Help me understand why the domain is not pointing to the A record setup

I’ve set up a VM on Google Cloud Platform with access via https and a static IP address ( I added an A record in the DNS zone that points to that machine, where I have a Ghost server active and the relative port open. My NS are correctly set up, but when I ping the domain I get a different IP from the one it should point to. Apparently, this is a Cloudflare IP (

This prevents me from installing an SSL certificate on the VM, and additionally I can’t reach the website either via http or via https.

Can anyone help me understand why the domain is not pointing to the A record?
(or if it’s not an issue related to Cloudflare?)


That’s due to the fact you’ve turned on the proxying via Cloudflare :smiley:.

This means you can use Cloudflare’s SSL services for free as well as have the CDN caching layer applied to your domain.

This is also why you can’t ping your server’s address via that DNS entry. To go direct to the server and bypass Cloudflare simply flick off the toggle.
(but I’d recommend you set your new blog up with Cloudflare in front of it)

Considering you still need an SSL certificate on your server it’s not much of a service, though :slight_smile:


I mean they could deploy an SSL Cert (CF or 3rd party) but flexible would encrypt it without an SSL on the server end :slight_smile:

100% recommend putting an origin on the server end.

Somewhat an oxymoron :slight_smile:

But seriously, yeah, you do need a certificate on the server as well. The F word is not much liked 'round here :smile:


I agree :stuck_out_tongue:.

I removed the proxy tick but I still can’t reach the server.

Additionally, I set the SSL to Full and reverted the proxy tick to yes, as I want it to be. Still, impossible to reach the domain and now I get an SSL error not specified :frowning:


Should be Full Strict, otherwise you have a security issue.

I thought Full Strict was for when using a Cloudflare certificate, and that Let’s Encrypt requires Full since it’s not a CA (or something similar).

I set it to Full Strict, no more SSL error, still can’t reach the website: web server is down, error 521. But the server is up and running at port 2368.

Not at all. Both, a public CA and an Origin certificate, are perfectly fine for Full Strict.

That won’t work at all. You’ll need one of the supported ports or use a paid tool (e.g. a Worker or PortZilla) to change port.