Hello. I have what I believe is a potentially-serious bug report for Cloudflare. I cannot submit it to the normal support channels because I am on the free tier. I attempted to write it up and post it here. But I get repeatedly “An error occurred: Sorry, new users can only put 4 links in a post”. (It said this although the post contained only 3 links and an image, and it continued showing the “4 links” error even when I reduced to 2 links and no image.) Since I do not understand why my post is being barred, here is the post as a GitHub gist:
This document claims under “Edge Certificates” there is a setting “Always Use HTTPS” which can be toggled. But I do not find this setting on the Edge Certificates page.
You should see it once you change your SSL/TLS mode to anything other than OFF.
If whoever is looking at this needs me to “leave it broken” until it can be investigated, they should please say something before like Tuesday or there’s a risk I might start changing my configuration for other reasons.
Have you enabled HTTP/3 on the Network tab of the dashboard? I believe enabling H3 is the trigger to add the SVCB records that are causing your problem.
I tried turning off HTTP/3 about 24 hours ago as michael suggested. If I am reading https://www.nslookup.io/domains/dryad.technology/dns-records/https/ correctly the DNS records are on a 5 minute timeout, but even after 24 hours they are still serving the “HTTPS” record which causes Chrome to force an upgrade to https. The Chrome failure is still present. So it looks like HTTP-RR/SVCB persists after HTTP3 is disabled (even though as far as I know you’re right, it is HTTP3 that HTTP-RR is meant to enable).
Is there a specific use case you would be willing to share, either here or in the ticket, where using HTTP is required? If not that is no problem.
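For checking what a zone's HTTPS record (DNS type 65) actually advertises, as discussed in the posts above, here is an added example that is not part of the original thread: a Python decoder for the record's RDATA in the RFC 9460 wire format. The sample bytes are constructed for illustration, and the function names are this example's own.

```python
import ipaddress
import struct

# SvcParamKeys registered by RFC 9460
PARAM_NAMES = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
               4: "ipv4hint", 5: "ech", 6: "ipv6hint"}
# Constructed sample RDATA: priority 1, target ".", alpn=h3,h2, ipv4hint=192.0.2.1
SAMPLE = bytes.fromhex("0001" "00" "0001" "0006" "026833026832"
                       "0004" "0004" "c0000201")

def parse_name(buf, pos):
    """Read an uncompressed DNS name; return (dotted name, next offset)."""
    labels = []
    while True:
        if pos >= len(buf):
            raise ValueError("truncated TargetName")
        n = buf[pos]
        pos += 1
        if n == 0:
            return (".".join(labels) or "."), pos
        if n > 63:
            raise ValueError("compressed or invalid label in TargetName")
        labels.append(buf[pos:pos + n].decode("ascii"))
        pos += n

def parse_https_rdata(rdata):
    """Decode HTTPS/SVCB RDATA: SvcPriority, TargetName, then SvcParams."""
    if len(rdata) < 3:
        raise ValueError("RDATA too short")
    (priority,) = struct.unpack_from("!H", rdata, 0)
    target, pos = parse_name(rdata, 2)
    params = {}
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError("truncated SvcParam header")
        key, length = struct.unpack_from("!HH", rdata, pos)
        value = rdata[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError("truncated SvcParam value")
        pos += 4 + length
        name = PARAM_NAMES.get(key, f"key{key}")
        if key == 1:  # alpn: a run of length-prefixed protocol ids
            ids, i = [], 0
            while i < len(value):
                ids.append(value[i + 1:i + 1 + value[i]].decode("ascii"))
                i += 1 + value[i]
            params[name] = ids
        elif key in (4, 6):  # address hints: packed 4- or 16-byte addresses
            size = 4 if key == 4 else 16
            params[name] = [str(ipaddress.ip_address(value[j:j + size]))
                            for j in range(0, length, size)]
        else:
            params[name] = value
    return {"priority": priority, "target": target, "params": params}
```

A priority of 0 means AliasMode; any other value is ServiceMode, where the `alpn` list shows whether `h3` is still being offered.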
At the time I set this site up (7 years ago) there was a problem at the Amazon S3 side which blocked me from using HTTPS. I believe that is no longer a problem and I want to move to HTTPS. However before I did so I wanted to report what I perceive as a problem at your end (when a site is set intentionally to HTTP-only mode, Cloudflare is setting DNS records that would make an HTTP-only site inaccessible from current Chrome). If this is a WONTFIX then I don’t need any other help. But I recommend it should be fixed at your end (at least in the form of a warning in the https overview pane).
If you don’t want to support HTTP anymore that’s fine, probably it’s even a good decision. But your interface offers an HTTP-only feature and right now, with default settings, that feature doesn’t work (in Chrome).
This looks like a permanent step, and as described above I soon plan to migrate to HTTPS, so I will refrain from trying this. If this is the way to make Cloudflare DNS stop advertising the “HTTPS” record, then I guess this answers my question, but maybe it should be clearer in your documentation that this step (“disable universal ssl”) is now mandatory rather than optional for SSL/TLS Off setting. I did previously think it was a nice feature there was a signed https site redirecting to the http site though.
I have relayed the above on ticket #2786037 as well. Thanks again.