# Error SSL/TLS


blazing venture

    C:\Users\Administrateur-RDP>curl -vvvvv https://CACHED
    *   Trying 104.21.35.26:443...
    * Connected to cached (104.21.35.26) port 443 (#0)
    * schannel: disabled automatic use of client certificate
    * ALPN: offers http/1.1
    * schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.
    * Closing connection 0
    * schannel: shutting down SSL/TLS connection with CACHED port 443
    curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.
sour thistle
Quoting blazing venture: C:\Users\Administrateur-RDP>curl -vvvvv https://CACHED * Trying 104.21.35.26:4...

That's not really enough information to go off, having the actual failing URL would be helpful.

Otherwise I would guess it's either that those subdomains are too deep (the free Universal cert you get only covers first-level subdomains like 1.example.com, not 2.1.example.com), or your Universal cert isn't being issued for some reason (could be DNSSEC, an improper configuration preventing domain resolution like a clientHold status code, etc.).

sour thistle
Quoting blazing venture: I create ssl with certbot

That's good to secure the connection end to end, but if it's proxied through Cloudflare, Cloudflare needs a valid certificate for it too. Cloudflare terminates the incoming request and then creates a second one to your origin; it's how reverse proxies/pull-based CDNs work, so both ends need valid SSL.

steady oak

Also interested in the topic. I'm a noob in terms of security/certificates. How do I create a certificate so the Cloudflare proxy and origin server can securely communicate?

blazing venture

This is the first time I've had this error.

sour thistle

If you can share the actual failing URL (DMs are fine), it would be easy to tell.

blazing venture

I don't want to use the cloudflare certificate

sour thistle

You do, with proxy enabled. Here's what the connection looks like:
Visitor <- Cloudflare Cert -> Cloudflare Edge <- Your Certificate -> Origin

blazing venture

except that it tells me that I'd like to make it disappear

#

I've been using certbot with cloudflare proxy for a long time, never a problem.

sour thistle

How many levels deep is the subdomain?

sour thistle
Quoting blazing venture: 2

The issue is that it's two levels deep. Cloudflare issues you a free certificate called your "Universal Certificate"; it's a wildcard for your domain, *.example.com, and wildcards only cover first-level subdomains. If you wanted a deeper subdomain to work with Proxy, you would have to buy Advanced Certificate Manager (ACM) and issue a certificate for that subdomain. Otherwise you can keep it unproxied and not benefit from Cloudflare's CDN/Proxy, or you could change it, for example using a slash - rather than . to keep it on the same DNS level.
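
The wildcard rule the reply relies on, as an added example (not code from the thread or from Cloudflare): a wildcard certificate name matches exactly one DNS label, so `*.example.com` covers `2-1.example.com` but not `2.1.example.com`. The `covered_by_universal_cert` helper and the assumption that the Universal certificate carries the apex name plus `*.zone` are mine, taken from the reply above.

```python
"""Added example: hostname matching against a wildcard certificate name.

Implements the rule modern TLS clients apply (RFC 6125 section 6.4.3):
the wildcard must be the entire left-most label and it matches exactly
one label, never a dot.  This is why a two-level subdomain such as
2.1.example.com is not covered by *.example.com.
"""


def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """Return True if cert_name (possibly a wildcard) covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # Only a left-most label that is exactly "*" is honoured; partial
    # wildcards such as "a*.example.com" are rejected.
    if cert_labels[0] != "*" or "*" in cert_labels[1:]:
        return False
    # Refuse overly broad names like "*.com" (at least two labels must follow).
    if len(cert_labels) < 3:
        return False
    # The wildcard consumes exactly one label, so the label counts must agree:
    # this is the check that fails for 2.1.example.com (4 labels vs 3).
    if len(host_labels) != len(cert_labels):
        return False
    return host_labels[1:] == cert_labels[1:]


def covered_by_universal_cert(zone: str, hostname: str) -> bool:
    """Assumption from the thread: the Universal cert names the zone apex
    and *.zone.  Report whether hostname is covered by either."""
    return wildcard_matches(zone, hostname) or wildcard_matches(f"*.{zone}", hostname)


if __name__ == "__main__":
    zone = "example.com"  # constructed sample zone, not a real deployment
    for host in ["example.com", "app.example.com", "2.1.example.com", "2-1.example.com"]:
        print(f"{host:18} covered by Universal cert: {covered_by_universal_cert(zone, host)}")
```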

blazing venture

so that would solve the problem?

sour thistle

Using slashes (-) in the name instead of .'s? Yea, it would be the same DNS level, so the wildcard would work for it.

blazing venture

Look in your private message if you wish to

sour thistle

sure

blazing venture

Thank you and I hope it will be of use to many others.