Solved Connection error with Cloudflare proxying

guyds

@girish thanks, that's very clear!

In the meantime I experimented a bit with putting my Cloudron on a subdomain and I noticed strange behaviour where the Cloudron dashboard was not accessible anymore. It showed a red bar at the top saying is was reloading or restarting or something similar.

I'm using Cloudflare and noticed the my subdomain was proxied so I turned off the proxying in Cloudflare and then the Cloudron dashboard was accessible again.

The SSL setting was set to Full (strict), so that should be ok I guess?

I seem to remember now that the free version of Cloudflare, which I'm currently using, has some limitations regarding the proxying of wildcard subdomains.
If that's the case, then the only option is to assign different domains for each Cloudron.

girish

@guyds That could just be a temporary cloudflare proxying/caching issue. Usually turning the proxying on/off in Cloudflare fixes it.

For the Full (strict) to work, the domain in Cloudron should use one of the automated DNS providers. Does it? Because otherwise, it will have to get certs from Let's Encrypt via HTTP, which won't work when proxying via Cloudflare. You can also check if there are any errors in the browser console. IIRC, there is something like Rocket Loader or something in Cloudflare which has to be disabled. When enabled, Cloudflare injects some javascript which won't load in Cloudron dashboard because of CSP.

guyds

@girish said in Single domain, multiple cloudrons?:

@guyds That could just be a temporary cloudflare proxying/caching issue. Usually turning the proxying on/off in Cloudflare fixes it.

I tried that, but unfortunately that didn't work.

For the Full (strict) to work, the domain in Cloudron should use one of the automated DNS providers. Does it?
Because otherwise, it will have to get certs from Let's Encrypt via HTTP, which won't work when proxying via Cloudflare.

It's using the Cloudflare DNS provider, so that should be ok I guess?

You can also check if there are any errors in the browser console. IIRC, there is something like Rocket Loader or something in Cloudflare which has to be disabled. When enabled, Cloudflare injects some javascript which won't load in Cloudron dashboard because of CSP.

Rocket Loader is not enabled and I completely purged the Cloudflare cache, but still it doesn't work when I turn on the CF proxy when using a subdomain for the Cloudron.

After hitting shift-refresh in the browser (Firefox), I get the following error:

Edit: to be clear, when I use the main domain everything works fine with the proxy enabled

girish

@guyds If you have CF proxying enabled, then you will always see some Cloudflare UI. Something like below.

In your case, the Secure Connection Failed, I think means something related to browser/HSTS or something. Can you try in another device/browser or clear the browser cache? In Firefox, it's a bit tricky to clear HSTS. Usually, what I do is open my "History" and then right click on the site and there is a "Forget about this site" option.

guyds

@girish You're right, it seems to be related to Firefox.
I tried on 4 different pc's, both regular and private mode, and always that same error. So it has nothing to do with caching but with Firefox in general
When I use chrome or another chrome based browser it works fine.

girish

@guyds oh maybe https://appuals.com/how-to-fix-ssl_error_no_cypher_overlap/

guyds

@girish thanks for that link.
However, in the meantime I'm experiencing the same issue with the chrome based browsers.

So to summarize:
When I use a regular domain there are no issues.
When I switch to a subdomain, the Cloudron isn't accessible anymore on Firefox, but on chrome based browsers it works.
After 10 or 15 mins however, I'm getting a similar error on the Chrome based browsers.
When I turn of the CF proxy for the subdomain, it also works fine in any browser.

So there definitely seems to be an issue with proxying a sub-sub-domain (my.sub.domain.tld) through CF.

girish

@guyds You can check curl https://my.sub.domain.tld with CF proxying turned on. If that doesn't work (gives some TLS/TLS warnings), you can simply open a ticket with Cloudflare.

guyds

@girish That doesn't work either:

curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

So I'll open a ticket with CF.

Thanks for following up on this issue!

guyds

Ok, so I was correct when I said I seemed to remember there are some limitations with CF proxy and subdomains in the free plan.
When trying to open a ticket with CF regarding this issue I was pointed to the following link on their community:
https://community.cloudflare.com/t/subdomain-too-deep/81872

The certificates available with the free account (universal certificates) cover only one level of subdomains so my.domain.tld is covered, but my.sub.domain.tld isn't.

girish

@guyds Ah, good to know. Did not know this limitation!

humptydumpty

@girish I just ran into this issue and I'm glad I found this thread. Can you please add the limitation as a note to the docs. TIA! https://docs.cloudron.io/domains/#cloudflare-dns

girish

@humptydumpty done