MISMATCH, OVERLAP, a common SSL problem when you set up Cloudflare on your site
What a trouble that was! I hope this post may help some of you desperate guys! I had to set up my site with Cloudflare and then revert everything because it wouldn’t work, until I literally guessed the solution to my problem and re-applied Cloudflare!
This SSL MISMATCH / OVERLAP problem occurred after I set up Cloudflare from PLESK, where I had already been using a Let’s Encrypt SSL Certificate.
Most probably you will face the same problem if you set up Cloudflare in any type of Control Panel offered by your hosting service, provided you are also using your own SSL certificate.
After I activated Cloudflare for my domain, PLESK gave me this notice: “WWW prefix was changed. Be sure to modify the SSL/TLS certificate accordingly.” If I had paid attention to this notice perhaps I would have avoided the trouble. But it’s a vague notice, without any hint of instruction on what to do.
When DNS propagated, my site wouldn’t open and browsers issued warnings like these:
“Can’t connect securely to this page. This might be because the site uses outdated or unsafe TLS security settings”, “uses an unsupported protocol”, “ERR_SSL_VERSION_OR_CIPHER_MISMATCH”, “Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP”, etc.
Wow! Frightening stuff! Searching the internet did not help. Consulting the support team of my Hosting Provider was just a waste of time. Trying to find some answer in the knowledge base of Cloudflare, useless…
Then I recalled that inside Plesk, at the panel of “Let’s Encrypt” where I issued my SSL certificate, there was an option for www to be included in the certificate. Is it possible that the notice of Plesk to “modify the SSL/TLS certificate accordingly” referred to this?
I saw that this option was already checked, as it should be, but then I thought that the certificate may contain DNS entries, which are now changed to reflect Cloudflare! Thus I made the magical move: I renewed my certificate! After 10 minutes or so my certificate was automatically approved by Cloudflare and my site was alive and running!
Therefore, after you set up the Cloudflare extension in your Control Panel, don’t forget to renew your SSL Certificate.
And (irrelevant, but you should know that too), if you have Plesk 301 redirects of all http traffic to https, disable that and let Cloudflare do it to avoid this dreaded loop of infinite redirects.
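A way to check, after renewing, that the certificate really covers both the bare domain and the www name, and to tell a failed handshake apart from a missing name. This is an added example, not code from the original post; the function names and the example.com SAN lists are constructed for illustration.

```python
import socket
import ssl

def san_covers(hostname, sans):
    """True if any DNS SAN matches hostname (exact or single-label wildcard)."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        # "*.example.com" covers "www.example.com" only: not the bare
        # domain and not deeper names such as "a.b.example.com".
        if san.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == san[2:]:
                return True
    return False

def missing_names(required, sans):
    """Names from `required` that the certificate's SAN list does not cover."""
    return [name for name in required if not san_covers(name, sans)]

def probe(connect_to, sni, port=443, timeout=10):
    """Do a verified TLS handshake with `connect_to`, sending `sni` as the
    server name. Needs network access. Returns the negotiated protocol and
    DNS SANs, or the handshake/verification error text."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((connect_to, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                cert = tls.getpeercert()
                sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return {"ok": True, "protocol": tls.version(), "sans": sans}
    except (ssl.SSLError, OSError) as exc:
        # Covers protocol/cipher failures and certificate name mismatches.
        return {"ok": False, "error": str(exc)}

# Constructed SAN lists standing in for three possible certificates.
APEX_ONLY = ["example.com"]
APEX_AND_WWW = ["example.com", "www.example.com"]
WILDCARD_ONLY = ["*.example.com"]
REQUIRED = ["example.com", "www.example.com"]
```

With Cloudflare proxying the domain, probing the public hostname returns Cloudflare's edge certificate; to inspect the certificate Plesk serves, pass the origin server's IP as `connect_to` and the site name as `sni`, then feed the returned `sans` to `missing_names`.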