display an error and not load your site if you ever disable Cloudflare (let's say, for testing purposes or whatever).
More recommendations can be made depending on your purpose behind using Cloudflare. Are you trying to hide your server IP? If so, use a remote mailserver because the IP can be obtained via
Code:
dig a +short $(dig mx +short domain.tld)
and remove any common subdomains that point directly to your server, such as 'host', 'ftp', etc.
Note that when using Cloudflare, DA won't be able to automatically add A records for your subdomains to your DNS zone files when you create a new subdomain, since your DNS zone file will now be at Cloudflare. So, anytime you create a new subdomain, you'll have to manually add that subdomain's record to Cloudflare.
 
Thanks @scriptkitty.
All of the subdomains (non-www and www) are resolving (with a tracert) to the CloudFlare server.
I have a wildcard for my A record in the CloudFlare DNS configuration, and I use the FULL encryption mode on CloudFlare.

Is there something I need to set up at CloudFlare to solve this problem?
At this moment I have a mail from Let's Encrypt about the expiration of the domain and all of these subdomains:
Code:
labs.domain.tld
tools.domain.tld
domain.tld
www.labs.domain.tld
www.tools.domain.tld
www.domain.tld

What is the best solution?
 
I’d start with point #2 to make sure the well-known/acme-challenge/ directories are accessible for www subdomains and then go from there.
 
I see this in the httpd-alias.conf file:
Code:
Alias /.well-known "/var/www/html/.well-known/"

I see with PuTTY the .acme-challenge directory. Other sites seem to have access to this directory, but not the site of domain.tld.
At this moment I have found through troubleshooting that a .htaccess is blocking the access to /.well-known.

I have this:
Code:
RewriteEngine On
RewriteBase /
### Strip fbclid crap
RewriteCond %{QUERY_STRING} "fbclid=" [NC]
RewriteRule (.*) /$1? [R=301,L]

# Forward every request to a file to index.php
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [QSA]
 
Let's Encrypt can only work on the same server. If you point to the Cloudflare proxy, you don't need Let's Encrypt and can just use SSL from Cloudflare.
 
www.beta.domain.tld has an AAAA (IPv6) record (2606:4700:3036::xxxx:xxxx) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.
@scriptkitty
I think that Let's Encrypt is looking for the validation file on the IP address of the server? In the case of CF, on this IP there is of course no validation file under /.well-known/acme-challenge?

Best idea is to turn off Let's Encrypt for this domain in DirectAdmin?
But why does the certificate break for the www subdomains?
And why does DA not extend the certificates of every host in my domain.tld?
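The two checks this thread keeps circling back to, whether the apex and www names resolve to the same place (scriptkitty's step 1) and whether the HTTP-01 validator can actually reach /.well-known/acme-challenge/ on every published A and AAAA address (the error quoted above), combined into one added Python pre-flight script. This is example code written for this thread, not DirectAdmin's, Let's Encrypt's or Cloudflare's own tooling. It assumes a small subset of Cloudflare's published address ranges (verify against https://www.cloudflare.com/ips/) and a challenge filename you create yourself in the webroot before running it.

```python
"""ACME HTTP-01 pre-flight for hosts that may sit behind the Cloudflare proxy."""
import ipaddress
import socket
import sys
import urllib.request

# Assumed subset of Cloudflare's published ranges; refresh from
# https://www.cloudflare.com/ips/ before relying on it.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "2606:4700::/32",
)]


def parse_dig_short(text):
    """Turn `dig +short` output into a set of IP addresses, skipping CNAME lines."""
    addrs = set()
    for line in text.splitlines():
        line = line.strip().rstrip(".")
        if not line:
            continue
        try:
            addrs.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # a CNAME target or other non-address output
    return addrs


def is_proxied(addr):
    """True when the address lies inside one of the (assumed) Cloudflare ranges."""
    ip = ipaddress.ip_address(str(addr))
    return any(ip in net for net in CLOUDFLARE_NETS)


def same_origin(apex_addrs, www_addrs):
    """Step 1 from the thread: do apex and www resolve to exactly the same addresses?"""
    return bool(apex_addrs) and set(apex_addrs) == set(www_addrs)


def classify(addrs):
    """Summarise what an HTTP-01 validator will hit when it looks up this host."""
    if not addrs:
        return "no-address"
    proxied = [is_proxied(a) for a in addrs]
    if all(proxied):
        return "all-cloudflare"   # origin's /.well-known is only reached via the proxy
    if any(proxied):
        return "mixed"            # e.g. A to origin but AAAA to Cloudflare
    return "direct"


def resolve(host):
    """Live A+AAAA lookup through the system resolver (network; not used by tests)."""
    infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def challenge_reachable(host, addr, token):
    """Fetch the challenge URL from one specific address, per family, as a validator does."""
    url_host = f"[{addr}]" if addr.version == 6 else str(addr)
    req = urllib.request.Request(
        f"http://{url_host}/.well-known/acme-challenge/{token}",
        headers={"Host": host})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status == 200
    except Exception:
        return False


if __name__ == "__main__":
    # Usage: python3 acme_preflight.py domain.tld www.domain.tld labs.domain.tld ...
    # First create <webroot>/.well-known/acme-challenge/preflight-token on the origin.
    token = "preflight-token"  # hypothetical filename, chosen by you
    for host in sys.argv[1:]:
        addrs = resolve(host)
        print(host, classify(addrs))
        for a in sorted(addrs, key=str):
            where = "cloudflare" if is_proxied(a) else "direct"
            state = "reachable" if challenge_reachable(host, a, token) else "UNREACHABLE"
            print("  ", a, where, state)
```

A host that comes back "all-cloudflare" or "mixed" with an UNREACHABLE line is exactly the situation in the quoted AAAA error: the validator follows the published record, not the origin IP, so the file under the DirectAdmin alias is never consulted on that address. Feeding the `resolve()` result of both `domain.tld` and `www.domain.tld` into `same_origin()` answers scriptkitty's first question without eyeballing two dig outputs.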
 
Last week I turned 'Force SSL' off, and that solved the Let's Encrypt error in the message box. Now I have forced SSL in CloudFlare, and we will see.
 