Help with SSL Cloudflare
from cutebc24@piefed.social to selfhosted@lemmy.world on 05 Jul 08:28
https://piefed.social/post/1008368

So, I tried linking my Lemmy instance akaris.space but it says the SSL handshake failed and I can't seem to figure out what went wrong.

#selfhosted

RheumatoidArthritis@mander.xyz on 05 Jul 08:38

developers.cloudflare.com/ssl/…/ssl-modes/ you could use a less strict mode here

cutebc24@piefed.social on 05 Jul 13:18

I have, thanks, now it shows "parked on the bun"

RheumatoidArthritis@mander.xyz on 05 Jul 18:52

What is porkbun, your hosting provider?

cutebc24@piefed.social on 05 Jul 19:46

The site I bought the domain at :3

tal@lemmy.today on 05 Jul 10:06

I’m not familiar enough with Cloudflare’s error messages — or deployment with Cloudflare — to know what exact behavior that corresponds to, but I’d guess that most likely it can open a TCP connection to port 443 on what it thinks is your server, but it’s not getting HTTPS on that port or your server isn’t configured to serve up the right certificate for that hostname or the web server software running on it is otherwise broken. Might be some sort of intervening firewall.

I don’t know where your actual server is, may not even be accessible to me. But if you have a Linux machine that can talk to it directly – including, perhaps, the server itself – you should be able to see what certificate it’s handing back via:

$ openssl s_client -showcerts -servername akaris.space IP-address-of-actual-server:443

That’ll try to establish a TLS connection, will send the specified server name so that if you’re using vhosting on the server, it knows which site to return, and then will tell you what certificate the web server used. Would probably be my first diagnostic step if I thought that there was a problem with the TLS handshake on a machine I was running.

That might provide enough information to you to let you resolve the issue yourself.

Beyond that, trying to provide much more information probably isn’t possible without more information about how your server is set up and what actually is working. You can censor IP addresses if you want to keep that private.
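As an added example (not part of the thread), the same check in Python: it connects straight to the origin IP, sends the hostname as SNI, validates the certificate the way Cloudflare's Full (strict) mode would, and maps the outcome to the strictest Cloudflare SSL mode that origin could still satisfy. The IP and hostname are command-line placeholders.

```python
import socket
import ssl

# Cloudflare origin SSL modes, from least to most demanding of the origin.
FLEXIBLE, FULL, FULL_STRICT = "Flexible", "Full", "Full (strict)"

def classify(exc):
    """Map what happened while talking TLS to the origin to the strictest
    Cloudflare mode the origin could still satisfy (None = not reachable)."""
    if exc is None:
        return FULL_STRICT                 # handshake and validation both passed
    if isinstance(exc, ssl.SSLCertVerificationError):
        return FULL                        # TLS works, but cert is self-signed/expired/wrong name
    if isinstance(exc, ssl.SSLError):
        return FLEXIBLE                    # TCP connects, no usable TLS: only plain HTTP to origin is left
    if isinstance(exc, OSError):
        return None                        # refused / timed out: firewall or port-forward problem
    raise exc

def probe_origin(ip, sni, port=443, timeout=5.0):
    """Connect directly to the origin (bypassing Cloudflare), present `sni` in
    the ClientHello and validate the returned certificate against the system
    CA bundle plus hostname check. Returns (strictest_mode, detail)."""
    ctx = ssl.create_default_context()     # CERT_REQUIRED + check_hostname=True
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                cert = tls.getpeercert()
        cn = dict(rdn[0] for rdn in cert["subject"]).get("commonName", "?")
        return classify(None), f"valid cert for {sni}: CN={cn}, expires {cert['notAfter']}"
    except ssl.SSLCertVerificationError as e:   # must precede the generic SSLError
        return classify(e), f"TLS ok but certificate rejected: {e.verify_message}"
    except ssl.SSLError as e:                   # e.g. WRONG_VERSION_NUMBER = plain HTTP on 443
        return classify(e), f"TCP ok but TLS handshake failed: {e.reason}"
    except OSError as e:
        return classify(e), f"cannot reach {ip}:{port}: {e}"

if __name__ == "__main__":
    import sys
    origin_ip, hostname = sys.argv[1], sys.argv[2]   # e.g. 203.0.113.10 akaris.space
    mode, detail = probe_origin(origin_ip, hostname)
    print(detail)
    print("strictest Cloudflare SSL mode this origin supports:",
          mode or "none (fix connectivity/port forwarding first)")
```

Run it from a machine that can reach the origin directly; if it reports Full but Cloudflare is set to Full (strict), the certificate, not the tunnel, is the mismatch.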

3dcadmin@lemmy.relayeasy.com on 05 Jul 10:41

How are you using Cloudflare, and what are you serving the lemmy instance on? I’m guessing it is due to the ssl mode chosen as said before

3dcadmin@lemmy.relayeasy.com on 05 Jul 11:19

You want to use Flexible SSL/TLS for starters; doubtful it will work otherwise. Log in to Cloudflare, choose the domain, then SSL/TLS and see if encryption is set to Flexible. See what that gets you, though it can take 15 mins for effects to show up. As long as the server can be reached, Cloudflare will try and match a certificate so Lemmy gets served, as long as the server is set up correctly and the ports etc. are correctly forwarded and open.

cutebc24@piefed.social on 05 Jul 13:17

I'm using it to set up a tunnel, and the Lemmy instance is on YunoHost. Since my domain is on Porkbun, it now says "parked on the bun".

jacksquat@what.forfi.win on 05 Jul 16:32

Set the SSL mode to “Full”. Then go to “Rules” and create three rules. This is also the order in which they should be processed:

1. Name: lemmy u all
   Custom filter expression: URI path equals /u/*
   All other options disabled.
2. Name: lemmy nodeinfo all
   Custom filter expression: URI path equals /nodeinfo/*
   All other options disabled.
3. Name: lemmy inbox all
   Custom filter expression: URI path equals /inbox/*
   All other options disabled.

This should get your instance running behind Cloudflare’s tunnel.

*edited for formatting

cutebc24@piefed.social on 05 Jul 17:32

What do I put for "rule type" on Cloudflare? e.g. redirect or route request, transform request/response, modify configurations

jacksquat@what.forfi.win on 05 Jul 18:23

Oops sorry about that, you want them all as configuration rules

cutebc24@piefed.social on 05 Jul 22:14

Thanks

jacksquat@what.forfi.win on 05 Jul 22:19

Hope it helped!

cutebc24@piefed.social on 05 Jul 22:27

What action do I put? I put SSL, idk.

jacksquat@what.forfi.win on 05 Jul 22:30

I’ve left all of the actions off

cutebc24@piefed.social on 05 Jul 22:38

Oh, how do u do that? It says I must have an action.

jacksquat@what.forfi.win on 05 Jul 22:54

So sorry, it’s been a while… Add the following actions:

  1. Browser integrity check (Then turn off)
  2. Disable RUM
  3. Disable Zaraz
  4. Email Obfuscation (Then turn off)
  5. Fonts (Then turn off)
  6. Hotlink Protection (Then turn off)
  7. Opportunistic Encryption (Then turn off)
  8. Rocket Loader (Then turn off)

cutebc24@piefed.social on 06 Jul 00:32

Thanks so much!! This will totally help me and I'll tell u the results

cutebc24@piefed.social on 06 Jul 00:41

The domain says parked.

cutebc24@piefed.social on 05 Jul 22:41

action parameters are required for the set_config action

cutebc24@piefed.social on 05 Jul 22:27

But maybe not, because it still says the handshake failed.