Let's Encrypt, Node.js and Cloudflare

  1. I have a Node.js server (no Apache or nginx)
  2. I am using Cloudflare services
  3. I needed to turn off Cloudflare in order to install Let's Encrypt
  4. I successfully installed Let's Encrypt
  5. When I turned Cloudflare back on, it gave me an error 521 (or 502)

I turned off my firewall.

After ‘curl https://my_server_ip -v’ I also get an error: SSL: certificate subject name does not match target host name.
If only using HTTP, ‘curl http://my_server_ip -v’ also gives an error: Failed to connect to ‘my_server_ip’: Connection refused.

What am I doing wrong? If you need more info, please ask.

“521 Origin Down”
Means CloudFlare can’t connect to your original content server (IP x.y.x.q?).

When you installed LE, did you also switch your nodeJS server from HTTP to HTTPS? YES.
Do your firewall rules allow for port 443 access? YES.
This proves both of the above (given your domain is “your.fqdn” and your original server IP is “x.y.z.q”):
openssl s_client -connect x.y.z.q:443 -servername your.fqdn
which provides a brand newish cert:

So now to your question:
“What i am doing wrong?”
The only thing I can find missing in your plan would be how CloudFlare connects to your server (probably via HTTP), which hasn’t been modified to reflect the changes you have made: you have blocked/rejected port 80 on the firewall or stopped servicing it in the nodeJS config (“Connecting to x.y.z.q:80… failed: Connection refused.”) and are now only allowing port 443.
So just change CloudFlare to connect to your server via HTTPS and all should be good.

[edit - all the cool stuff was redacted by request]

Hi @galvakojis

A) You should really provide your domain name so others can test.
B) Have a look at the Cloudflare and Let's Encrypt configuration below.

Also useful is an article I wrote about how to set up Cloudflare automated DNS for issuing certificates:



I have confirmed that the challenge is between Cloudflare and your origin server. If you read the article, it explains how to reduce the strict mode or how to disable Cloudflare proxying.

I did some checking based on the information you gave me, and the Let's Encrypt certificate on your origin server is fine.

I think your issue is that your origin web server is not running and is returning 404.


The original server appears to be running HTTPS with a valid cert but is definitely having issues.


1. HTTPS requests through CloudFlare “fail” with 521:
wget https://g******t.com/
--2017-10-06 20:45:53-- https://g******t.com/
Resolving g******t.com (g******t.com)… 1x.y.z.q7, 1x.y.z.w7, 2x:y:z:e:f:g:b3, …
Connecting to g******t.com (g******t.com)|1x.y.z.q7|:443… connected.
HTTP request sent, awaiting response… 521 Origin Down
2017-10-06 20:45:53 ERROR 521: Origin Down.

2. HTTPS requests directly to origin server “fail” with 404:
wget https://g******t.com/
--2017-10-06 20:43:38-- https://g******t.com/
Resolving g******t.com (g******t.com)… 6x.y.z.q2
Connecting to g******t.com (g******t.com)|6x.y.z.q2|:443… connected.
HTTP request sent, awaiting response… 404 Not Found
2017-10-06 20:43:38 ERROR 404: Not Found.

3. HTTP requests directly to origin server “fail” with connection refused:
wget http://g******t.com/
--2017-10-06 20:40:07-- http://g******t.com/
Resolving g******t.com (g******t.com)… 6x.y.z.q2
Connecting to g******t.com (g******t.com)|6x.y.z.q2|:80… failed: Connection refused.

So I’m thinking CloudFlare is seeing “connection refused” (using HTTP) and replying with “Origin Down”, because if they saw 404 they would reply with 404.

[edit] Tests repeated with the same outcome using something more obvious: https://g******t.com/not/a/real/file.txt
