Cloudflare connects to origin server on Port 80 instead of 443

Hello,

I just randomly found out that my server tells me I’m connected via Port 80 instead of 443, although I’m using the Full SSL setting (see screenshot below). Why would that be? If I connect directly via my IP address over https, it shows “connected via Port 443”. What’s wrong here?

Kind regards!

And you’re using https:// to connect to your domain’s hostname?

correct.

Full should connect to your server on Port 443. That’s about all the troubleshooting we can offer without any other information. Even then, if you posted the URL for that test, that would only give us half-visibility. Your server’s realtime logs might give you more insight into how Cloudflare is connecting to your server.

Logs don’t show anything unusual. Any ideas how such an error could happen, maybe Cloudflare config settings?

Hi @lupusargentum,

The only thing I can think of Cloudflare-wise, if you are accessing over HTTPS, is if the SSL mode was set to Flexible, not Full as stated…

I double-checked that, but it is set to Full. I set up a temporary virtual host for testing with another subdomain (also through the Cloudflare network), same issue. I am using a clean Ubuntu VPS. On Cloudflare, I set a page rule which sets the Cache Level to Bypass, if this could help.

I also tried using a different hostname for which I don’t host the DNS at Cloudflare, this one connects correctly via Port 443.

Could this problem be related to DNSSEC? All domains in my account which have enabled DNSSEC face this issue, the one without it connects just fine on 443.

Sounds like black magic to me. DNSSEC shouldn’t have anything to do with SSL directly. Indirectly, if DNSSEC is hosed, then you won’t even get to the point where you can use SSL.

Try some curl experimentation, such as:
curl -I --resolve example.com:443:123.123.123.123 https://example.com/
(but change the 123s to your actual host IP address…then try again with your Cloudflare IP address)

And/or open a Support Ticket and let us know what they find. But I’d really like to see what your curl results are.

Login to Cloudflare and then contact Cloudflare Support by clicking on the Get More Help button.

curl result with Host IP:

HTTP/2 200
content-encoding: gzip
accept-ranges: bytes
cache-control: max-age=604800
content-type: text/html; charset=UTF-8
date: Mon, 08 Jul 2019 21:17:50 GMT
etag: "1541025663+gzip"
expires: Mon, 15 Jul 2019 21:17:50 GMT
last-modified: Fri, 09 Aug 2013 23:54:35 GMT
server: ECS (bsa/EB18)
x-cache: HIT
content-length: 606

curl result with Cloudflare IP:

HTTP/2 200
content-encoding: gzip
accept-ranges: bytes
cache-control: max-age=604800
content-type: text/html; charset=UTF-8
date: Mon, 08 Jul 2019 21:23:05 GMT
etag: "1541025663+gzip"
expires: Mon, 15 Jul 2019 21:23:05 GMT
last-modified: Fri, 09 Aug 2013 23:54:35 GMT
server: ECS (bsa/EB18)
x-cache: HIT
content-length: 606

I messed up the curl command a bit (I left in an old hostname). There are two spots for your domain name (example.com).

There should be at least two Cloudflare headers in the response:

  • server: cloudflare
  • cf-ray: BUNCHOFHEX-AIRPORTCODE

But I don’t see those in the Cloudflare IP results.

So the first curl tells me there is a self-signed cert on my server, which is correct (with Host IP)

curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

With Cloudflare IP:

HTTP/2 200
date: Mon, 08 Jul 2019 22:11:13 GMT
content-type: text/html;charset=UTF-8
set-cookie: __cfduid=d5123a0e9bdbc7d5b8c049d19b1ee576c1562623873; expires=Tue, 07-Jul-20 22:11:13 GMT; path=/; domain=.myDomain; HttpOnly; Secure
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 4f35648829a5645b-FRA

Well…that’s all we can do to check from our end. You’ll have to take it up with Support to see why SSL: Full isn’t hitting 443 on your server.

Yeah, I already issued a ticket. Thanks for the help anyways.

Kind regards

If you share the ticket number here, @cloonan may keep an eye on it for you 🙂

The number is #1716007. Thanks!

So, I finally found out what caused this error. It was caused by a misconfiguration on my side which I overlooked for a while: I didn’t put the SSLCertificateFile and SSLCertificateKeyFile of Apache’s default self-signed certificates into the 443-VirtualHost-Config because it seemed to work without it. Took me quite a while to understand that this was the problem. Sorry for the inconvenience, consider this case closed.
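
An added example, not part of the original thread and not Cloudflare's or Apache's own code: a shell check for the misconfiguration described in the post above. It reads Apache configuration and flags any port-443 VirtualHost that lacks SSLCertificateFile or SSLCertificateKeyFile; the SSLEngine check, the function names and the sample config are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Flags port-443 vhosts without TLS directives.

# Reads Apache config on stdin; prints one line per incomplete 443 vhost.
audit_ssl_vhosts() {
    awk '
    { d = tolower($1) }                    # directive names are case-insensitive
    d ~ /^#/ { next }                      # skip comment lines
    d == "<virtualhost" {
        is443 = ($0 ~ /:443([^0-9]|$)/)    # match *:443 but not :4430
        start = NR; name = "(no ServerName)"
        eng = cert = key = 0
    }
    d == "servername"            { name = $2 }
    d == "sslengine"             { eng = (tolower($2) == "on") }
    d == "sslcertificatefile"    { cert = 1 }
    d == "sslcertificatekeyfile" { key = 1 }
    d == "</virtualhost>" && is443 {
        missing = ""
        if (!eng)  missing = missing " SSLEngine"
        if (!cert) missing = missing " SSLCertificateFile"
        if (!key)  missing = missing " SSLCertificateKeyFile"
        if (missing != "") printf "line %d %s: missing%s\n", start, name, missing
        is443 = 0
    }'
}

# Constructed sample: the second vhost omits the certificate directives,
# as the poster described; the third uses the Ubuntu default self-signed pair.
sample_config() {
    cat <<'EOF'
<VirtualHost *:80>
    ServerName test.example.com
</VirtualHost>
<VirtualHost *:443>
    ServerName test.example.com
    DocumentRoot /var/www/test
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>
EOF
}

sample_config | audit_ssl_vhosts
```

On Ubuntu, `cat /etc/apache2/sites-enabled/*.conf | audit_ssl_vhosts` runs it over the enabled sites; it does not follow Include directives or settings inherited from the global server config.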

Thanks for updating us, @lupusargentum, and letting us know that you found the cause. Please also let support know on the ticket.

Marking this as closed 🙂
