# How to fix ERR_SSL_VERSION_OR_CIPHER_MISMATCH

By [bap2pecs](https://paragraph.com/@0xb2p) · 2024-02-06

---

I was setting up SSL for a domain using cloudflare along with `nginx-acme` and `nginx-proxy` but I got error `ERR_SSL_VERSION_OR_CIPHER_MISMATCH` when testing.

Checking the container logs, everything looks alright.

By using SSL Labs [toolkit](https://www.ssllabs.com/ssltest), it shows error “Failed to communicate with the secure server”:

![](https://storage.googleapis.com/papyrus_images/33f4d1d7a6b9868c8ff304a3cf99e05018feea54ab33bb4f286b440893dfd73b.png)

Looking it up, I found

[https://community.cloudflare.com/t/failed-to-communicate-with-the-secure-server/186871](https://community.cloudflare.com/t/failed-to-communicate-with-the-secure-server/186871)

which links to

[https://developers.cloudflare.com/ssl/troubleshooting/version-cipher-mismatch](https://developers.cloudflare.com/ssl/troubleshooting/version-cipher-mismatch)

Then I found the root cause was I was using a multi-level subdomain:

![](https://storage.googleapis.com/papyrus_images/2be459c3de95cca3300eccfe7e3da0f30d9f430a9536a3e26f04b56d7472ecfe.png)

One easy way to fix it is to merge the multiple levels from `<subdomain1>.<subdomain2>` to `<subdomain1>-<subdomain2>`.

But sometimes we do need multi-level subdomains. For example, when we deploy L2s for our clients. We want them to get resource URLs such as:

*   [https://myappchain.rpc.snapcha.in](https://myappchain.rpc.snapcha.in)
    
*   [https://myappchain.explorer.snapcha.in](https://myappchain.explorer.snapcha.in)
    
*   …
    

In that case, we will use Cloudflare’s [Advanced Certificates](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) add-on feature that covers more than one level of subdomain.

One we purchased the package, we need to order those advanced certificates such as:

![](https://storage.googleapis.com/papyrus_images/9b3f608f101d6a039770fb317cd11aa534d1e19a4d0f43940f43283af03e1ec4.png)

Then we can use the feature to issue certs when it becomes active:

![](https://storage.googleapis.com/papyrus_images/fcc5e9962c4da4f607abbfe0e170772f2b8fd22c866868ef93908a86b401535f.png)

---

*Originally published on [bap2pecs](https://paragraph.com/@0xb2p/how-to-fix-err-ssl-version-or-cipher-mismatch)*