Err_ssl_version_or_cipher_mismatch

Hi There,

I am using v1.9.4 on a Debian 12 VPS.
I installed my WP website, enabled SSL and everything worked fine for about an hour.

Now all of a sudden my website stopped working and I get ERR_SSL_VERSION_OR_CIPHER_MISMATCH (and rarely from time to time ERR_QUIC_PROTOCOL_ERROR)

Here are the steps I followed:

I created a new Hestia account (non admin), added the domain, and pointed the domain’s A record to my VPS’ IP on Cloudflare.
I generated a new CF origin certificate, and inserted the certificate + key values in the first two fields in Hestia under “use SSL”.

Usually on my other servers I enter the SSL certificate authority from Cloudflare origin CA · Cloudflare SSL/TLS docs in the third textarea, but when I did, I got an error **”Error: SSL intermediate chain is not valid”**

so I followed the suggestions from [Bug] SSL is not installing · Issue #2712 · hestiacp/hestiacp · GitHub

Everything worked for a couple of hours, then all of a sudden I started getting the
ERR_SSL_VERSION_OR_CIPHER_MISMATCH error

Any suggestions? Thanks

I am actually having the same error on Ubuntu 24 but using Let’s Encrypt

Hi @mbassiouny and @Jollip

Are you using the right CA certificate (RSA or ECC) for the origin certificate you issued?

On my end I just clicked on “Enable SSL for this domain - Use Let’s Encrypt to obtain SSL certificate” like I always do; it’s just that all websites I issued SSL certificates for in the next hour are down

Maybe it’s a widespread Cloudflare issue or something like that happening at the moment

@jollip, did you make sure to follow the instructions from the doc? You should disable CF during Let’s Encrypt config, wait 5 mins, request the certs, then after it’s done enable CF proxy and set mode to Full (without strict)

@sahsanu I have used this config on many servers before and it worked fine, I am not sure what you mean?
As I mentioned in my post, I used origin certificates from CF. Are there “right and wrong” certificates? There are only 2 certificates, either RSA or ECC, that are available on CF.

I put a link to the instructions I followed; I faced the same bug so I followed the solution from this link

Yes, that’s the reason I’m asking. If you generated an Origin Certificate with RSA for your domain, you must use the Cloudflare Root CA RSA. If you generated an Origin Certificate with ECC for your domain, you must use the Cloudflare Root CA ECC.

Could both of you please show the output of these commands?
Note: Replace example.net with the actual domain name and 203.0.113.1 with the actual public IP of your Hestia server.

openssl s_client -connect example.net:443 <<<: 2>/dev/null | awk '/Certificate chain/,/---/'
openssl s_client -connect 203.0.113.1:443 -servername example.net <<<: 2>/dev/null | awk '/Certificate chain/,/---/'
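The two commands above print a "Certificate chain" block, and the usual questions when reading it are: did the server send a chain at all, is the leaf key RSA or ECC (so that the matching Cloudflare root CA is the one installed), and do the entries link up and sit inside their validity window. The script below is an added example written for this thread, not part of the Hestia project or of any post in it. It parses that block offline (the Let's Encrypt sample is the output posted later in this thread; the ECC origin sample and the issuer names in it are constructed for the demo) and reports findings a practitioner would want to check before changing any settings.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# One entry of the "Certificate chain" block that
# `openssl s_client ... | awk '/Certificate chain/,/---/'` prints (OpenSSL 3 layout).
CERT_RE = re.compile(
    r"^\s*(?P<depth>\d+) s:(?P<subject>.*)\n"
    r"\s*i:(?P<issuer>.*)\n"
    r"\s*a:PKEY: (?P<keyalg>[^,]+), (?P<bits>\d+) \(bit\); sigalg: (?P<sigalg>\S+)\n"
    r"\s*v:NotBefore: (?P<nb>.+?) GMT; NotAfter: (?P<na>.+?) GMT",
    re.MULTILINE,
)

# Sample 1: the Let's Encrypt chain posted in this thread (CN shortened to "mywebsite").
SAMPLE_LETSENCRYPT = """
Certificate chain
 0 s:CN = mywebsite
   i:C = US, O = Let's Encrypt, CN = R13
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 13 14:44:00 2025 GMT; NotAfter: Dec 12 14:43:59 2025 GMT
 1 s:C = US, O = Let's Encrypt, CN = R13
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
"""

# Sample 2: a constructed ECC origin certificate. Issuer DN and dates are made up;
# an origin cert is normally sent alone, with no intermediate.
SAMPLE_ECC_ORIGIN = """
Certificate chain
 0 s:CN = example.net
   i:O = Example Origin CA (constructed), CN = Example Origin ECC CA
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256
   v:NotBefore: Sep  1 00:00:00 2025 GMT; NotAfter: Aug 31 23:59:59 2040 GMT
---
"""

# Fixed "now" so the expiry check is reproducible; replace with datetime.utcnow() in use.
NOW_FOR_DEMO = datetime(2025, 10, 1, 12, 0, 0)


@dataclass
class ChainCert:
    depth: int
    subject: str
    issuer: str
    keyalg: str
    bits: int
    not_before: datetime
    not_after: datetime


def parse_chain(text: str) -> list[ChainCert]:
    """Turn the awk-extracted chain text into a list ordered by depth (0 = leaf)."""
    certs = []
    for m in CERT_RE.finditer(text):
        certs.append(ChainCert(
            depth=int(m["depth"]),
            subject=m["subject"].strip(),
            issuer=m["issuer"].strip(),
            keyalg=m["keyalg"].strip(),
            bits=int(m["bits"]),
            not_before=datetime.strptime(m["nb"].strip(), "%b %d %H:%M:%S %Y"),
            not_after=datetime.strptime(m["na"].strip(), "%b %d %H:%M:%S %Y"),
        ))
    return sorted(certs, key=lambda c: c.depth)


def key_family(keyalg: str) -> str:
    """Map OpenSSL's key-algorithm name to the family the installed root CA must match."""
    if keyalg == "rsaEncryption":
        return "RSA"
    if keyalg == "id-ecPublicKey":
        return "ECC"
    return "other"


def check_chain(certs: list[ChainCert], expected_root_family: str, now: datetime) -> list[str]:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    if not certs:
        # s_client prints no chain when the handshake fails before a certificate is sent,
        # which is what a browser shows as ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
        return ["no certificate chain was printed: the TLS handshake failed before a "
                "certificate was sent, check SNI/proxy mode before looking at the cert files"]
    findings = []
    leaf = certs[0]
    fam = key_family(leaf.keyalg)
    if fam != expected_root_family:
        findings.append(f"leaf key is {fam} ({leaf.keyalg}, {leaf.bits} bit) but the root CA "
                        f"you installed is {expected_root_family}: install the matching one")
    if now < leaf.not_before or now > leaf.not_after:
        findings.append(f"leaf certificate is outside its validity window "
                        f"({leaf.not_before:%Y-%m-%d} to {leaf.not_after:%Y-%m-%d})")
    # Each entry's issuer must be the subject of the next entry up the chain.
    for lower, upper in zip(certs, certs[1:]):
        if lower.issuer != upper.subject:
            findings.append(f"chain break at depth {lower.depth}: issuer '{lower.issuer}' "
                            f"is not the next subject '{upper.subject}'")
    return findings


if __name__ == "__main__":
    for name, text, family in (("Let's Encrypt", SAMPLE_LETSENCRYPT, "RSA"),
                               ("ECC origin", SAMPLE_ECC_ORIGIN, "ECC"),
                               ("ECC origin with RSA root", SAMPLE_ECC_ORIGIN, "RSA")):
        print(name, "->", check_chain(parse_chain(text), family, NOW_FOR_DEMO) or "OK")
```

In practice you would pipe the real command output into `parse_chain` and pass the family of the root CA file you placed in the third Hestia field; an empty chain from the SNI command against the server IP, together with a normal chain from the domain name, points at the proxy side rather than at the certificate files.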

I ended up disabling everything and I used the CLI and it worked just fine.

The origin cert/keys I created were RSA (default setting); as for the root CA certificate, I followed the steps from the link above (so it was the RSA CA too). It should have worked, and it actually did work, for a couple of hours.
When it broke I tried the ECC CA (without changing the cert/key RSA combination) and obviously that didn’t work either. I kept messing around activating, de-activating, changing SSL settings, etc. until I ended up disabling everything and removing the certificate from /usr/local/share/ca-certificates and from /etc/ssl/certs/

Then I just re-enabled SSL using

v-add-web-domain-ssl myUser mydomainname.com /path/to/certs

and this worked!

First line: blank
Second line:
Certificate chain
 0 s:CN = mywebsite
   i:C = US, O = Let's Encrypt, CN = R13
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 13 14:44:00 2025 GMT; NotAfter: Dec 12 14:43:59 2025 GMT
 1 s:C = US, O = Let's Encrypt, CN = R13
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT

I also found this on the Cloudflare community: https://community.cloudflare.com/t/ssl-certificate-pending-validation-and-not-issuing-for-hours/836963 . I think I have the same issue