Cloudflare Zero Trust tunnel and Let's Encrypt

My domain is: server.sokserver.eu

Hello please help me

I have a Nextcloud running on my local server running Ubuntu 24.04. I can access the Nextcloud through the domain server.sokserver.eu.

I set up a Zero Trust tunnel and installed cloudflared on Ubuntu 24.04. Everything worked fine until I installed Let's Encrypt.

Now I cannot access Nextcloud from the domain server.sokserver.eu on other computers.

I used this command in the terminal to acquire the certificate:
sudo certbot --apache

Now I cannot access Nextcloud through the domain server.sokserver.eu.

What is the problem? Does your browser warn of excessive redirects?

Because your system is configured to cause a redirect loop. Notice:

curl -i https://server.sokserver.eu/
HTTP/2 301
date: Sun, 14 Sep 2025 17:33:00 GMT
content-type: text/html; charset=iso-8859-1
location: https://server.sokserver.eu/
server: cloudflare

Notice the "location" is the same as the URL requested, which will never complete.

I am not an expert with the Cloudflare tunnel, but it looks like you have your domain proxied with them. It might be related to your Encryption Mode setting. What is it?

Frankly, this seems perhaps a better question to sort out at the Cloudflare community. You already have your Let's Encrypt cert, so it's a matter of configuring Cloudflare (and perhaps Apache) to use it properly.

3 Likes

Didn't Cloudflare handle that for you?

Did you tunnel HTTP (layer 7), or did you tunnel ports 80/443 as plain TCP ports on layer 4?

This is a classic "Flexible SSL" setting issue. Go to https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/configuration and change the setting to "Full" or "Full (Strict)".

The Cloudflare tunnel is pointing at HTTP port 80 on the Apache server, but Apache has been configured by Certbot to redirect to HTTPS. The issue is that the tunnel is proxying HTTPS on the edge back to HTTP on the origin, therefore an infinite loop. The solution is to reconfigure the tunnel to point at HTTPS port 443 (optionally setting "No TLS Verify" if there is no valid cert on the server, but that is not needed here since a valid Let's Encrypt cert exists).

2 Likes
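As an added illustration of the fix described in the reply above (not a configuration from the original thread), here is a cloudflared config.yml with the looping ingress rule beside the corrected one; the tunnel UUID and credentials path are placeholders, and the hostname is the one from the thread:

```yaml
# cloudflared config.yml, constructed example (not from the thread)
tunnel: <TUNNEL-UUID>                                   # placeholder
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json   # placeholder

ingress:
  # BROKEN: the edge terminates HTTPS and forwards to Apache over plain HTTP.
  # Certbot's :80 vhost answers "301 -> https://server.sokserver.eu/", the
  # edge proxies the retry back to HTTP again, and the browser loops forever.
  # - hostname: server.sokserver.eu
  #   service: http://localhost:80

  # FIXED: hand the request to the HTTPS vhost that holds the Let's Encrypt
  # cert, so Apache sees a TLS connection and does not issue the redirect.
  - hostname: server.sokserver.eu
    service: https://localhost:443
    originRequest:
      # Apache's cert is issued for server.sokserver.eu, not "localhost", so
      # tell cloudflared which name to send as SNI and verify the cert against.
      originServerName: server.sokserver.eu
      # Only needed when the origin has no publicly trusted cert; the thread
      # says a valid Let's Encrypt cert exists, so keep verification on.
      # noTLSVerify: true

  # cloudflared requires a final catch-all rule.
  - service: http_status:404
```

After changing the file, restart the cloudflared service and repeat the `curl -i https://server.sokserver.eu/` check from above: a healthy origin returns the Nextcloud page (or a single redirect to its login path) rather than a `location:` header equal to the requested URL.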

That I noticed.

But if you tunnel HTTP, you have no reason to get a certificate; Cloudflare will. If you tunnel 443/tcp, then it's a different situation altogether.

1 Like

It's also possible to use an Origin CA certificate to maintain the trust chain for the purpose of proxying via a CDN, which can be useful in instances where no automation is possible (they can be valid up to 15 years, but only the Cloudflare edge trusts them).

1 Like