Skip to content

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

After you add a new domain to Cloudflare, your visitors’ browsers might display one of the following errors:

  • ERR_SSL_VERSION_OR_CIPHER_MISMATCH (Chrome)
  • Unsupported protocol The client and server don’t support a common SSL protocol version or cipher suite (Chrome)
  • SSL_ERROR_NO_CYPHER_OVERLAP (Firefox)

This error occurs when your domain or subdomain is not covered by an SSL/TLS certificate, which is usually caused by:

Decision tree

flowchart TD
accTitle: Troubleshooting ERR_SSL_VERSION_OR_CIPHER_MISMATCH decision tree
A>Is your certificate active?] -- Yes --> B>Is the DNS record proxied?]
A -- No --> C[Wait for certificate to activate or pause Cloudflare]
B -- No --> D[Proxy the DNS record]
B -- Yes --> E>Are you using a custom certificate?]
E -- Yes --> F[Custom certificate may be expired]
E -- No --> G>Are you accessing a multi-level subdomain?]
G -- Yes --> H[Get an advanced or custom certificate]

Certificate activation

For domains on a full setup1, your domain should automatically receive its Universal SSL certificate within 15 minutes to 24 hours of domain activation2.

This certificate will cover your zone apex (example.com) and all first-level subdomains (subdomain.example.com), and is provisioned even if your records are DNS only. However, the certificate will only be presented if your domain or subdomains are proxied.

Footnotes

  1. The most common Cloudflare setup that involves changing your authoritative nameservers.

  2. Provisioning time depends on certain security checks and other requirements mandated by Certificate Authorities (CA).

Potential issues

If your visitors experience ERR_SSL_VERSION_OR_CIPHER_MISMATCH (Chrome) or SSL_ERROR_NO_CYPHER_OVERLAP (Firefox), check the status of your Universal certificate:

  1. Log into the Cloudflare dashboard.
  2. Choose your account and domain.
  3. Go to SSL > Edge Certificates.
  4. Find the certificate with the Type of Universal.
  5. Make sure the Status is Active.

If the Status is anything other than Active, you can either wait a bit longer for certificate activation or take immediate action.

Solutions

If you need to immediately resolve this error, temporarily pause Cloudflare.

Since Universal certificates can take up to 24 hours to be issued, wait and monitor the certificate’s status. Once your certificate becomes Active, unpause Cloudflare using whichever method you used previously.

If your certificate is still not Active after 24 hours, try the various troubleshooting steps used to resolve timeout issues. If these methods are successful (and your certificate becomes Active), unpause Cloudflare using whichever method you used previously.


Proxied DNS records

Cloudflare Universal and Advanced certificates only cover the domains and subdomains you have proxied through Cloudflare.

If the Proxy status of A, AAAA, or CNAME records for a hostname are DNS-only, you will need to change it to Proxied.

Proxy status affects how Cloudflare treats traffic intended for specific DNS records

Certificate expiration

If you have a Custom certificate and visitors experience ERR_SSL_VERSION_OR_CIPHER_MISMATCH (Chrome) or SSL_ERROR_NO_CYPHER_OVERLAP (Firefox), check its status to make sure it is not expired.

If it is expired, upload a replacement certificate.


Multi-level subdomains

By default, Cloudflare Universal SSL certificates only cover your apex domain and one level of subdomain.

HostnameCovered by Universal certificate?
example.comYes
www.example.comYes
docs.example.comYes
dev.docs.example.comNo
test.dev.api.example.comNo

This means that you might experience ERR_SSL_VERSION_OR_CIPHER_MISMATCH (Chrome) or SSL_ERROR_NO_CYPHER_OVERLAP (Firefox) on multi-level subdomains.

To prevent insecure connections on a multi-level subdomain, do one of the following:

  • Enable Total TLS, which automatically issues individual certificates to your proxied hostnames not covered by a Universal certificate.
  • Order an Advanced Certificate covering the subdomain.
  • Upload a Custom Certificate covering the subdomain.

If none of these solutions work, you could also remove the multi-level subdomain.