Cloudflare Proxy to HAProxy w/ Origin getting 526

So I decided to try to add Cloudflare proxy in front of my HAProxy setup. My HAProxy setup is working perfectly using Let’s Encrypt certificates. I run two ports, 443 and 80, which just redirects to 443. What I did was to grab an origin certificate and then enabled proxy. I placed the origin certificate on HAProxy and set that to the default on HAProxy. All seems good except that I’m getting a 526 error. I tried disabling the domain and checking the certificate. When I do that I get the origin certificate back. Looking at the log in HAProxy I see an error saying ssl handshake failed from Cloudflare IPs. But I can’t figure out why.

Any suggestions?

Update, it works in full mode, but not full strict using the origin certificate.

If it works without certificate validation, that means that your certificate is not properly configured. Of course, that’s an insecure setup.

I’d suggest you pause Cloudflare and check what certificate you get.

What’s the domain?
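To see from the outside what Full (strict) checks that Full does not, here is an added probe (not code from the thread): it performs the same TLS handshake with SNI against the origin, once without verification (Full) and once verifying against a CA file (Full strict), and reports where the handshake fails. The IP, port, hostname and CA file path are placeholders; `hostname_covered` is a helper added here to show which SNI names a certificate's DNS SANs actually cover.

```python
import socket
import ssl

ORIGIN_IP = "203.0.113.10"                  # placeholder: origin host IP
ORIGIN_PORT = 2053                          # port Cloudflare traffic is NATed to
SERVER_NAME = "example.com"                 # placeholder: hostname sent in SNI
ORIGIN_CA_FILE = "origin_ca_root.pem"       # placeholder: CA file to verify against


def hostname_covered(sans, server_name):
    """True if server_name is matched by one of the certificate's DNS SANs.

    Mirrors what verifiers accept: exact match, or a wildcard that replaces
    exactly one leftmost label (*.example.com covers www.example.com but
    neither example.com nor a.b.example.com).
    """
    name = server_name.lower().rstrip(".")
    for san in sans:
        san = san.lower()
        if san.startswith("*."):
            suffix = san[1:]  # ".example.com"
            if name.endswith(suffix) and "." not in name[: -len(suffix)]:
                return True
        elif san == name:
            return True
    return False


def probe_origin(ip, port, server_name, cafile=None, timeout=5.0):
    """Handshake with the origin and return a dict describing the outcome.

    cafile=None behaves like Full mode (encrypt, do not verify);
    a cafile behaves like Full (strict): chain must verify and SNI must match.
    """
    ctx = ssl.create_default_context()
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.load_verify_locations(cafile=cafile)
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                cert = tls.getpeercert() or {}  # empty dict when unverified
                sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return {"ok": True, "version": tls.version(), "san": sans,
                        "sni_covered": hostname_covered(sans, server_name)}
    except ssl.SSLCertVerificationError as e:  # chain or hostname rejected
        return {"ok": False, "stage": "verify", "error": e.verify_message}
    except ssl.SSLError as e:                  # origin aborted the handshake
        return {"ok": False, "stage": "handshake", "error": str(e)}
    except OSError as e:                       # TCP-level failure
        return {"ok": False, "stage": "connect", "error": str(e)}
```

Run `probe_origin(ORIGIN_IP, ORIGIN_PORT, SERVER_NAME)` and then the same call with `cafile=ORIGIN_CA_FILE`; a success in the first and a `verify` failure in the second is the Full-works-but-strict-fails symptom, and the `error` field says whether the chain or the name was rejected.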

I did pause it. And my server is returning the origin certificate. I can pm it to you, but don’t want to post it publicly.

The part that’s confusing me is that the origin certificate is the one installed. I’m guessing it’s some sort of setting on the HAProxy frontend, but I have no idea what. It works fine with the origin server and Chrome (obviously the cert is invalid)… And it worked fine with the Let’s Encrypt certificate. There is something about HAProxy that isn’t working correctly.

I am afraid you cannot send private messages here. You can post it temporarily and then remove the posting.

t is the host.

All right, you can remove your posting.

The IP address of that host does not happen to end in 31, does it?

Nope. 81. But the normal 443 is a different server. I dstnat 2053 from Cloudflare IPs.

Would you feel comfortable to post the IP address temporarily as well?

All right.

Like I said though… It’s only from Cloudflare. I can make it on 443 also if you want

Which port are we talking about, 443 or 2053?

Also, have you locked down the machine? I can’t reach either port.

Yes. It’s locked down. US only, 443 open. 443 from Cloudflare IPs goes to 2053; 2053 externally is closed.

Can open it up though if you want

I can open it easily. Give me 2 minutes

Never mind, got it already :)

Currently I am getting a Let’s Encrypt certificate.

It’s open on 2053

So thoughts?