Setting up SSL and Proxied DNS for my subdomain on cloudflare for free

Answer these questions to help the Community help you with Security questions.

What is the domain name?
raspberrypi.amirulandalib.eu.org

Have you searched for an answer?
Yes, but I couldn’t find any accurate/precise answer.

When you tested your domain, what were the results?

This site can’t provide a secure connection
raspberrypi.amirulandalib.eu.org uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.

Describe the issue you are having:

What error message or number are you receiving?

What steps have you taken to resolve the issue?
It works fine with DNS proxying switched off, and works with HTTPS as well. But when I turn on the proxied DNS switch, my website goes dark.

Was the site working with SSL prior to adding it to Cloudflare?
No, the main reason for turning on proxied DNS is to hide my main IP from being leaked, so when I enable proxied on DNS, it shows me the following error.

Have you tried from another browser and/or incognito mode?
Yes, I did; it’s the same, and clearing the cache didn’t help.

raspberrypi.amirulandalib.eu.org should be covered by your Universal Certificate. According to crt.sh | amirulandalib.eu.org about 6-7 hours ago you got issued a certificate that looks like your Universal, and it looks like it was renewed far after when the last Universal-looking cert would have expired, do you still see this warning & issue with that proxied domain?

If so, in your Cloudflare Dashboard, inside of your domain, under SSL/TLS → Edge Certificates (Magic Link: https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates), at the top under Edge Certificates, what’s the status of your Universal Certificate?

Thank you, I got the SSL and it works perfectly with origin certificates, but after switching to proxied DNS this time, I can’t access other ports, say Plex or AdGuard Home at port 3000, 32400 etc. It doesn’t load at all. Previously it used to redirect to HTTP and load the page just fine.

Cloudflare only supports specific ports: Network ports · Cloudflare Fundamentals docs
You can sort of work around this with Origin Rules and separate subdomains, i.e. if you have adguard.example.com, you can create an origin rule “Hostname equals adguard.example.com”, destination port overwrite to port 32400, and you would access it normally on port 443 (https://adguard.example.com).

You could essentially achieve the same with Cloudflare Tunnels as well, which run a daemon/service on your local machine that connects back to Cloudflare. This gets rid of the need for you to port forward/open firewall ports, no need to use dynamic DNS, etc. Might be worth looking into; I use it for everything private I self-host at home personally: Via the dashboard · Cloudflare Zero Trust docs

1 Like

So can I use it for free? I will use two redirects. One for Plex port 32400 and one for AdGuard Home, but it’s port 53 UDP and not a WebUI, sort of a DNS proxy or whatsoever. The domain would be like adguardhome.raspberrypi.amirulandalib.eu.org and plex.amirulandalib.eu.org. Thanks.

It’s not going to work for non-HTTP protocols; nothing will with Cloudflare’s normal proxy. You would have to use something like Spectrum (and you’d need Enterprise for Arbitrary UDP for DNS), or WARP Private Networking for UDP (each client would have to install and run it; not sure that would really work for DNS since you’d need something to “bootstrap” you to resolve all of the WARP stuff first).
Plex is kind of a gray case too because of the TOS (Goodbye, section 2.8 and hello to Cloudflare’s new terms of service); although realistically you would “probably” be fine for small home/single user use, it’s not recommended. I would leave both unproxied, and adguardhome.raspberrypi.amirulandalib.eu.org is too deep to be covered by the default Universal Certificate anyway. It issues a single wildcard certificate, and those only work on first-level subdomains like raspberrypi.amirulandalib.eu.org.

2 Likes
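To make the two constraints in the reply above concrete (the proxy only carries HTTP on a fixed set of ports, and a single wildcard certificate covers exactly one label), here is a small added checker. It is example code written for this thread, not anything from Cloudflare; the port lists are taken from Cloudflare’s network-ports documentation, and the wildcard rule is the one-label match from RFC 6125.

```python
# Added example: pre-flight check for a DNS record you intend to proxy.
# Port lists as published in Cloudflare's "Network ports" docs (assumed current).
CF_HTTP_PORTS = {80, 8080, 8880, 2052, 2082, 2086, 2095}
CF_HTTPS_PORTS = {443, 2053, 2083, 2087, 2096, 8443}


def wildcard_covers(cert_name: str, hostname: str) -> bool:
    """True if a certificate name (e.g. '*.example.org') covers hostname.

    A wildcard matches exactly one DNS label (RFC 6125), so '*.example.org'
    covers 'a.example.org' but not 'b.a.example.org' or 'example.org'.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]                      # ".example.org"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]      # what the '*' must match
    return bool(first_label) and "." not in first_label


def universal_cert_covers(zone: str, hostname: str) -> bool:
    """Universal SSL issues the zone apex plus a single wildcard for it."""
    return wildcard_covers(zone, hostname) or wildcard_covers("*." + zone, hostname)


def proxy_check(zone: str, hostname: str, port: int, protocol: str = "tcp") -> list:
    """Return the reasons a proxied (orange-cloud) record would fail.

    An empty list means the record should work behind the proxy as-is.
    Possible reasons: 'non-http-protocol', 'unsupported-port',
    'not-covered-by-universal-cert'.
    """
    reasons = []
    if protocol.lower() != "tcp":               # e.g. DNS over UDP/53
        reasons.append("non-http-protocol")
    if port not in CF_HTTP_PORTS | CF_HTTPS_PORTS:
        reasons.append("unsupported-port")      # fixable with an Origin Rule port override
    if not universal_cert_covers(zone, hostname):
        reasons.append("not-covered-by-universal-cert")
    return reasons


if __name__ == "__main__":
    zone = "amirulandalib.eu.org"  # hostnames from the thread
    for host, port, proto in [("raspberrypi." + zone, 443, "tcp"),
                              ("plex." + zone, 32400, "tcp"),
                              ("adguardhome.raspberrypi." + zone, 53, "udp")]:
        print(f"{host}:{port}/{proto} -> {proxy_check(zone, host, port, proto) or 'ok'}")
```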

The remaining choice we have is Cloudflare Tunnels?

Sorry if I was unclear. Tunnels wouldn’t solve either of those issues; they still just use the normal proxy/CDN, which doesn’t support anything but HTTP, and are subject to the CDN terms.
I would just use two separate subdomains for AdGuard DNS and Plex and keep them unproxied, like you have now I believe, and you can proxy/protect everything else.

2 Likes

Leaving it unproxied will expose the host IP on record, right?

1 Like