SSL Mismatch when using Cloudflare proxy & Traefik

I use Traefik as a reverse proxy on my Docker Swarm where it generates Let’s Encrypt certs for any of the domains behind it. I have http challenge enabled.

I have Cloudflare as my DNS, and while the Cloudflare proxy is off, I can spin up my site and reach it. It seems the certs are generated properly.

The issue comes when I turn on the Cloudflare proxy. There are two situations where the Cloudflare proxy is causing issues.

  1. When I turn it on, in the immediate term, I can still reach my site even with different browsers. I cannot reach it maybe a day later and I don’t understand why that is the case. I will eventually get: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
  2. When I turn it on and then spin up Traefik on my VM, I get ERR_SSL_VERSION_OR_CIPHER_MISMATCH again.

I’m having trouble debugging this situation because I lack some knowledge on how this whole process works. I think the SSL certs were based on the domain so why doesn’t it work behind a Cloudflare proxy? And how would I make it work? And why doesn’t it work when I have the Cloudflare proxy turned on?

Situation 1

  1. Spin up Traefik
  2. Turn on Cloudflare proxy
  3. Reach the site

Situation 2

  1. Turn on Cloudflare proxy
  2. Spin up Traefik
  3. Reach the site


This is what is in the logs:

2018-02-09T06:48:54.824922470Z proxy_traefik.1.xkj1e6exc2v6@staging-manager1 | 10.255.0.2 - - [09/Feb/2018:06:48:54 +0000] "GET /api/providers HTTP/2.0" 200 1427 "https://traefik.staging.example.com/dashboard/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299" 97 "Host-traefik-staging-example-com-1" "http://10.0.0.58:8080" 0ms

And same error happens with Situation 1 if I leave Cloudflare proxy on over night.

For anyone who runs into this issue: I think this has to do with being on the Free plan and not being able to use the proxy on domains two levels up. For example, traefik.staging.example.com will not work but traefik.example.com should.


Are you sure you have Universal SSL enabled for that domain?

Can you show a Cloudflare-issued certificate on crt.sh for your domain?

The story sounds like you have it disabled and that when the DNS eventually propagates to point to the Cloudflare proxy, it stops working because Cloudflare doesn’t have a certificate for that name.

It’s super hard to reason about without knowing the domain, though.

That seems to be correct - according to https://support.cloudflare.com/hc/en-us/articles/200170566-Why-isn-t-SSL-working-for-my-site-

Cloudflare-issued SSL certificates cover the root-level domain (eg- example.com) and one level of subdomains (eg- *.example.com). If you’re attempting to access a second level of subdomains (eg- *.*.example.com) through Cloudflare using the Cloudflare-issued certificate, a HTTP 403 (sic) error will be seen in the browser as these host names are not present on the certificate. If you need to have SSL working for these types of host names you would either need to purchase a Dedicated Certificate with Custom Hostnames through Cloudflare, purchase your own SSL cert and upload it to us as a Custom SSL Certificate or grey-cloud this DNS record so the traffic goes directly to your origin server.

Unfortunately I don’t think the option to upload your own certificate is available on Cloudflare’s free plan.

@_az the domain can be inferred from the log message :wink: though it’s currently serving a Let’s Encrypt cert from a Dreamhost IP so I guess Cloudflare is disabled. But e.g. https://crt.sh/?id=324141778 you can see the wildcard won’t cover the sub-subdomain.

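To make the wildcard point above concrete, here is an added example (not code from the thread or from Cloudflare) that applies the standard single-label wildcard rule for certificate subjectAltName entries to the host names in this thread. The SAN list is constructed to mirror the shape of a Universal SSL certificate (apex plus `*.example.com`); it is not fetched from crt.sh.

```python
# Added example: RFC 6125 / browser-style matching of a host name against a
# certificate's dNSName subjectAltName entries. A wildcard is only accepted as
# the entire left-most label and covers exactly one label, which is why
# "*.example.com" covers "traefik.example.com" but not
# "traefik.staging.example.com" (the cert has nothing to offer for that name).

# Constructed SAN list, shaped like the Cloudflare Universal SSL cert discussed
# above; it is not the real certificate from crt.sh.
UNIVERSAL_SSL_SANS = ["example.com", "*.example.com"]


def dns_name_matches(san: str, hostname: str) -> bool:
    """True if one dNSName SAN entry covers hostname (case-insensitive)."""
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if not all(host_labels):
        return False  # empty label, e.g. ".example.com"
    # Reject partial wildcards ("traef*.example.com") and wildcards anywhere
    # but the left-most label; require at least two labels after the "*" so
    # that "*.com" is refused. This mirrors what browsers enforce.
    if san_labels[0] != "*" and "*" in san_labels[0]:
        return False
    if any("*" in label for label in san_labels[1:]):
        return False
    if san_labels[0] == "*" and len(san_labels) < 3:
        return False
    # "*" stands for exactly one label, never zero or several, so the label
    # counts must agree; then compare label by label.
    if len(san_labels) != len(host_labels):
        return False
    return all(s == "*" or s == h for s, h in zip(san_labels, host_labels))


def certificate_covers(sans: list[str], hostname: str) -> bool:
    """True if any SAN entry on the certificate covers hostname."""
    return any(dns_name_matches(san, hostname) for san in sans)


def uncovered_names(sans: list[str], hostnames: list[str]) -> list[str]:
    """Return the host names the certificate would fail to cover."""
    return [h for h in hostnames if not certificate_covers(sans, h)]


if __name__ == "__main__":
    for name in ["example.com", "traefik.example.com", "traefik.staging.example.com"]:
        print(f"{name}: {'covered' if certificate_covers(UNIVERSAL_SSL_SANS, name) else 'NOT covered'}")
```

Running it shows `traefik.staging.example.com` as the only name the apex-plus-wildcard certificate does not cover, which is the sub-subdomain case the thread ends on.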
