An appropriate certificate has been configured for the last few days.
Attached are:
- images of the certificate from cloudflare config screen
- images of the certificate as served by cloudflare to my browser when delivering the 522 error response
As far as I can tell this is configured correctly.
Please note we have been operating a server in the upowr.cloud domain called www.umbriel.upowr.cloud and we have been using advanced certificates exactly as described with that domain without issue.
The only thing that has changed recently is that we created a new domain called
wattlepowr.com.au
*.unicorn.wattlepowr.com.au
and pointed a new Cloudflare CNAME (www.unicorn.wattlepowr.com.au) to the existing, (mostly) unchanged, previously working origin server (www.umbriel.upowr.net).
The Cloudflare proxies in .upowr.cloud can still contact www.umbriel.upowr.net (via www.umbriel.upowr.cloud) and there is solid evidence of their presence in our networks when we attempt to use them (the AWS VPC logs show us this).
The exact same tests pointed at the exact same origin server with the new public name (www.unicorn.wattlepowr.com.au) fail with 522 errors and there is ZERO EVIDENCE that cloudflare sends even so much as a TCP SYN packet let alone a full TLS handshake.
Please let me know if there is some subtlety with Advanced Certificate Manager that I may have overlooked. Note that all our deployment processes are automated (with Terraform) so there is very little room for manual error in setting up the cloud records or certificate packs.