
SSL Cloudflare Almalinux Cloudflare SSL issue

Discussion in 'Domains, DNS, Email & SSL Certificates' started by fly, Mar 7, 2024.

  1. fly

    fly Member

    109
    16
    18
    Jul 27, 2019
    Ratings:
    +28
    Local Time:
    8:11 AM
    @eva2000 I'm not sure this warrants a whole thread because I think I'm missing something completely obvious...

    I just built an Alma 8 server and freshly installed Centmin 130. Everything works fine (other than a self signed cert error) when going directly to the server. Once I turn on the Cloudflare DNS proxy, it says the origin server timed out. I'm running Cloudflare SSL as Full not Strict, so it shouldn't care about the self signed cert. But that's not even the error anyway.

    What dumb thing did I miss?

     
  2. eva2000

    eva2000 Administrator Staff Member

    51,726
    11,944
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,436
    Local Time:
    10:11 PM
    Nginx 1.25.x
    MariaDB 10.x
    How was the Nginx HTTPS vhost created? centmin.sh menu option 2, 22 or the nv command line? Try testing the Centmin Mod Nginx origin's curl header check response by bypassing the Cloudflare CDN proxy using
    Code (Text):
    domain=yourdomain.com
    curl -Ikv --resolve $domain:443:SERVER_IP https://$domain
    

    and
    Code (Text):
    domain=www.yourdomain.com
    curl -Ikv --resolve $domain:443:SERVER_IP https://$domain
    

    where yourdomain.com is your domain and SERVER_IP is the real server IP address
     
  3. fly

    fly Member

    It was created with option 2.

    It's a subdomain, so I only ran the first of your commands, but they timed out.
     
  4. eva2000

    eva2000 Administrator Staff Member

    Are the CSF Firewall and LFD services running, and nginx/php-fpm?
    Code (Text):
    systemctl status csf lfd nginx php-fpm --no-pager | sed -e "s|$HOSTNAME|hostname|g"
    

    what if you restart the services
    Code (Text):
    systemctl restart csf lfd nginx php-fpm
    

    check nginx config
    Code (Text):
    nginx -t
     
  5. fly

    fly Member

    All those were running. Restart didn't help. And nginx -t just gives me this warning:

    Code:
    nginx: [warn] the "listen ... http2" directive is deprecated
    Just to reiterate, everything is working - until I turn on the Cloudflare proxy.
     
  6. eva2000

    eva2000 Administrator Staff Member

    That's normal as it's just a warning. I take it you're only running the Nginx version built from the initial Centmin Mod install? The next time you run centmin.sh menu option 4 to recompile for Nginx 1.25.4 or higher, it will automatically take care of existing Nginx vhosts with the older http2 parameter in the listen directive and convert them to using the standalone http2 directive.

    Maybe CSF Firewall on your server has accidentally blocked Cloudflare IP addresses? You can check if you have Cloudflare whitelisted IP ranges that Centmin Mod setup in /etc/csf/csf.allow
    Code (Text):
    grep -i cloudflare /etc/csf/csf.allow

    See if any Cloudflare IPs are blocked in /etc/csf/csf.deny

    Who's the web host? Do they also have a separate Firewall in front of the Centmin Mod based server? i.e. AWS EC2, Azure etc might have their own Firewall in front too.
     
  7. fly

    fly Member

    I see the CF IPs in allow, and just what seems to be default stuff in deny (mostly shodan).

    It's an EC2 instance with a security group...

    oh my god. I did indeed miss something dumb. I reused a security group that only allowed 80/443 in through a load balancer that I'm not using for this instance.

    *slinks away slowly*
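    The root cause above (a reused EC2 security group that only admits 80/443 from a load balancer's security group, so Cloudflare edges can never reach the origin) can be caught before flipping the proxy on. The following is an added example, not code from this thread or from Centmin Mod: it reads a security group in the JSON shape of `aws ec2 describe-security-groups` output (the SecurityGroups/IpPermissions/IpRanges/UserIdGroupPairs field names are the real ones; the group contents and the short Cloudflare range list are constructed samples) and reports which Cloudflare prefixes have no CIDR rule admitting them on each port.

```python
import ipaddress
import json

# Constructed illustrative subset of Cloudflare IPv4 edge ranges; in practice
# load the current published list rather than hard-coding it.
CLOUDFLARE_RANGES = ["173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13"]

# Constructed sample: the "reused" group from the thread. 80/443 are only open
# to another security group (a load balancer), not to any public CIDR.
SG_JSON = json.dumps({"SecurityGroups": [{"GroupId": "sg-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-loadbalancer"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-loadbalancer"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []}]}]})

def rule_allows_port(rule, port):
    """True if an ingress rule's protocol/port range includes TCP `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                       # "all traffic" rule
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def uncovered_ranges(sg_json, cf_ranges, ports=(80, 443)):
    """Return {port: [Cloudflare prefixes not admitted by any CIDR rule on that port]}.
    Only CidrIp sources count: a rule whose source is another security group
    (UserIdGroupPairs) never matches packets arriving from Cloudflare edges."""
    groups = json.loads(sg_json)["SecurityGroups"]
    result = {}
    for port in ports:
        allowed = [ipaddress.ip_network(r["CidrIp"]) for g in groups
                   for rule in g["IpPermissions"] if rule_allows_port(rule, port)
                   for r in rule.get("IpRanges", [])]
        result[port] = [c for c in cf_ranges if not any(
            ipaddress.ip_network(c).subnet_of(a) for a in allowed
            if a.version == ipaddress.ip_network(c).version)]
    return result

def with_cloudflare_rules(sg_json, cf_ranges, ports=(80, 443)):
    """Return a copy of the group with explicit CidrIp rules for each Cloudflare range."""
    doc = json.loads(sg_json)
    for port in ports:
        doc["SecurityGroups"][0]["IpPermissions"].append({
            "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cf_ranges], "UserIdGroupPairs": []})
    return json.dumps(doc)

if __name__ == "__main__":
    print(uncovered_ranges(SG_JSON, CLOUDFLARE_RANGES))
    print(uncovered_ranges(with_cloudflare_rules(SG_JSON, CLOUDFLARE_RANGES), CLOUDFLARE_RANGES))
```

A non-empty list for port 80 or 443 is exactly the symptom seen in this thread: the origin answers a direct `curl --resolve` from an allowed address but Cloudflare's "origin timed out" once proxying is enabled.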
     
  8. eva2000

    eva2000 Administrator Staff Member

    :LOL: at least you figured it out relatively quickly :)