I’m sharing this note because the issue may affect other users who use Cloudflare as a proxy.
The issue
Several websites started showing the following error:
ERR_ECH_FALLBACK_CERTIFICATE_INVALID
“This site can’t be reached. The webpage at https://example.com/ might be temporarily down or may have moved permanently to a new web address.”
All domains were configured with the same DNS settings, valid certificates, and hosted on the same server.
However, only some of them failed, while others worked perfectly fine.
The cause
After detailed testing, the problem was traced to a TLS 1.3 handshake issue between the browser and Cloudflare’s edge network.
Even when Encrypted Client Hello (ECH) is not visible in, or explicitly enabled through, the dashboard, Cloudflare still attempts to negotiate ECH internally.
When that negotiation fails, the browser receives an incorrect fallback certificate and shows the invalid certificate error.
The solution
The fix involves two simple steps:
1. Ensure there are at least three active proxied (orange cloud) records in Cloudflare:
- A record → root domain (@)
- AAAA record → root domain (@)
- CNAME record → www pointing to @
Mixing proxied (orange) and DNS-only (grey) records for the same hostname can cause fallback certificate errors.
2. Disable TLS 1.3 in Cloudflare:
- Go to SSL/TLS → Edge Certificates
- Turn off “TLS 1.3”
After disabling TLS 1.3, all affected sites immediately started working again without errors.
How to confirm if your domain is affected
Check if ECH is active
dig example.com HTTPS @1.1.1.1 +short
If the result includes something like ech="xxxx...", ECH is active.
Test the TLS 1.3 handshake
openssl s_client -connect example.com:443 -servername example.com -tls1_3
If you see:
alert protocol version: SSL alert number 70
no peer certificate available
then Cloudflare’s edge is rejecting the TLS 1.3 handshake.
Compare with TLS 1.2
openssl s_client -connect example.com:443 -servername example.com -tls1_2
If TLS 1.2 works correctly but TLS 1.3 fails, the issue is confirmed.
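The three checks above, wrapped in a small script so a domain can be tested in one go. This is an added example, not part of the original post: the classifier functions work on the text that dig and openssl print, the sample outputs in the comments are constructed, and the live check_domain() function assumes dig and openssl are installed and that the machine has network access.

```python
"""Classify the post's three checks: ECH in the HTTPS record, and the
TLS 1.3 vs TLS 1.2 handshake results printed by openssl s_client."""
import re
import subprocess
import sys

ECH_RE = re.compile(r'\bech=')
# Strings the post quotes for a rejected TLS 1.3 handshake.
TLS13_REJECT_MARKERS = ("alert number 70", "no peer certificate available")


def ech_active(dig_short_output: str) -> bool:
    """True if any line of `dig <domain> HTTPS @1.1.1.1 +short` carries an ech= parameter."""
    return any(ECH_RE.search(line) for line in dig_short_output.splitlines())


def handshake_result(s_client_output: str) -> str:
    """Map openssl s_client output to 'rejected', 'ok' or 'unknown'."""
    if any(marker in s_client_output for marker in TLS13_REJECT_MARKERS):
        return "rejected"
    if "Verify return code: 0 (ok)" in s_client_output:
        return "ok"
    return "unknown"


def diagnose(ech: bool, tls13: str, tls12: str) -> str:
    """Apply the post's rule: TLS 1.2 works but TLS 1.3 fails confirms the issue."""
    if tls12 == "ok" and tls13 == "rejected":
        return "confirmed" + (" (ECH advertised)" if ech else "")
    if tls13 == "ok":
        return "not affected"
    return "inconclusive"


def run(cmd: list) -> str:
    """Run a check command; s_client writes alerts to stderr, so return both streams."""
    proc = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=20)
    return proc.stdout + proc.stderr


def check_domain(domain: str) -> str:
    """Live version of the post's checks (needs dig, openssl and network access)."""
    ech = ech_active(run(["dig", domain, "HTTPS", "@1.1.1.1", "+short"]))
    base = ["openssl", "s_client", "-connect", f"{domain}:443", "-servername", domain]
    tls13 = handshake_result(run(base + ["-tls1_3"]))
    tls12 = handshake_result(run(base + ["-tls1_2"]))
    return diagnose(ech, tls13, tls12)


if __name__ == "__main__":
    print(check_domain(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```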
Conclusion
- The error is not caused by the Enhance server, but by the TLS layer between Cloudflare and the client.
- Disabling TLS 1.3 or ensuring all main records are proxied (orange cloud) resolves the issue immediately.
- For those who wish to keep TLS 1.3 enabled, it’s recommended to contact Cloudflare Support and request an edge certificate re-issuance.