Understanding CloudFlare DNS with MOSS.sh

Here is a previous issue that was solved in the Community:

I configured my 2nd server with an additional domain in the same manner, but DNS fails to flow. So what am I doing wrong here?

Please review my detailed configurations and MOSS.sh’s support response.

== My CloudFlare DNS Configurations and Validation ==

I created 2 new sites (swiftdigitalmarketinggroup.com & dev.swiftdigitalmarketinggroup.com) on MOSS.

I made sure the DNS Name Servers were changed at Registrar to point to the CloudFlare Name Servers and have confirmed DNS has propagated and the CloudFlare IP is appearing: 104.28.18.79

I only have 3 DNS Records entered at CloudFlare pointing to my Server IP Address: 104.225.218.61

A swiftdigitalmarketinggroup.com 104.225.218.61

cname www swiftdigitalmarketinggroup.com

cname dev swiftdigitalmarketinggroup.com

I installed WP (using MOSS’s install) and enabled Let’s Encrypt for HTTPS traffic.

At CloudFlare I ensured SSL was enabled and set to Full (strict) as instructed by a CloudFlare Community member in the link at the top of this post. Again, setting my first domain (swiftpointcloud.com) to Full (strict) cleared the problem…but not this time. Why?

From my Windows PC I flushed my DNS cache and can successfully NSLookup swiftdigitalmarketinggroup.com, confirming it resolves to the CloudFlare public IP: 104.28.18.79

I have confirmed DNS propagated, but I can’t browse http://swiftdigitalmarketinggroup.com without getting the error below or attached.

When I browse or http://swiftdigitalmarketinggroup.com I get the following error:

This site can’t be reached

swiftdigitalmarketinggroup.com’s server IP address could not be found.

ERR_NAME_NOT_RESOLVED

== MOSS.sh Support Response ==

Not all possible combinations of Moss/Cloudflare configs make sense. You can choose any of these combinations:

  1. Cloudflare Crypto: Off (not recommended) => choose None as the certificate in Moss

  2. Cloudflare Crypto: Flexible => choose None as the certificate in Moss

  3. Cloudflare Crypto: Full => provide Moss with a certificate for the site (it doesn’t need to be valid cert though, a self-signed one will work)

  4. Cloudflare Crypto: Full (strict) => provide Moss with a certificate for the site (it must be a valid cert, e.g. one you purchased for your domain or a Cloudflare’s Origin Certificate)

You could tell Moss to use Let’s Encrypt in cases 3-4, but then you must also take care to disable HTTP to HTTPS redirections in Cloudflare. Otherwise, Let’s Encrypt renewals won’t work. In general this setup is harder to troubleshoot, so I don’t encourage you to follow this path unless you know well how Cloudflare and Let’s Encrypt work and play together.

This is where (one of) the issues seems to be. There is no proper certificate configured but only a self-signed one. However, overall, your server does not seem to function very well at this point.

I would suggest you pause Cloudflare for the moment (bottom right on the Overview screen) and make sure your server properly works. Once that works you unpause Cloudflare.
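As an added illustration (not from the thread, Moss or Cloudflare), the Python probe below handshakes directly with the origin IP, bypassing Cloudflare, using SNI for the site name and full certificate verification, then maps the outcome onto the four Crypto combinations listed above. The IP and hostname from the thread are used only as example arguments.

```python
"""Which Cloudflare SSL mode can the origin's current certificate support?"""
import socket
import ssl

# Cloudflare Crypto modes per the support reply, keyed by what the origin presents.
MODES_BY_ORIGIN = {
    "no-tls":    ["Off", "Flexible"],                            # cases 1-2
    "untrusted": ["Off", "Flexible", "Full"],                    # case 3 (self-signed ok)
    "trusted":   ["Off", "Flexible", "Full", "Full (strict)"],   # case 4 (valid cert)
}


def classify_origin(exc):
    """Map a verified-handshake outcome to what the origin presents.
    exc is None when the handshake succeeded, else the exception it raised."""
    if exc is None:
        return "trusted"
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "untrusted"   # TLS answered, but the cert is not trusted for this name
    if isinstance(exc, OSError):
        return "no-tls"      # refused, timed out, or no TLS speaker on the port
    raise exc


def probe_origin(origin_ip, hostname, port=443, timeout=5.0):
    """Connect to the origin IP directly (not through Cloudflare) and verify its
    certificate against the system trust store, as Full (strict) would."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname):
                return None
    except OSError as exc:   # ssl.SSLError is an OSError subclass
        return exc


def compatible_modes(origin_ip, hostname):
    state = classify_origin(probe_origin(origin_ip, hostname))
    return state, MODES_BY_ORIGIN[state]


def demo_classifications():
    """Constructed handshake outcomes (no network) and how each classifies."""
    return [classify_origin(None),
            classify_origin(ssl.SSLCertVerificationError("self signed certificate")),
            classify_origin(ConnectionRefusedError())]


if __name__ == "__main__":
    # Example arguments taken from the thread; needs network access to be meaningful.
    state, modes = compatible_modes("104.225.218.61", "swiftdigitalmarketinggroup.com")
    print(f"origin presents: {state}; safe Cloudflare modes: {', '.join(modes)}")
```

If the probe reports "untrusted" while Cloudflare is set to Full (strict), the edge will refuse to talk to the origin, which matches the symptom described in this thread.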

I completed the recommended “pause” which I assume you mean like this?

However, still getting SSL Error

This is too vague: "However, overall, your server does not seem to function very well at this point."

What exactly are you seeing that shows my site is not being properly served by the server?

If I disable CF as recommended, should I not see an HTTP version of the site?

If the server was not working properly, should I not see 400x or 500x Errors?

Also I have Attack Mode enabled and I am not seeing:

Under Attack Mode is active

Under Attack mode is used when a website is under a DDoS attack. All visitors will be shown an interstitial page for five seconds.

No, this is “development mode”, I was referring to pausing. Please re-read my sentence.

Also, of course you will still get an SSL error until you fix the certificate issue on your server.

Again, too vague…where do I “Pause CloudFlare”? The only two settings that I see are:

Under Attack
Development Mode

I now see that Development Mode was switched off.

Sorry, but I am missing where in the Overview screen I can “Pause” CloudFlare.

Post a full page screenshot if you still can’t find it.

BTW…I think the issue is similar to what I see here:

https://laracasts.com/discuss/channels/forge/unable-to-obtain-letsencrypt-ssl-cert-some-challenges-have-failed?page=1

I need to ensure the CF SSL settings are set to “Flexible” until CloudFlare browses the server and obtains the LetsEncrypt cert, and then enable “Full (strict)”.

As I have mentioned before, I was advised by Community Support to use “Full (strict)” for my other domain, which is riding on the same host and configured using MOSS.sh, which is managing the site stack Nginx+Apache and LetsEncrypt.

I am tearing down the server now and rebuilding now, but I still need to understand how to “Pause” as you requested for troubleshooting in the future.

It is right there on your very screenshot -> bottom right.

As for your server SSL, all you need to do is configure a proper certificate. If you struggle with Lets Encrypt you might also want to consider a Cloudflare Origin certificate.

Sorry…I guess I was expecting a “switch” similar to the Under Attack & Development mode, not a tiny link all the way at the bottom.

It might have helped if you would have directed me to:

Scroll all the way down and under Advanced Actions click the link “Pause Cloudflare on Site”

As for “struggling” with LetsEncrypt…MOSS makes it brute simple.
A simple click: https://drive.google.com/file/d/1iOaUyKz-pDwSrWyJMnX2F_1YLFJOFZqW/view?usp=sharing

Again, what probably happened is the SSL settings in CF were too high by default to allow the server to communicate so CF could obtain the cert.

So I just rebuilt the server in MOSS ensuring Let’s Encrypt was not enabled and will set CF SSL to Flexible, which should allow me to browse HTTP traffic to confirm the site is reachable from CF.

So… here’s how I solved this issue, hopefully I can save others using CF & MOSS.sh a $hit ton of chase time.

  1. Created a new site on MOSS.sh for the domain having SSL resolution issues

  2. Installed WP using MOSS.sh

  3. Did not enable LetsEncrypt

  4. Installed server stack: Nginx+Apache

  5. Set CF SSL setting to Flexible and waited 10 mins, allowing plenty of time for changes to take effect

  6. Confirmed HTTP is browsable for the site

  7. Went to Site > Domain > clicked “Lock” icon

  8. Enabled LetsEncrypt and let MOSS.sh update the certificate

  9. HTTPS was NOT browsable for the site

  10. Set CF SSL setting to Full and waited 10 mins, allowing plenty of time for changes to take effect. This is the expected CF SSL setting as LetsEncrypt is a Self-Signed Certificate per the CF SSL/TLS screen: Full Encrypts end-to-end, using a self signed certificate on the server

  11. HTTPS is NOW browsable for the site

== Lessons Learned ==

  1. In CloudFlare, ensure your SSL is set to Flexible once you change the Authoritative DNS and set your A record in CloudFlare.

  2. Set up your site on MOSS.sh, ensuring you Do Not Enable LetsEncrypt as part of your setup.

  3. Give CloudFlare 5-10 mins before you attempt to browse your site using HTTP to confirm the server is serving up your site.

  4. Now, go back to CloudFlare and change your SSL/TLS settings from Flexible to Full and wait 5-10 minutes for changes to take effect.

  5. While waiting for the SSL changes, go to MOSS.sh and Enable LetsEncrypt for your server.

  6. Once 5-10 mins have passed, browse to your site using HTTPS and you should see it serving your site as HTTPS.

An Origin certificate might still be the easier path :slight_smile: