Resolving SSL errors for Donor Portal and Campaign Pages custom domains

When setting up custom domains for Donor Portals and Campaign Pages in Fundraise Up, you may encounter SSL/TLS certificate issues. One common error is ERR_SSL_VERSION_OR_CIPHER_MISMATCH or SSL_ERROR_NO_CYPHER_OVERLAP, which often results from missing or incorrect CAA (Certification Authority Authorization) records.

Automatic SSL certification

Fundraise Up uses Cloudflare to manage SSL/TLS certificates for custom domains. Cloudflare is a widely used content delivery network and security service that handles SSL certificate issuance and renewal through a set of trusted Certificate Authorities (CAs). To ensure that your custom domain is secured with the proper SSL certificate, Cloudflare requires that specific CAA records be configured for your domain so that each of those CAs is authorized to issue for it.

Without the correct CAA records, Cloudflare may be unable to issue the necessary certificates. The custom hostname then has no valid certificate to present, the TLS handshake fails, and the browser reports an error such as ERR_SSL_VERSION_OR_CIPHER_MISMATCH.

For the most up-to-date list of Cloudflare's CA providers, refer to the following Cloudflare documentation: Cloudflare's CA Providers

While your custom domain in Fundraise Up may appear as yoursubdomain.yourdomain.com, all CAA record checks and additions should be performed on the main domain (yourdomain.com). CAA lookups climb from the subdomain to its parent domains, so records set on the main domain apply to every subdomain that has no CAA records of its own. This is crucial for proper SSL certificate issuance.

Diagnosing CAA record issues

To check existing CAA records for your domain:

  1. Using the dig command (Unix-based systems):
    dig -t caa yourdomain.com +short

  2. Online tools:
  3. On Windows: open Command Prompt and type:
    nslookup -type=caa yourdomain.com

These tools will return the current CAA records set for your domain. At a minimum, the following CAA records should be present:

# CAA records added by DigiCert
0 issue "digicert.com; cansignhttpexchanges=yes"
0 issuewild "digicert.com; cansignhttpexchanges=yes"

# CAA records added by Sectigo
0 issue "sectigo.com"
0 issuewild "sectigo.com"

# CAA records added by Let's Encrypt
0 issue "letsencrypt.org"
0 issuewild "letsencrypt.org"

# CAA records added by Google Trust Services
0 issue "pki.goog; cansignhttpexchanges=yes"
0 issuewild "pki.goog; cansignhttpexchanges=yes"

If any of these records are missing, you will need to add them to ensure that Cloudflare can issue the SSL certificates required for your domain.
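As an added example (not Fundraise Up's or Cloudflare's code), the following Python script checks the output of the dig command above against the required list: it parses each CAA line, reports which of the eight records are missing, and separately reports which ones are actually blocking issuance right now, since a zone with no CAA records at all blocks nothing. The sample dig output is constructed.

```python
import re
from typing import Iterable

# CAs listed on this page; "issue" and "issuewild" are both required per CA.
REQUIRED_CAS = ("digicert.com", "sectigo.com", "letsencrypt.org", "pki.goog")
REQUIRED = {(tag, ca) for ca in REQUIRED_CAS for tag in ("issue", "issuewild")}

# One `dig +short` line: <flags> <tag> "<issuer-domain>[; param=value ...]"
CAA_LINE = re.compile(r'^\s*(\d+)\s+(\S+)\s+"([^"]*)"\s*$')


def parse_caa(lines: Iterable[str]) -> set[tuple[str, str]]:
    """Return {(tag, issuer_domain)} parsed from dig +short output.

    Tags are case-insensitive (RFC 8659). Parameters such as
    cansignhttpexchanges=yes are dropped: authorization is decided by the
    issuer domain alone.
    """
    records = set()
    for line in lines:
        m = CAA_LINE.match(line)
        if not m:
            continue  # blank line or unrelated output
        _flags, tag, value = m.groups()
        issuer = value.split(";", 1)[0].strip().lower()
        records.add((tag.lower(), issuer))
    return records


def missing_records(lines: Iterable[str]) -> set[tuple[str, str]]:
    """Required (tag, CA) pairs absent from the zone: the records to add."""
    return REQUIRED - parse_caa(lines)


def blocked_records(lines: Iterable[str]) -> set[tuple[str, str]]:
    """Required pairs on which issuance is refused right now.

    CAA is an allow-list: once any CAA record exists, every CA not named is
    refused. With no CAA records at all, RFC 8659 lets any CA issue, so
    nothing is blocked even though all eight records are still "missing".
    """
    present = parse_caa(lines)
    return REQUIRED - present if present else set()


# Constructed sample: a zone whose CAA set authorizes only Let's Encrypt.
SAMPLE_DIG_OUTPUT = ['0 issue "letsencrypt.org"', '0 issuewild "letsencrypt.org"']

if __name__ == "__main__":
    for tag, ca in sorted(blocked_records(SAMPLE_DIG_OUTPUT)):
        print(f'add: CAA @ 0 {tag} "{ca}"')
```

Pipe real dig output into parse_caa one line at a time to check your own zone; the records it prints are in the same Type/Name/Value form used in the table below.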

Adding CAA records

To resolve SSL certificate issues, add these CAA records to your DNS settings:

Type   Name   Value
CAA    @      0 issue "digicert.com; cansignhttpexchanges=yes"
CAA    @      0 issuewild "digicert.com; cansignhttpexchanges=yes"
CAA    @      0 issue "sectigo.com"
CAA    @      0 issuewild "sectigo.com"
CAA    @      0 issue "letsencrypt.org"
CAA    @      0 issuewild "letsencrypt.org"
CAA    @      0 issue "pki.goog; cansignhttpexchanges=yes"
CAA    @      0 issuewild "pki.goog; cansignhttpexchanges=yes"

Troubleshooting

If errors persist after adding CAA records:

  1. Allow up to 24 hours for DNS propagation.
  2. Clear your browser cache.
  3. Check for conflicting CAA records. CAA is an allow-list: if your zone already has CAA records that name only another CA, every CA not listed is refused, so the records above must be added alongside them rather than assumed to apply.

For persistent issues, contact Fundraise Up support for further assistance.
