
Support.cloudflare.com down - crabbytoday
Trying to resolve an issue regarding CF ECDSA certificate for the last 15+ hours and now can't check the ticket:

This page (https://support.cloudflare.com/hc/en-us) is currently offline. However, because the site uses CloudFlare's Always Online™ technology you can continue to surf a snapshot of the site. We will keep checking in the background and, as soon as the site comes back, you will automatically be served the live version. Always Online™ is powered by CloudFlare | Hide this Alert

I loved CF until 8/24/16 when they issued a new SSL cert for my domain. I know CF loves ECDSA but they did not check if my server supported ECDSA before changing the cipher suite. Just roll back to whatever algo was being used before if sane, but for the love of Pete, before issuing the certificate:
 1) check to see if the server supports the proposed algo,
 2) notify the user if the user's server does not support the algo,
 3) allow the user time to investigate and implement options,
 4) potentially issue a certificate that works on the customer's server (just like it did for over a year).

Normally not a big deal, but this domain is hosted on a shared host (it was more of a test to check out Cloudflare). I don't have any way to update the server to use ECDSA, though I put in a support ticket with the host and they said, "No. We will not support ECDSA but do support a list of other EC algos". Obviously, I am going to move away from this host...and CF.

In any case, their support response is *slow*, but this site was using the free plan...and now their support site is down.

Any suggestions for CF alternatives?

[edit: the support site is now up 10:48 PST]
======
snug
CloudFlare to Origin supports algorithms other than ECDSA. Sounds like you're
having issues, not CloudFlare.

CloudFlare only supports ECDSA on the free plan from client to CloudFlare. If
this is what you're having issues with, then you're on an old browser.

~~~
crabbytoday
Thanks for trying to help, but I'm using FF 44.0.x and Chrome 52.0.27x. The
disruption occurred when CF generated a new cert with ECDSA, the old cert
worked fine, until it expired.

https://support.cloudflare.com/hc/en-us/articles/200278659-Error-525-SSL-handshake-failed

A 525 error states that the SSL handshake between CloudFlare and the origin
server that hosts the domain failed. This means that CloudFlare is set to use
Full SSL in the CloudFlare settings for the domain, so CloudFlare attempts to
make a connection using SSL (for requests beginning in https://)
to the server that hosts the domain.

Likely reasons for this failure include:

- The origin server does not support or is not configured properly for SNI.
- The cipher suites that CloudFlare accepts and the cipher suites that the origin server uses do not match.
- The origin server is not configured to use SSL and Full SSL is enabled in the CloudFlare settings.

"The cipher suites that CloudFlare accepts and the cipher suites that the
origin server uses do not match." <- This. This is the issue. Again, I
verified with the host and they do not plan on supporting ECDSA_P256
specifically, but do support other Elliptic Curve algos. So yes, it is an
issue on my end, but only to a point: the fallback certs that CF generates and
manages aren't 'falling back'. There is no option to manage fallback certs on
the Free plan, that's fine, but the CF-provided fallbacks should have worked!
Again, the issue is they generated a cert with a specific algo and presented
that cert to my users without checking first to see if the server supported
that algo. Make a cert signed with a random algo and who cares if it works or
not? WTH?

Again, I am not asking for tech support here. I am researching CloudFlare
alternatives though to begin the process of setting up new accounts to prepare
for moving from CloudFlare before those domains suffer the same fail when
their CF certs expire. CF was great until it wasn't.
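
The quoted 525 text names a cipher-suite mismatch between CloudFlare and the origin as one cause of the handshake failure, and the reply above distinguishes "other Elliptic Curve algos" from ECDSA_P256. The script below is an added example, not code from the thread, CloudFlare, or the hosting provider: it models how a TLS 1.2 server selects a cipher suite and shows why an origin that enables ECDHE (elliptic-curve key exchange) suites but holds only an RSA certificate can never complete an ECDHE-ECDSA suite. The suite lists and the origin key type are constructed for illustration.

```python
# Added example (not from the thread): model TLS 1.2 cipher-suite selection
# to show that "EC key exchange" (ECDHE) and "ECDSA certificate" (auth) are
# separate choices, and that a mismatch on the auth side yields the
# handshake failure the 525 help text describes. All lists are constructed.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str    # key exchange: "ECDHE", "DHE" or static "RSA"
    auth: str  # peer authentication, i.e. certificate key type: "ECDSA" or "RSA"


def parse_suite(name: str) -> Suite:
    """Split an OpenSSL-style TLS 1.2 cipher name into key exchange and auth.

    ECDHE-ECDSA-AES128-GCM-SHA256 -> kx=ECDHE, auth=ECDSA
    ECDHE-RSA-AES128-GCM-SHA256   -> kx=ECDHE, auth=RSA  (EC key exchange, RSA cert)
    AES128-GCM-SHA256             -> kx=RSA,   auth=RSA  (static RSA key exchange)
    """
    parts = name.upper().split("-")
    if parts[0] in ("ECDHE", "DHE"):
        kx, auth = parts[0], parts[1]
    elif parts[0] in ("RSA", "AES128", "AES256"):
        kx, auth = "RSA", "RSA"
    else:
        raise ValueError(f"unsupported cipher name: {name}")
    if auth not in ("ECDSA", "RSA"):
        raise ValueError(f"unsupported authentication algorithm in {name}")
    return Suite(name.upper(), kx, auth)


def usable_suites(enabled: Iterable[str], cert_key_type: str) -> List[Suite]:
    """Suites the server can really select: enabled AND matching its certificate.

    A server holding only an RSA certificate cannot finish any *-ECDSA suite,
    whatever its cipher list says, because it has no ECDSA key to sign the
    handshake with. Such entries are dead configuration.
    """
    return [s for s in map(parse_suite, enabled) if s.auth == cert_key_type.upper()]


def negotiate(client_offer: Sequence[str], server_enabled: Sequence[str],
              server_cert_key_type: str) -> Optional[str]:
    """Return the first client-offered suite the server can use, or None.

    None is the 'SSL handshake failed' case: no suite satisfies both sides.
    """
    usable = set(usable_suites(server_enabled, server_cert_key_type))
    for name in client_offer:
        suite = parse_suite(name)
        if suite in usable:
            return suite.name
    return None


def explain(client_offer: Sequence[str], server_enabled: Sequence[str],
            server_cert_key_type: str) -> str:
    """Human-readable diagnosis of the negotiation outcome."""
    chosen = negotiate(client_offer, server_enabled, server_cert_key_type)
    if chosen:
        return f"handshake OK with {chosen}"
    offered_auth = sorted({parse_suite(n).auth for n in client_offer})
    server_auth = sorted({s.auth for s in usable_suites(server_enabled, server_cert_key_type)})
    return (f"handshake fails: client offers only {'/'.join(offered_auth)} authentication, "
            f"server certificate allows only {'/'.join(server_auth) or 'nothing'}")


# Constructed origin: RSA certificate, ECDHE enabled, no ECDSA suites at all.
ORIGIN_ENABLED = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "AES128-GCM-SHA256",
]
ORIGIN_CERT_KEY_TYPE = "RSA"

# Constructed client (edge) offers: one ECDSA-only, one with an RSA fallback.
EDGE_OFFER_ECDSA_ONLY = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
]
EDGE_OFFER_WITH_FALLBACK = EDGE_OFFER_ECDSA_ONLY + ["ECDHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    print(explain(EDGE_OFFER_ECDSA_ONLY, ORIGIN_ENABLED, ORIGIN_CERT_KEY_TYPE))
    print(explain(EDGE_OFFER_WITH_FALLBACK, ORIGIN_ENABLED, ORIGIN_CERT_KEY_TYPE))
```

Running it prints a failure for the ECDSA-only offer and a success on `ECDHE-RSA-AES128-GCM-SHA256` once an RSA-authenticated suite is in the offer, which is the "fallback" behaviour the reply above expected. When debugging a real 525, the same comparison can be made by reading the origin's configured cipher list and certificate key type and checking them against the suites the edge is known to offer; enabling ECDHE alone does not make an ECDSA certificate usable.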

------
runesoerensen
The site seems to work fine, but this really isn't a support forum for such
issues. Send them another email or something

~~~
crabbytoday
Thanks for the tip. I didn't ask for support here. I think this issue is
interesting because CF's decision(s) are experimental and they do not check if
a server supports ECDSA prior to issuing the cert, which resulted in any links
to https://mysite.com erroring out with "this site isn't
secure" and a 525, until I paused CF, and have since deleted the domain from
CF, use a different (compatible) SSL cert, updated DNS records to not point to
CF's nameservers, etc. Perhaps CF will implement a change to check to see if
the customer's server supports an algo before signing a cert with it.

