DNS will not resolve to IPv4

Honestly I don’t know why I mapped it to port 80, just out of convenience. But I also tried starting a php server on 443 internally and that still did not work.

That's definitely possible if you don't need to rewrite to HTTPS on your Origin, which is the case because you use the Always HTTPS Setting in Cloudflare.

They are doing this when the Setting is enabled. So the Problem needs to be somewhere else.

Do you mind sharing your Domain with us?

The only thing that seems to connect to the server is sending a plain http request to port 443. It makes the connection to the server but is rejected because it is just http and not https. Maybe this is a clue?

I also changed the internal port to 443. It has nothing to do internally because I determined that it works. But cloudflare cannot connect to the site externally.

What are your SSL Settings in Cloudflare under SSL/TLS in your Dashboard? Can you post a Screenshot of them, maybe?

Your Cloudflare SSL Settings are alright. Cloudflare should not try to connect per HTTP when your Security Setting is Full. On Full Cloudflare only connects per HTTPS.

When you connect directly to your IP with Port 443, it's working, right?

Yes, if I do http://ip:443 that is plain, of course. And when I do https://ip it shows the SSL error because I don't have a cert directly on the IP address. So it seems to be working.

curl -I trixdev.xyz
HTTP/1.1 301 Moved Permanently
Date: Sat, 06 Mar 2021 18:26:32 GMT
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Sat, 06 Mar 2021 19:26:32 GMT
Location: https://trixdev.xyz/
cf-request-id: 08aa6399df00004d898820c000000001
Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=JLFlw8x1kIg8hWTHithDLdJ%2BS2kJ4KzE5VwTbR9v1Z9%2F1SsrFOANEB2i2Ysj5zrKB2XZ1MfDfFvJ74lW4s1s77F24i0%2FWaoWuRM%2Bkw%3D%3D"}],"max_age":604800}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 62bda2096cbd4d89-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400

curl -I https://www.trixdev.xyz
HTTP/2 525
date: Sat, 06 Mar 2021 18:26:48 GMT
content-type: text/html
set-cookie: __cfduid=d10d9d078d6ad69373f5adb0039d997181615055207; expires=Mon, 05-Apr-21 18:26:47 GMT; path=/; domain=.trixdev.xyz; HttpOnly; SameSite=Lax; Secure
cache-control: no-store, no-cache
cf-request-id: 08aa63d59d000016e6c2b83000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=gtsTbvLnSKGIx3hbhBsvXwxUDVSrOy1QEMOEUkGZ5ySXakE0u4RMO4B6DCeKZc1rBhdMeqGate2uoSSes8JlYJWgcERtX%2BNY4HkgjXhNWoE%3D"}],"max_age":604800}
nel: {"max_age":604800,"report_to":"cf-nel"}
server: cloudflare
cf-ray: 62bda268fde416e6-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400

Kindly follow the steps as written here:

curl -I https://trixdev.xyz
HTTP/2 522
date: Sat, 06 Mar 2021 18:28:35 GMT
content-type: text/html
set-cookie: __cfduid=d145e9173b3845e1eb2c5866da220c40c1615055284; expires=Mon, 05-Apr-21 18:28:04 GMT; path=/; domain=.trixdev.xyz; HttpOnly; SameSite=Lax; Secure
cache-control: no-store, no-cache
cf-request-id: 08aa65027300004e078608c000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=LUVJ%2FpmNjGg4uSEke%2FddNz5YhnqP%2FnHc3P5WliaXwH2wgRPrQNxyGVJeai8SnhyTfsYClMGx1QhM7cz4PeFZtpcWeoZZa6qi5T6C8A%3D%3D"}]}
nel: {"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 62bda44a5e1f4e07-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400

[email protected]:~ curl -svo /dev/null https://trixdev.xyz --connect-to ::ip 2>&1 | egrep -v "^{.*|^}.*|^* http.*"

* Connecting to hostname: ip
*   Trying ip:443...
* TCP_NODELAY set
* Connected to ip (ip) port 443 (#0)
* ALPN, offering h2
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0

The guide says I should disable TLS 1.3, but I just tested all TLS versions and all fail with the "wrong version number" error.

Can you check if you have ca-certificates installed and updated?

What is your web server config file looking like?
You said you proxy something to somewhere? What proxy ssl protocols have you enabled?
Is your app listening on https 443 port?
443 to 80 or vice-versa?

Exposing port 443 to public should fix this issue.

This error usually occurs if you attempt to connect to something that isn’t using SSL/TLS.
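An added diagnostic (not from the thread) that reproduces locally what the curl test above found and what Cloudflare reports as 525: a probe that attempts a TLS handshake against an origin's port 443 and tells a listener that answers in plain HTTP apart from a port with nothing behind it. The plain-HTTP listener and the unused-port helper are constructed stand-ins for the misconfigured Apache, not real server code.

```python
# Added example, not from the thread: classify why a TLS connection to an
# origin's :443 fails. Apache listening on :443 without "SSLEngine on" answers
# the ClientHello with plain HTTP; OpenSSL calls that "wrong version number".
import socket
import ssl
import threading


def probe_origin(host, port=443, sni=None, timeout=3.0):
    """Return 'tls_ok', 'not_tls', 'refused' or 'timeout' for host:port."""
    ctx = ssl.create_default_context()
    # Handshake only: Cloudflare "Full" accepts any origin cert, so validation is off here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
                return "tls_ok" if tls.version() else "not_tls"
    except ConnectionRefusedError:
        return "refused"   # nothing listening: Cloudflare shows 522
    except socket.timeout:
        return "timeout"   # filtered/blocked: also a 522
    except (ssl.SSLError, ConnectionResetError):
        return "not_tls"   # peer spoke plain HTTP or hung up: 525


def start_plain_http_origin():
    """Constructed stand-in for the misconfigured origin: a listener on
    127.0.0.1 that answers whatever it receives (a ClientHello) with HTTP."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)  # the TLS ClientHello, read as opaque bytes
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """Pick a port nothing listens on, to show the 'refused' classification."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

`probe_origin("127.0.0.1", start_plain_http_origin())` returns "not_tls", the same failure curl showed above; run it against your own origin IP with `sni` set to the site hostname to see the origin the way Cloudflare does.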

What’s the openssl version you have on the client machine?

What is the output of running openssl version -a and which openssl?

What Web server are you running? Apache or Nginx?

As far as running the Apache Web server, have you checked if ports 443 and 80 are open at your origin?

sudo netstat -tulpn | grep :80
sudo netstat -tulpn | grep :443 or sudo lsof -i tcp:443

Moreover, for Apache, have you got ssl_module installed and loaded correctly?
/etc/httpd/conf.d or ssl.conf:

LoadModule ssl_module modules/mod_ssl.so
Listen 443

What happens when you temporarily disable Cloudflare? (Pause it, put it in Development mode, or switch the :orange: records to :grey:)

It looks like there’s something wrong with your server configuration, OpenSSL or something like that.
What PHP version do you have?

The ports are both listening for apache. Here is the configuration file for port 443. Port 80 is above it out of view.

You don't have SSL enabled for Port 443.

Your Port 443 Vhost needs to look something like this:

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /root/ssl/domain-name.crt
    SSLCertificateKeyFile /root/ssl/domain-name.key

    ServerAdmin [email protected]
    ServerName localhost

    DocumentRoot /var/www/domain-name/
</VirtualHost>

So you need to add

SSLEngine on
SSLCertificateFile /root/ssl/domain-name.crt
SSLCertificateKeyFile /root/ssl/domain-name.key

Of course you need to replace these Paths with the Paths to the correct Files on your Server.


And to be sure that SSL is loaded correctly, execute “a2enmod ssl” in your Console, then restart your Apache2 Server and make sure that the File “etc/apache2/ports.conf” looks like this:


Good to know that this fixed it :smiley:
