We have an A record set up in one of our domains that is configured to just use DNS and not proxy because we have our own TLS setup, in-house CA, client certificate authorization etc., so we definitely only want DNS and not proxy mode. This all was working fine for maybe 2 years, and today all of a sudden we are seeing almost nothing but “526: Invalid SSL certificate” responses from our endpoint - the response body includes HTML markup that seems to be generated by CF and not us (we don’t return HTML, it’s a REST API).
I can’t find anything about this error that isn’t related to using proxy mode. Can anyone shed any light on what’s going on here? I feel that if this isn’t resolved soon we might have to ditch CF for this endpoint really rather quickly, as it’s affecting our customers.
Not using Warp (don’t even know what that is). DNS hasn’t changed - I’ve confirmed it’s resolving to the correct IP address of our public load balancer. It’s been working fine for 2 years and it’s just begun to return these weird errors today. Not all the time, but very often. I just can’t understand why CF would be intercepting anything when in DNS-only mode.
Perhaps DNS returns the wrong IP every so often. I’ll set up a script to resolve the host name on a loop and report any reply that isn’t the IP address of our LB.
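A minimal version of the resolver-loop check described in this post, added here as an example (not code from anyone in the thread); the hostname, expected load balancer address and polling interval are placeholders, and the script only resolves A records with the local resolver, it does not decide why an answer differs.

```python
import socket
import sys
import time

# Placeholder values: replace with the real hostname and the A record's IP(s).
HOSTNAME = "api.example.com"
EXPECTED_IPS = {"203.0.113.10"}   # constructed documentation-range address
INTERVAL_SECONDS = 5


def resolve_a_records(hostname: str) -> set[str]:
    """Return every IPv4 address the local resolver currently gives for hostname."""
    infos = socket.getaddrinfo(hostname, None, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return {sockaddr[0] for _, _, _, _, sockaddr in infos}


def unexpected_answers(answers: set[str], expected: set[str]) -> set[str]:
    """Addresses in the answer that are not our load balancer.

    For a DNS-only record this set should always be empty; anything in it
    means clients are being sent somewhere other than the LB.
    """
    return set(answers) - set(expected)


def classify(answers: set[str], expected: set[str]) -> str:
    """Summarise one resolution: ok, mixed, diverted or no-answer."""
    if not answers:
        return "no-answer"
    if not unexpected_answers(answers, expected):
        return "ok"
    return "mixed" if answers & expected else "diverted"


def monitor(hostname: str, expected: set[str], interval: int, iterations=None) -> None:
    """Resolve on a loop and print one line per query, flagging any bad answer."""
    n = 0
    while iterations is None or n < iterations:
        try:
            answers = resolve_a_records(hostname)
        except socket.gaierror:
            answers = set()
        status = classify(answers, expected)
        stamp = time.strftime("%Y-%m-%dT%H:%M:%S")
        prefix = "OK   " if status == "ok" else "ALERT"
        print(f"{prefix} {stamp} {hostname} {status} answers={sorted(answers)}",
              file=sys.stdout if status == "ok" else sys.stderr)
        n += 1
        if iterations is None or n < iterations:
            time.sleep(interval)


if __name__ == "__main__":
    monitor(HOSTNAME, EXPECTED_IPS, INTERVAL_SECONDS)
```

Run it from a few different networks as well, since recursive resolvers cache independently and one vantage point can look healthy while another is not.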
We are experiencing the same issue. DNS only mode was working for years, but now the hostname resolves to Cloudflare IPs in most (but not all) instances.
Hi. Yes, we did. So CF must have changed the way certain things work in certain scenarios because, as I’ve said already, we had been running fine for about 2 years until this week. We had the following setup:
This worked fine until Monday. Requests would alternate between being direct or being proxied; roughly 1 in 5 would proxy, until all did by Wednesday.
My colleague in the end just tried creating a new A record to point to the same IP and made this one DNSONLY, and that finally fixed it. So it would seem the entire DNS route has to be DNSONLY for it to work. This didn’t used to be the case.
Glad we weren’t the only ones bitten - was starting to think we were going insane. Every response from CF support was the same: fix your certificate, regardless of how many times we explained we wanted direct DNS only - no proxy. Anyway, we will be keeping the new DNS setup in case this is resolved and then breaks again.