Cloudflare & Subdomains

We've recently been using Cloudflare in front of applications for several reasons, such as a floating IP address, DDoS protection, automatic SSL generation, analytics, page optimisation, web application firewall, and many more. I highly recommend you look to see if it fits your needs for any application you're developing. One of the problems that I ran into earlier was an error when setting up some subdomains. I kept on getting ERR_SSL_VERSION_OR_CIPHER_MISMATCH, and I couldn't figure out why. Some subdomains were working, and some weren't. Was this because of the SSL certificate on the server or something else? If you've seen a similar error to the one below, then you've arrived at the right place!

The error from Cloudflare when I created certain subdomains

I figured that the servers hosting my applications (i.e. my servers) must've been using an incorrect version of TLS, or maybe HAProxy and Nginx had ciphers that Cloudflare didn't support. I played around with TLS versions and supported ciphers, but nothing resolved the issue. I searched on Google and found some cryptic references to the Cloudflare packages and subscription upgrades, but I couldn't quite see from the articles what the actual reason was. A few articles I found included:

ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Hi, here I have my website under WordPress with Plugin wp rocked. a certificate ssl lets and scripts. on Cloudflare i have disabled the ssl certificate and every time i activate Cloudflare i always have this error. …
Understand and fix ‘SSL-version or cipher mismatch’-error
Good questions and sorry about the runaround answers you’re working with. Ugh. The best bet always is to have a site working with ssl in place prior to starting with cloudflare and then using the full (strict) setting for end-to-end encryption. You’re midway in the process now, however so the key to…
Sub-domain with www get ERR SSL VERSION OR CIPHER MISMATCH
Hi all, I’m using flexible SSL from Cloudflare I have subdomain like test1.domain.com, test2.domain.com , all without www and with https is working fine https ://test1. domain .com > working https ://test2. domain .com > working https ://www,test1. domain .com > not working - error - ERR_SSL_VE…

The last entry actually described the issue in the most detail. It mentioned a dedicated SSL certificate, but that wasn't a part of any of the packages on their site. So I went back to the SSL section on their dashboard and started reading more about the Universal SSL Certificate it provides. It turns out that is where the limitation lies. For instance, if you own example.com, then the Universal Certificate covers:

example.com
*.example.com

It does not, however, cover:

*.*.example.com

So it actually works incredibly well when your subdomain is only a single tier, but having multi-tier subdomains doesn't work in the same way. For that, you'll need to buy an Advanced Certificate (and it's not very expensive, so no need to start stressing ;P)!
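The coverage rule above can be checked against a list of planned hostnames before any DNS records are created. This is an added example, not code from the original post or from Cloudflare; it assumes the usual certificate matching rule that a wildcard stands for exactly one leftmost label, and the function names and sample hostnames are constructed for illustration.

```python
def _labels(name):
    # Normalise: hostnames are case-insensitive; ignore a trailing root dot.
    return name.strip().rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """True if a single certificate name (SAN entry) covers hostname.

    A wildcard is honoured only as the whole leftmost label and stands for
    exactly one label, so *.example.com covers www.example.com but neither
    www.test1.example.com nor the apex example.com.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) > 2 and "*" not in p[1:] and p[1:] == h[1:]
    return "*" not in pattern and p == h

def universal_sans(zone):
    # The two names the post lists for the Universal certificate.
    return [zone, "*." + zone]

def needed_wildcard(hostname):
    # Wildcard name that would cover this host: "*." plus its parent domain.
    return "*." + hostname.rstrip(".").lower().split(".", 1)[1]

def audit(zone, hostnames, extra_sans=()):
    """Split hostnames into (covered, uncovered) for the zone's certificate."""
    sans = universal_sans(zone) + list(extra_sans)
    covered, uncovered = [], []
    for host in hostnames:
        hit = any(san_matches(s, host) for s in sans)
        (covered if hit else uncovered).append(host)
    return covered, uncovered

if __name__ == "__main__":
    # Constructed sample hostnames, not from a real deployment.
    planned = ["example.com", "www.example.com", "api.example.com",
               "www.test1.example.com", "api.staging.example.com"]
    ok, bad = audit("example.com", planned)
    for host in ok:
        print("covered  ", host)
    for host in bad:
        print("UNCOVERED", host, "-> needs a name such as", needed_wildcard(host))
```

Any host reported as uncovered will fail the TLS handshake at the edge until a certificate naming it (or its parent wildcard) is in place, regardless of how the origin server's TLS is configured.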

After figuring that out, everything is working incredibly well and as expected. A Pro Plan with the Advanced Certificate is all you'd need to have a full app with multi-tier subdomains up and running in no time!

I don't think I can emphasise enough how great Cloudflare is and how well it works. I'd suggest it becomes a part of any software developer's toolkit when building out new applications!


PS. There has been mention of Cloudflare affecting SEO performance. I've looked at Google Analytics on the sites we've applied it to, and I haven't seen any ill effects. In fact, I've seen improvements. I'd recommend that you watch for SEO performance after switching your site to Cloudflare, but I certainly wouldn't write it off without testing it.