522 keeps happening - Ep2 - Heroku says the Cloudflare cert is wrong - Makes no sense

Hi, I tried to solve the 522 that was mysteriously happening to my site with my Heroku account, and they said that my Cloudflare cert is not valid. It's funny because I have two addresses with the same cert, one works fine and the other does not. Do you have any clue?

Here's my old closed thread

and Sitemeer for both :slight_smile:

http://sitemeer.com/#https://helpbuttons.org

http://sitemeer.com/#https://botonesdeayuda.org

No idea of this?

That last thread was a really long one, and a thorough mystery.

Can you or they be more specific? Which cert? Did you generate an origin cert? An authenticated origin pull cert? Or an edge cert? And what’s not valid about it?

I generated a cert for both my domains in Cloudflare and pasted it in Heroku. They said it's invalid, but I'm sure it's the proper code I copied from Cloudflare and everything is like it should be. I kept the private key and established strict mode. And that's all. After I did what you said and deactivated Cloudflare so they could check everything, they said the cert was wrong. But I'm waiting for a new response after I hated my settings.

On Mon, May 17, 2021 at 10:48 PM, sdayman via Cloudflare Community <[email protected]> wrote:

To others, that certificate won’t pass authentication. But to Cloudflare, it will, since Cloudflare generated it. Otherwise you would get a 525 or 526 error.

Ok. It's strange, since it's working fine for one of my domains and not for the other, with the same cert. So you mean I shouldn't use that cert on Heroku?

On Tue, May 18, 2021 at 12:05 AM, sdayman via Cloudflare Community <[email protected]> wrote:

The same identical cert? On two different domains? Maybe try new origin certs, but a separate one for each domain.

I made two certs now, but still the same error in Sitemeer.
http://sitemeer.com/#https://helpbuttons.org

Same with KeyCDN’s test. At this point, there’s just nothing the Community can assist with. It has to be looked into by Cloudflare and Heroku to find out why it’s not working and inconsistent. Would it be difficult to spin up a free Heroku environment on a new Heroku account on a spare domain you have?

News from Heroku :slight_smile:

Right now it's still hard to say what's going on. Even with Cloudflare turned off, it's still showing them as your DNS hosts:

$ dig +short NS helpbuttons.org
camilo.ns.cloudflare.com.
candy.ns.cloudflare.com.

Although it looks like you may be using the ALIAS record from DNSimple:

$ dig +noall +answer helpbuttons.org
helpbuttons.org.	300	IN	A	3.226.50.252
helpbuttons.org.	300	IN	A	35.153.56.97
helpbuttons.org.	300	IN	A	52.206.211.104
helpbuttons.org.	300	IN	A	34.206.174.224
helpbuttons.org.	300	IN	A	52.5.208.118
helpbuttons.org.	300	IN	A	174.129.26.222
helpbuttons.org.	300	IN	A	52.20.200.43
helpbuttons.org.	300	IN	A	34.193.233.154

However, those IP addresses are not correct. You really need to be following this issue up with either DNSimple or Cloudflare. There are no issues on the Heroku side.

When I curl your domain I'm getting all different responses, which to me also indicates your ALIAS record is not expanding your flat-swallow-ofn3a5e436m5fbxsd8uqml1x.herokudns.com DNS target's A records correctly:

$ curl -I helpbuttons.org
HTTP/1.1 200 OK
Date: Mon, 24 May 2021 02:07:24 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: PHPSESSID=10cof5emk3krpqavho0qjjm7m3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

$ curl -I helpbuttons.org
HTTP/1.1 400 Bad Request
Content-Length: 154
Content-Type: text/html
Date: Mon, 24 May 2021 02:07:43 GMT
Server: Armis
Connection: keep-alive

$ curl -I helpbuttons.org
HTTP/1.1 301 Moved Permanently
Server: awselb/2.0
Date: Mon, 24 May 2021 02:07:49 GMT
Content-Type: text/html
Content-Length: 134
Connection: keep-alive
Location: https://helpbuttons.org:443/

$ curl -I helpbuttons.org
HTTP/1.1 301 Moved Permanently
Server: Cowboy
Date: Mon, 24 May 2021 02:10:00 GMT
Connection: keep-alive
Content-Type: text/html
Location: https://helpbuttons.org/
Vary: Origin
Via: 1.1 vegur

The only request here that hit Heroku is the last one, indicated by the Via: 1.1 vegur header.

Now I'm asking DNSimple too. Nobody seems to know.

News from DNSimple. Heroku says it's a Cloudflare thing, and they said it's not on their side:

I can see that the ALIAS record for helpbuttons.org expands to the following A RRSet:

dig @ns1.dnsimple.com helpbuttons.org

;; ANSWER SECTION:
helpbuttons.org. 3600 IN A 34.239.208.97
helpbuttons.org. 3600 IN A 3.208.247.60
helpbuttons.org. 3600 IN A 3.211.204.50
helpbuttons.org. 3600 IN A 3.222.61.237
helpbuttons.org. 3600 IN A 34.194.108.77
helpbuttons.org. 3600 IN A 52.204.138.61
helpbuttons.org. 3600 IN A 3.212.138.198
helpbuttons.org. 3600 IN A 3.215.197.222

Looking at our infrastructure logs, I don’t see any problems with the zone records and ALIAS expansion for helpbuttons.org, so no indication of any failures on our side.

Also, I can see that www.helpbuttons.org is a CNAME and points to a different Heroku instance, experimental-endive-9hnr81mcz3th6w0fthi1g3zz.herokudns.com, and the SSL certificate is failing.

Could you please give me some more debug information from your test endpoints to see the IPs resolved and possible other errors?

I posted the answers from both parties; Cloudflare is paused, and they seem to say it's a Cloudflare thing. Any idea?

DNSimple says I need to end services with Cloudflare. Do you see any alternative? Thank you

I think I can see where the problem lies.

We properly expand the ALIAS record for helpbuttons.org and you can see that the A RRSet returned is similar to the one returned for flat-swallow-ofn3a5e436m5fbxsd8uqml1x.herokudns.com

Querying ns1.dnsimple.com:

dig +noall +answer @ns1.dnsimple.com helpbuttons.org
helpbuttons.org. 3600 IN A 34.203.109.182
helpbuttons.org. 3600 IN A 52.204.138.61
helpbuttons.org. 3600 IN A 107.21.11.91
helpbuttons.org. 3600 IN A 54.159.124.229
helpbuttons.org. 3600 IN A 34.226.165.133
helpbuttons.org. 3600 IN A 34.207.48.100
helpbuttons.org. 3600 IN A 52.55.225.227
helpbuttons.org. 3600 IN A 34.233.212.111

But we are not the delegated authoritative nameservers at the moment.

Your domain points to *.ns.cloudflare.com at TLD level and the ALIAS resolution goes via them, hence you will need to check the DNS zone data there or re-delegate back to DNSimple authoritative servers.

Any further questions, please let us know.
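The three checks the thread turns on (which nameservers the TLD actually delegates to, whether the A RRset served by the delegated servers matches the one the ALIAS provider expands, and which `curl -I` answers actually reached Heroku, which Heroku's note identifies by the `Via: 1.1 vegur` header) can be scripted so the same comparison is repeated after every change. The script below is an added example, not code from the thread, Cloudflare, Heroku or DNSimple; the embedded dig and curl text is constructed sample output modelled on the transcripts above, and the expected nameserver suffix `.ns.cloudflare.com` is an assumption taken from this thread's delegation.

```python
"""Added example: triage a 522/DNS mystery from captured dig and curl output.

All input below is constructed sample text modelled on the thread; to use it
live, paste in the real output of the commands shown in the comments.
"""

# $ dig +short NS helpbuttons.org
SAMPLE_NS = """\
camilo.ns.cloudflare.com.
candy.ns.cloudflare.com.
"""

# $ dig +noall +answer helpbuttons.org        (answered via the delegated servers)
SAMPLE_DELEGATED_A = """\
helpbuttons.org.\t300\tIN\tA\t3.226.50.252
helpbuttons.org.\t300\tIN\tA\t35.153.56.97
helpbuttons.org.\t300\tIN\tA\t52.206.211.104
"""

# $ dig +noall +answer @ns1.dnsimple.com helpbuttons.org   (ALIAS provider's view)
SAMPLE_PROVIDER_A = """\
helpbuttons.org. 3600 IN A 34.203.109.182
helpbuttons.org. 3600 IN A 52.204.138.61
helpbuttons.org. 3600 IN A 107.21.11.91
"""

# $ curl -I helpbuttons.org   repeated; one constructed response per backend seen
SAMPLE_CURL = [
    "HTTP/1.1 200 OK\nServer: Apache/2.4.41 (Ubuntu)\nConnection: keep-alive\n",
    "HTTP/1.1 400 Bad Request\nServer: Armis\nContent-Length: 154\n",
    "HTTP/1.1 301 Moved Permanently\nServer: awselb/2.0\nLocation: https://helpbuttons.org:443/\n",
    "HTTP/1.1 301 Moved Permanently\nServer: Cowboy\nLocation: https://helpbuttons.org/\nVia: 1.1 vegur\n",
]


def parse_ns(short_output):
    """Nameserver names from `dig +short NS`, trailing dot removed, lower-cased."""
    return {l.strip().rstrip(".").lower() for l in short_output.splitlines() if l.strip()}


def parse_rrset(answer_output, rtype="A"):
    """rdata values of one record type from `dig +noall +answer` output."""
    rdata = set()
    for line in answer_output.splitlines():
        parts = line.split()          # owner ttl class type rdata
        if len(parts) >= 5 and parts[2] == "IN" and parts[3] == rtype:
            rdata.add(parts[4])
    return rdata


def delegation_matches(ns_names, expected_suffix):
    """True when every delegated nameserver is under expected_suffix."""
    return bool(ns_names) and all(n.endswith(expected_suffix) for n in ns_names)


def compare_rrsets(delegated, provider):
    """Split two A RRsets into shared and one-sided addresses."""
    return {
        "common": delegated & provider,
        "only_delegated": delegated - provider,
        "only_provider": provider - delegated,
    }


def parse_headers(raw):
    """(status, {lower-cased header: value}) from one `curl -I` response."""
    lines = [l for l in raw.splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def reached_heroku(raw):
    """Per Heroku's note in the thread, only responses carrying Via: 1.1 vegur hit Heroku."""
    _, headers = parse_headers(raw)
    return "vegur" in headers.get("via", "").lower()


def diagnose(ns_output, delegated_output, provider_output, curl_outputs,
             expected_ns_suffix=".ns.cloudflare.com"):
    """Summarise the three checks as plain data the caller can print or assert on."""
    ns = parse_ns(ns_output)
    diff = compare_rrsets(parse_rrset(delegated_output), parse_rrset(provider_output))
    backends = [parse_headers(r)[1].get("server", "?") for r in curl_outputs]
    return {
        "delegated_to_expected_ns": delegation_matches(ns, expected_ns_suffix),
        "nameservers": sorted(ns),
        "rrset_diff": diff,
        "rrset_consistent": not diff["only_delegated"] and not diff["only_provider"],
        "backends_seen": backends,
        "heroku_hits": sum(reached_heroku(r) for r in curl_outputs),
        "total_requests": len(curl_outputs),
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_NS, SAMPLE_DELEGATED_A, SAMPLE_PROVIDER_A, SAMPLE_CURL)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample data the report says the domain is delegated to Cloudflare's nameservers, the delegated A RRset shares no address with the provider's expansion, four distinct Server values were seen and only one of four requests carried the Heroku `Via` header. That combination is exactly the DNSimple diagnosis: the ALIAS expansion the owner expects is not what the delegated servers are serving, so fixing it means editing the zone at the delegated provider or re-delegating. Note that Heroku's ALIAS targets rotate, so two RRsets captured at different times can legitimately differ; compare snapshots taken back to back.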

I don’t know why DNSimple is involved, but you may just try the “Pause Cloudflare on Site” option from the Overview page at dash.cloudflare.com. That will put your domain in pure DNS mode and bypass any Cloudflare services.

It's already paused, and all those messages were received with Cloudflare paused. DNSimple is my domain registrar. I started to use Cloudflare because I needed it for some email services to work with SSL. Should I remove my domains from Cloudflare? Thank you

Can you post a screenshot of the 522 error?

Cloudflare doesn’t provide SSL for email. And all SSL starts at your host.

When I pause Cloudflare I cannot show the 522 error. It just shows a "connection is not private" error. If I enable Cloudflare is when I see a 522 in Italy and other countries, but not in all of Spain.

This is also Sitemeer with Cloudflare not enabled: http://sitemeer.com/#https://helpbuttons.org

I’m afraid there’s nothing else we can help you troubleshoot. Your last hope is if Support can trace the error.

To contact Cloudflare Customer Support, login & go to https://dash.cloudflare.com/?account=support and select get more help. If you receive an automatic response that does not help you, please reply and indicate you need more help.

This is the 522 error. This is so exhausting. My site has been down for two months now. XD

What happens is that Cloudflare DNS still shows with Cloudflare paused too. Did you see the messages from the other services?

Right now I'm even confused about why I use Cloudflare. Do you see any feature that Cloudflare has that DNSimple hasn't? If not, I'll try to go back to just DNSimple, but I'm not sure what will happen.