521 even on flex

I am running a website on 2 instances.
Server1: domain and www.domain
Server2: m.domain

All goes well with Cloudflare tuned off.
server2 is ok with Cloudflare on and on full, not with flex.
server1 goes 521 with any setting of Cloudflare.

Nginx has the token and it is editing DNS automatically, all subdomains work well with Cloudflare off. and with certificates, including an origin CA.
UFW is enabled for SSL.
Since server1 works on docker, there is no way to allow Cloudflare but with api-token, which is ok.

I am out of ideas…

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)

[email protected]:~$ curl https://
[email protected]:~$ curl https://
<!DOCTYPE html>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="0;url='/s/dashboard'" />

        <title>Redirecting to /s/dashboard</title>
        Redirecting to <a href="/s/dashboard">/s/dashboard</a>.
</html>[email protected]:~$ curl https:/
[email protected]:~$

Hello there.

Could you check if the installation of origin CA if that is working correctly?
521 error is a sign of web server down where you’ve enabled origin CA in Cloudflare but not installed in the webserver. so, connection is blocked!
You may check this out to configure it correctly:

If you are using Cloudflare for subdomains, those records need to be proxied. Would you try doing that?
Read this if it is useful for you:

Thanks for the support.

The CA appears on browser. Not sure it is the new one. But it loads automatically. I can’t insert it manuallly I use oznu API on docker. It looks ok on logs.

DNS is pushed from oznu auto, whenever I put CNAME to www, it starts logging error.

Cloudflare has this API on Nginx Proxy Manager that does all that.

If I go flex, m.domain disapears.

It was working before someone phished my IP from this community.

Thanks for the update

Its quite weird to hear that!

Since you are using origin CA, why go flex? Full could be the best option

1 Like

Full (Strict) would be even better.

on full strict m.domain is ok, www and apex stop working

Are www and the apex using valid certificates from either the Cloudflare Origin CA or a trusted public CA?

1 Like

I have just checked them today after last night, when I was setting it all up.
They all loaded perfectly.

Is it the propagation time?

Thanks to you for support, sorry for the bother.

Your www and apex are resolving to Cloudflare, so unless they are not supposed to, there is no propagation issue. You appear to be doing your www to apex redirect on Cloudflare and that is working, but Cloudflare is not able to connect to whatever server IP address you have listed in your Cloudflare DNS for the apex.

I would start at the device closest to the edge, perhaps a perimeter firewall, and monitor traffic and logs there while trying to connect through Cloudflare. If that checks out okay, move further along the path and watch the traffic. Something somewhere is prevent the Cloudflare connection, and tracing and isolating seems like an effective means to identify the problem.

1 Like

I spent the day monitoring logs of nginx, ufw (ubuntu firewall) and oznu-Cloudflare API. It looks like the Nginx Proxy Manager and the container-oznu API both call the certificate, edit DNS and manage Cloudflare access. Only I don’t know how to make them connect to the IP becasue they are packed, even if I ssh inside their files, i wouldn’t know how to solve things…

I am starting to think docker installs are a problem.

Where do you see the IPs aren’t being reached, nslookup? dnschecker?

And, do I have to config DNS for subdomains on the registrar as well? I saw on the article above I need to set up subdomain on host… apart from Cloudflare?

thanks a lot.

The Cloudflare proxy error 521 is what tells us that.

In this search, it says because I am pointing the apex to 2 different IPs I am getting failure.

You will always have four IPs when proxying through Cloudflare: two IPv4, and two IPv6. That is expected.

I’m not really sure why you are sharing a Let’s Debug test, as that’s for troubleshooting Let’s Encrypt certificate issuance, and has nothing to do with Cloudflare. Additionally you shared an HTTP-01 test, and your mention of Nginx editing your Cloudflare DNS with a token suggested, to me that you are using DNS-01 validation. Either way, the Let’s Encrypt Community is the place to work out Let’s Encrypt problems.

I am operating on the the information you provided that suggested you have your origin certificates in order. Your 521 error indicates that traffic sent from the Cloudflare proxy to your origin is not being handled correctly at the origin. The forwarded requests are not receiving a response from your origin. This is why I suggest that you monitor the traffic at each point under your control, working your way from the side closest to Cloudflare until you reach the web server.

You can easily generate requests with curl and use a unique string to make it easier to filter. Without knowing where the connection is disrupted, it’s next to impossible to know what needs to be fixed.

1 Like

Did I mention the error 521 just resolved itself today?
I asked how you know Cloudflare is not reaching servers IPs becasue there is no 521 error anymore.

I am not a dev… excuse moi… so I thought I would dig information somewhere out there…
I will try to find more info on how to curl things and dig logs on ssh, because on portainer containers, logs look good. And I think CA is working after turning Cloudflare on, because it loads on browser. 2 IPs from 2 different servers are using the same domain, that is what I thought was wrong.

I still see the Cloudflare 521 page when loading https://theapothecary.app/.

Cloudflare-Nginx Proxy Manager

just in case people need a tutorial of how to install Origin CA on NPM.

1 Like

guys, I finally learned to install Origin Certificate on NPM.
Logs on Nginx show both pem and key, it doesn’t renew it gets stuck on reloading. After i reload nginx, page says: NET::ERR_CERT_AUTHORITY_INVALID

I have created a new cert a couple of times.

Is there paid support on Cloudflare? I think I need someone to help, it will work with LE but Origin either gets automatically substituted by the universal one, or returns invalid for the origin.

1 Like

Thanks for the guide :+1: on how to install Origin CA on NPM.