TLS error while using tunnel for ssh and other services

shivamb · January 27, 2022, 7:58am

I’m trying to create a tunnel for using SSH. Followed this doc:
https://developers.cloudflare.com/cloudflare-one/tutorials/ssh

The cloudflared service at server seems to be running fine.
However when I am trying to connect ssh from a second machine. I’m getting this error:

$ ssh myapp.example.com
2022-01-27T06:00:51Z ERR failed to connect to origin error="remote error: tls: handshake failure" originURL=https://myapp.example.com
remote error: tls: handshake failure
kex_exchange_identification: Connection closed by remote host

EDIT:
The domain used was like sub2.sub1.domain.com

erictung · January 27, 2022, 8:06am

Did you miss this step?

https://developers.cloudflare.com/cloudflare-one/tutorials/ssh#connect-from-a-client-machine

shivamb · January 27, 2022, 8:20am

@erictung
I already configured that on my client machine:

~/.ssh/config

Host myapp.example.com
  ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h

erictung · January 27, 2022, 8:22am

Did you see anything in your Cloudflare firewall events?

shivamb · January 27, 2022, 8:28am

It all shows blank to me:

erictung · January 27, 2022, 8:30am

No, not this one.

https://dash.cloudflare.com/?to=/:account/:zone/firewall

nuno.diegues · January 27, 2022, 8:57am

A couple tips:

check your zone’s SSL config: https://developers.cloudflare.com/cloudflare-one/faq/cloudflare-tunnels-faq/#check-ssltls-encryption-mode
check your zone’s websocket config (the cloudflared access ssh command is wrapping the TCP traffic into websocket to funnel it via the CDN-L7 stack of Cloudflare): https://developers.cloudflare.com/cloudflare-one/faq/teams-troubleshooting/#cloudflared-access-shows-an-error-websocket-bad-handshake

shivamb · January 27, 2022, 3:44pm

@erictung
The firewall shows no activity

shivamb · January 27, 2022, 4:15pm

@nuno.diegues
SSL Mode: I’ve tried by changing it to Full and Flexible modes.
WebSockets: Already enabled
Super Bot Fight Mode: Not using that.

shivamb · January 28, 2022, 2:56pm

Figured it out.
I was using 2 level of subdomain to test like:
sub2.sub1.domain.com
and Cloudflare is failing on SSL for that. It’s working only for 1 level of subdomain like this:
sub1.domain.com

kyontan · February 5, 2022, 6:59pm

Hi, I met same problem for same reason, and resolved above.
I think it should be documented (or fixed if it could). @nuno.diegues

shivamb · February 6, 2022, 5:52am

@nuno.diegues
I would suggest to add this to document clearly as @kyontan said (Or provide support for more level subdomains).
This might be an issue for a lot more people around.

nuno.diegues · February 7, 2022, 8:36am

Was there anything in the cloudflared tunnel logs/output that made you understand that?

How did you figure it out?

danorton · April 27, 2022, 1:22am

Thank you for posting this! I was pulling my hair out! No way I would have figured this out in my current lifetime.

shivamb · April 27, 2022, 4:54am

Could not find any logs. Had to go blind. Hit and try.

fabricio1 · May 20, 2022, 2:29pm

OMG. Thank you so much for this post. I was losing all my hair trying to figure out what was going on. Absolutely upvote the suggestion to add this to the documents or multilevel support.