Proxy disabled cause ssl issue

Hi! When I turn the proxy on for the DNS CNAME, port 22 becomes disabled. When I turn the proxy off, the SSL cert does not work. And one more question: how do I change the Let’s Encrypt 3-month cert to 1 year?

Cloudflare only proxies http(s) connections, not ssh (port 22).

If you want to use port 22, you should use a subdomain for that with proxy off.

You don’t.

When the proxy is off, the SSL did not work on the website. Please recommend a solution.

I explained the solution in my previous post. Create a subdomain for SSH and turn proxy off for that.

You need to fix this. In order to secure communication between your server and Cloudflare, you need a valid certificate. It does not need to be a Let’s Encrypt certificate. You can use a commercial certificate or a free Cloudflare Origin CA certificate. Since the Cloudflare Origin certificate is only trusted by the Cloudflare proxy and not by browsers, you can only use it with a proxied hostname.


Can Cloudflare Spectrum resolve the proxy-off and SSL cert problem? Recommend me which plan can resolve having SSH port 22 on and the SSL cert working without the proxy on.

You don’t need Spectrum to fix the invalid certificate on your origin host. In fact, Spectrum cannot fix that. I would fix the issue with the automated Let’s Encrypt renewal. Switching to a Cloudflare Origin CA certificate is also a good option if you will have the proxy enabled on that hostname.

You can always ssh directly to the server IP or use an unproxied hostname in the same domain, or a different domain altogether. If you are using shared hosting, the server probably already has a hostname in another domain.

I am already using an origin SSL cert, but SSL works with the proxy on. When the proxy is on, SSH port 22 stops working.

You can make a new hostname in your Cloudflare DNS that points to the same IP. As long as you leave that new hostname set to :grey: DNS Only you can use it as your ssh destination.

I added an IP address, but 2 subdomains can’t register with the same name. I added 1 as a CNAME and the other as an A record.

You cannot use a CNAME where any other types of record exist (excepting DNSSEC). You also need to create a new name for your :grey: use with ssh.

If your domain is and you have that and www set to :orange:, you could add a new name of ssh (or anything that you want as long as it doesn’t already exist). Make sure that it is an A record using the same IP as your server and set it to :grey: .

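An added example, not part of the original thread and not Cloudflare code: a small offline check of a planned record set against the rules given in the replies above (a CNAME cannot share a name with other records, the SSH hostname must be DNS only, and a Cloudflare Origin CA certificate only works on a proxied hostname). The record layout, the function name `lint_zone` and the hostnames are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample zone (hypothetical names; 203.0.113.10 is a documentation IP).
RECORDS = [
    {"name": "example.com", "type": "A", "content": "203.0.113.10", "proxied": True},
    {"name": "www.example.com", "type": "CNAME", "content": "example.com", "proxied": True},
    {"name": "ssh.example.com", "type": "A", "content": "203.0.113.10", "proxied": False},
]


def _norm(name):
    """Compare hostnames case-insensitively and without a trailing dot."""
    return name.lower().rstrip(".")


def lint_zone(records, ssh_hosts=(), origin_ca_hosts=()):
    """Return findings for the proxy/SSH/certificate rules discussed in the thread."""
    findings = []
    by_name = defaultdict(list)
    for rec in records:
        by_name[_norm(rec["name"])].append(rec)

    # Rule 1: a CNAME cannot exist at a name that has any other record.
    for name, rrs in sorted(by_name.items()):
        if len(rrs) > 1 and any(r["type"].upper() == "CNAME" for r in rrs):
            findings.append(f"{name}: CNAME coexists with {len(rrs) - 1} other record(s)")

    # Rule 2: the proxy only carries HTTP(S), so SSH needs a DNS-only name.
    for host in ssh_hosts:
        rrs = by_name.get(_norm(host), [])
        if not rrs:
            findings.append(f"{host}: SSH hostname has no DNS record")
        elif any(r["proxied"] for r in rrs):
            findings.append(f"{host}: proxied, port 22 will not reach the origin")

    # Rule 3: browsers do not trust an Origin CA cert, so the name must be proxied.
    for host in origin_ca_hosts:
        rrs = by_name.get(_norm(host), [])
        if rrs and not all(r["proxied"] for r in rrs):
            findings.append(f"{host}: Origin CA cert on a DNS-only name, browsers will reject it")
    return findings


if __name__ == "__main__":
    for line in lint_zone(RECORDS, ["ssh.example.com"], ["example.com", "www.example.com"]):
        print(line)
```
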

Hi there, I appreciate your time and efforts in helping me resolve this; however, my colleague and I are trying to set up an environment using Cloudflare. We added a CNAME record (e.g. “testsftp”) for a subdomain. Then we added an A record (e.g. “testsftp1”) for the IP; however, we don’t want to use “testsftp1” for SSH. We would like to use the main name and be able to access it through the browser and SSH. Is there any workaround, or can I purchase something that would assist in resolving this?

A bit more background: I only have proxied on so the SSL would work in the browser. The SSL I am using is origin Cloudflare (Let’s Encrypt)… if changing those can resolve the issue then that would be great too.

I’m not sure how you managed that since Cloudflare won’t let you have a CNAME where the same name is in use and shouldn’t let you add an A record where a CNAME already exists.

I don’t understand the objection to using a different hostname for ssh, but you might want to if Cloudflare Zero Trust can meet your need.

Which one are you using? Cloudflare Origin CA certificates and Let’s Encrypt certificates are two completely different things.

I generated an Origin Cert, and this is what it shows in the browser.

How do I set up SSL for auto renewal? I don’t see any options.

That is a Let’s Encrypt CA certificate and not a Cloudflare Origin CA certificate. It is perfectly fine, and while it technically is an origin certificate, since it is a certificate on your origin server, it is not a Cloudflare Origin CA certificate.

You don’t need to set anything up on the Cloudflare side. Certificates for proxied hostnames are renewed automatically by Cloudflare. Automatically renewing the Let’s Encrypt certificate on your server depends on how you created it and is out of scope for discussion here. Let’s Encrypt have their own Community that can help answer your questions about using their automated certificate authority.
