TLS error while using tunnel for ssh and other services

I’m trying to create a tunnel for using SSH. Followed this doc:
https://developers.cloudflare.com/cloudflare-one/tutorials/ssh

The cloudflared service at server seems to be running fine.
However, when I try to connect via ssh from a second machine, I get this error:

$ ssh myapp.example.com
2022-01-27T06:00:51Z ERR failed to connect to origin error="remote error: tls: handshake failure" originURL=https://myapp.example.com
remote error: tls: handshake failure
kex_exchange_identification: Connection closed by remote host

EDIT:
The domain used was like sub2.sub1.domain.com

1 Like

Did you miss this step?

https://developers.cloudflare.com/cloudflare-one/tutorials/ssh#connect-from-a-client-machine

@erictung
I already configured that on my client machine:

~/.ssh/config

Host myapp.example.com
  ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h

Did you see anything in your Cloudflare firewall events?

It all shows blank to me:

No, not this one.

https://dash.cloudflare.com/?to=/:account/:zone/firewall

A couple of tips:

2 Likes

@erictung
The firewall shows no activity

@nuno.diegues
SSL Mode: I’ve tried by changing it to Full and Flexible modes.
WebSockets: Already enabled
Super Bot Fight Mode: Not using that.

Figured it out.
I was using 2 levels of subdomain to test, like:
sub2.sub1.domain.com
and Cloudflare is failing on SSL for that. It’s working only for 1 level of subdomain like this:
sub1.domain.com

4 Likes
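The diagnosis in the post above (a two-level subdomain fails the TLS handshake while a one-level subdomain works) comes down to certificate name matching: a wildcard name such as `*.domain.com` matches exactly one DNS label, so `sub1.domain.com` is covered and `sub2.sub1.domain.com` is not. Cloudflare's Universal SSL certificate carries only the zone apex and that single-level wildcard, which is why the edge cannot complete the handshake for the deeper name. The following Python is an added example written for this thread, not code from the original post or from cloudflared. It implements the RFC 6125 wildcard rule, checks how many labels a hostname sits below the zone, and includes an optional live probe that reports the handshake error the way the tunnel log above shows it. The zone name `domain.com` and the hostnames are taken from the thread; the function names are my own.

```python
import socket
import ssl


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style name matching: a leading '*.' matches exactly one
    DNS label, never zero labels and never a dotted string."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]          # '*.domain.com' -> '.domain.com'
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    # The wildcard must be replaced by one non-empty label with no dots.
    return bool(leftmost) and "." not in leftmost and "*" not in leftmost


def subdomain_depth(hostname: str, zone: str):
    """Number of labels `hostname` sits below `zone` (0 for the apex),
    or None when the hostname is not inside the zone at all."""
    hostname = hostname.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    if hostname == zone:
        return 0
    if not hostname.endswith("." + zone):
        return None
    return hostname[: -len(zone) - 1].count(".") + 1


def covered_by_universal_ssl(hostname: str, zone: str) -> bool:
    """Universal SSL issues names for the apex and a one-level wildcard
    only; anything deeper needs a certificate that lists the deeper name."""
    return any(hostname_matches(p, hostname) for p in (zone, "*." + zone))


def explain(hostname: str, zone: str) -> str:
    """Human-readable verdict used when triaging a handshake failure."""
    depth = subdomain_depth(hostname, zone)
    if depth is None:
        return f"{hostname} is not in zone {zone}"
    if covered_by_universal_ssl(hostname, zone):
        return f"{hostname} is covered by {zone} / *.{zone} (depth {depth})"
    return (f"{hostname} is {depth} labels below {zone}; "
            f"*.{zone} does not match it, so expect a TLS handshake failure")


def probe_tls(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Optional live check (needs network): open a TLS connection with SNI
    set to `hostname` and report either the certificate's SAN list or the
    handshake error text. Not executed by the offline checks below."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return {"ok": True, "san": sans}
    except ssl.SSLError as e:
        return {"ok": False, "error": f"tls: {e}"}
    except OSError as e:
        return {"ok": False, "error": str(e)}


if __name__ == "__main__":
    # Hostnames from the thread, checked offline against the zone's wildcard.
    for name in ("sub1.domain.com", "sub2.sub1.domain.com", "domain.com"):
        print(explain(name, "domain.com"))
```

Running the file prints one verdict per hostname; the two-level name is the only one reported as uncovered. Before testing a tunnel hostname, running `explain()` on it tells you whether the name can work on the zone's default certificate at all, which is the check the thread's author had to discover by trial and error.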

Hi, I met the same problem for the same reason, and resolved it as above.
I think it should be documented (or fixed if it could). @nuno.diegues

@nuno.diegues
I would suggest adding this to the document clearly, as @kyontan said (or providing support for more levels of subdomains).
This might be an issue for a lot more people around.

1 Like

Was there anything in the cloudflared tunnel logs/output that made you understand that?

How did you figure it out?

Thank you for posting this! I was pulling my hair out! No way I would have figured this out in my current lifetime.

Could not find any logs. Had to go blind. Hit and try.

OMG. Thank you so much for this post. I was losing all my hair trying to figure out what was going on. Absolutely upvote the suggestion to add this to the documents or multilevel support.