Get the most out of your Centmin Mod LEMP stack
Become a Member

Cloudflare phpmyadmin SSL_ERROR_NO_CYPHER_OVERLAP error

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Kintaro, Nov 30, 2023.

  1. Kintaro

    Kintaro Member

    104
    11
    18
    Dec 2, 2016
    Italy
    Ratings:
    +30
    Local Time:
    4:57 PM
    1.15.x
    MariaDB 10
    After activating cloudflare in domain.com I was getting SSL_ERROR_NO_CYPHER_OVERLAP in phpmyadmin.

    The hostname of this centminmod is: domain.anotherdomain.com

    I solved deleting the CNAME "domain.anotherdomain.com" record and replacing it with an A record pointing directly to the domain.com IP in the anotherdomain.com DNS.


    is it the right think to do?

    The only doubt I have is that now the domain.com ip is public in the anotherdomain.com dns.
     
  2. eva2000

    eva2000 Administrator Staff Member

    51,987
    11,976
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,473
    Local Time:
    12:57 AM
    Nginx 1.25.x
    MariaDB 10.x
    Did you enable HSTS on nginx vhost or Cloudflare which tells web browsers to always load site and subdomains over HTTPS only?

    Do you use Cloudflare with Full/Full Strict SSL mode or via Flexible SSL mode? If you use Full Strict SSL, Cloudflare would have problems with phpmyadmin.sh installed Centmin Mod phpmyadmin installed instance on main hostname subdomain if same as the Cloudflare zone domain name, as phpmyadmin uses a self-signed untrusted SSL certificate which fails Cloudflare Full Strict SSL requirements.

    If you have enabled HSTS on nginx vhost, you can do it without including subdomain directive, so only domain.com will force HSTS and not subdomain.domain.com. Then clear your domain from browser HSTS caches

    Are the host.domain.com and HTTPS enabled site also on same top level domain.com ? did you enable HSTS with include subdomain too ? if you did then you're telling browsers to force HTTP to HTTPS redirected connections for domain.com and any *.domain.com subdomain as well

    see Enabling HSTS for SSL for specifics
    As accessing host.domain.com is usually reserved for stats and admin pages the Centmin Mod LEMP stack owner only needs to access, you can just clear your web browser's HSTS record for the domain.com and host.domain.com so the web browser no longer redirects from HTTP to HTTPS. I posted a thread at SSL - How to clear HSTS browser cache | Centmin Mod Community specifically for this :)

    But you still can't use Cloudflare Full Strict SSL. And you generally don't want to enable orange Cloud proxy for Cloudflare on main hostname as it's also the hostname used for Postfix outbound email sending and would fail to validate your main hostname on receiving mail servers as when they lookup main hostname for real IP, it would fail as it would report Cloudflare IP instead. If you want to Cloudflare orange cloud proxy main hostname, then you would need to manually reconfigure Centmin Mod Postfix for Postfix relay via Amazon SES 3rd party smtp server to allow outbound emails from server.

    Centmin Mod is provided as is so no official support for reconfiguring Postfix MTA mail server beyond what Centmin Mod initial setups up and configures for Postfix local outbound email sending.

    However, if you want to sent email outbound via remote mail server like with smtp email providers like Amazon SES, PepiPost/NetcoreCloud, Mailgun, Mailjet etc there are various online guides if you search for "centos postfix relay". Instructions for Debian and Ubuntu may differ from CentOS 6 or CentOS 7 operating systems that Centmin Mod runs on so bear that in mind and read many online guides to understand the best gist of configuring Postfix relay for external mail sending via remote smtp server.

    Remember, troubleshooting and setup is all on you as I provide no support, however fellow forum members are welcome to help each other out.

    The following guides are a start and you should read them all and re-read them to get an understanding of what is required paying attention to differences of CentOS 6 vs CentoS 7 vs Debian/Ubuntu if any.

    Note you can skip installing Postfix via yum as it's already installed
    You can also setup a test VPS with a hourly billing provider and test various Postfix relay guides until you find one that works for you etc.