Cloudflare Docs
SSL/TLS
SSL/TLS
Visit SSL/TLS on GitHub
Set theme to dark (⇧+D)

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

After you add a new domain to Cloudflare, your visitors' browsers might display ERR_SSL_VERSION_OR_CIPHER_MISMATCH (Chrome) or SSL_ERROR_NO_CYPHER_OVERLAP (Firefox) errors.

This error occurs when your domain or subdomain is not covered by an SSL/TLS certificate, which is usually caused by:


​​ Certificate activation

For domains on a full setup1, your domain should automatically receive its Universal SSL certificate within 15 minutes to 24 hours of domain activation2.

This certificate will cover your root domain (example.com) and all first-level subdomains (subdomain.example.com), so long as your domain or subdomains have proxied DNS records within Cloudflare DNS.


  1. The most common Cloudflare setup that involves changing your authoritative nameservers. ↩︎

  2. Provisioning time depends on certain security checks and other requirements mandated by Certificate Authorities (CA). ↩︎

​​ Potential issues

If your visitors experience ERR_SSL_VERSION_OR_CIPHER_MISMATCH (Chrome) or SSL_ERROR_NO_CYPHER_OVERLAP (Firefox), check the status of your Universal certificate:

  1. Log into the Cloudflare dashboard.
  2. Choose your account and domain.
  3. Go to SSL > Edge Certificates.
  4. Find the certificate with the Type of Universal.
  5. Make sure the Status is Active.

If the Status is anything other than Active, you can either wait a bit longer for certificate activation or take immediate action.

​​ Solutions

If you need to immediately resolve this error, temporarily pause Cloudflare.

Since Universal certificates can take up to 24 hours to be issued, wait and monitor the certificate’s status. Once your certificate becomes Active, unpause Cloudflare using whichever method you used previously.

If your certificate is still not Active after 24 hours, try the various troubleshooting steps used to resolve timeout issues. If these methods are successful (and your certificate becomes Active), unpause Cloudflare using whichever method you used previously.


​​ Certificate expiration

If you have a Custom certificate and visitors experience ERR_SSL_VERSION_OR_CIPHER_MISMATCH (Chrome) or SSL_ERROR_NO_CYPHER_OVERLAP (Firefox), check its status to make sure it is not expired.

If it is expired, upload a replacement certificate.


​​ Multi-level subdomains

Cloudflare Universal SSL certificates only cover your root domain and one level of subdomain.

HostnameCovered by Universal certificate?
example.comYes
www.example.comYes
docs.example.comYes
dev.docs.example.comNo
test.dev.api.example.comNo

This means that you might experience ERR_SSL_VERSION_OR_CIPHER_MISMATCH (Chrome) or SSL_ERROR_NO_CYPHER_OVERLAP (Firefox) on multi-level subdomains.

In order to cover these subdomains, either order an Advanced Certificate or upload a Custom Certificate.

If you purchase an advanced certificate, also enable Total TLS, which automatically issues new certificates to covered any proxied hostnames not covered by a Universal certificate.