Domain through DNS-only OK, but not proxied

blurb2m · February 19, 2021, 7:24am

I have my domain through domain.com and have changed my NS over to the two provided by cloudflare.
I am able to gray cloud access my CNAME records for subdomains through https (it shows not secure) but I can see the page content.
If I turn on proxied (orange cloud) in DNS, I receive a 522 error and I see no incoming connections from cloudflare.
I ran the diagnostics on cloudflare of one of the CNAME records that I can access via DNS-only. I turned it onto proxied prior to running the test.

Check nameservers: Looking good!
Check DNSSEC config: no_dnssec_found
Check DS record: not_found_ds_record
Check if connecting to domain com works: Looking good!
Check if connecting to www domain com works: Looking good!
No MX record
Check for redirect loop: request_failed
HTTPS status: fail
Redirecting unencrypted HTTP traffic: request_failed
Check the status of encrypted traffic: Looking good!
Mixed content: request_failed
Check site speed (TTFB): request_failed

Any help would be greatly appreciated!

sdayman · February 19, 2021, 4:04pm

What does your CNAME point to? Something else in your own domain? Or is it outside your domain?

blurb2m · February 19, 2021, 4:14pm

The CNAME records (subdomains) point back to the main domain.
CNAME record: Name - nextcloud | Content - maindomain.com | Proxy status - Proxied
A record: Name - maindomain.com | Content - IPv4 address | Proxy status - Proxied
Both of these result in 522 error.

CNAME record: Name - ombi | Content - maindomain.com | Proxy status - DNS only
This one lets me through with other configuration left the same. (but with cert not secure error that i click proceed anyway)

sdayman · February 19, 2021, 4:19pm

A far as those diagnostics, those align with what you’re seeing. DNSSEC can be ignored, as you most likely don’t have that enabled. The rest is just because of the 522.

I’m quite sure Cloudflare is still trying to reach your server. Which logs are you checking?

Since it’s NextCloud, are those subdomains on its trusted domain list?

blurb2m · February 19, 2021, 4:23pm

Nextcloud was just an example. I have tried my grocy, sonarr, radarr, tautulli docker containers. DNS only “OK”, proxied through cloudflare and crickets.
I run an untangle router/firewall and I was monitoring every incoming session for anything over 443. DNS entries are port forwarded just fine to my Traefik container over 443, but no entries/records when cloudflare proxy is used.

Tried reaching out to Verizon FiOS last night to see if they are blocking any CF IPs but they were rather useless. I am not sure if there is a way for me to check.

blurb2m · February 20, 2021, 8:05pm

It was definitely something with my certificates. I switched over to NginxProxyManager and utilized their DNS Challenge to hit cloudflare and that seems to have fixed it.