ERR failed to connect to origin error="remote error: tls: handshake failure" originURL=

I am experiencing a problem with Cloudflare Access (client machine) while attempting to connect through RDP. I am running my console as an admin - I have tried both cmd and ps7.

On my client machine (the machine from which I want to connect):

  • I create the websocket listener with: cloudflared access rdp --hostname --url rdp://localhost:4489
  • It responds with: INF Start Websocket listener host=localhost:4489
  • I attempt to connect with Microsoft’s Remote Desktop Connection: localhost:4489

I never see a web login that others speak of. Instead, I see this error message in the console:

 ERR failed to connect to origin error="remote error: tls: handshake failure" originURL=


  1. I can ping from the client and the server, and it returns the same IPv6 address.
  2. The tunnel status is Healthy.
  3. Nothing appears when streaming the live logs under the tunnels > tunnel name > connector ID > connector diagnostics.
  4. The client (laptop) is connected via my phone’s hotspot.
  5. When I connect the client (laptop) to my home network, I can RDP fine to the server (using the actual IP).
  6. I purchased this domain an hour ago as I struggled the entire day with the error: ERR failed to connect to origin error="dial tcp: lookup no such host" originURL= I discovered that, even though my domain was in my Cloudflare portal, I no longer owned it.
  7. I can resolve the A and CNAME records of on both my client and the RDP server.
  8. If I browse with Firefox to, I get this error message: Secure Connection Failed: An error occurred during a connection to Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
  9. My domain is a full setup (Cloudflare nameservers)

Thank you for your help in advance,

EDIT1: I believe I am currently awaiting the addition of Edge certificates. I presume that within 24 hours, I should see the active certificates, not just the backup ones.

However, should I not see “Pending” for the non-backup certificates? I have set all my proxied dns records to unproxied because of this tip in this article: Keep DNS records unproxied until your certificate is active.

EDIT2: I followed the first two steps and the certificate appeared and became active within a few minutes

To resolve timeout issues, try one or more of the following options:

  • Change the Proxy status of related DNS records to DNS only (gray-clouded) and wait at least a minute. Then, change the Proxy status back to Proxied (orange-clouded).
  • Disable Universal SSL and wait at least a minute. Then, re-enable Universal SSL.
  • Send a PATCH request to the validation endpoint using the same DCV method (API only).
  • Follow the APEX validation method.

EDIT3: Problem solved, effectively from EDIT2 and #6 above.