Site behind Cloudflare unable to get SSL cert #228
Comments
I've managed to get the site back up by changing Cloudflare to DNS-only for the domain, so it essentially bypasses Cloudflare and goes straight to the Meli server, where the certificate was then able to be provisioned. I'm still seeing a load of these tls requests in the logs though:
Is that expected?
I've actually never used Cloudflare alongside Meli, so I'm not sure I can be of great help here, but the http log from Caddy looks normal. Does changing to DNS-only impact your performance?
Yes, there is a slight performance impact, but nothing I can't live with. I was trying to get the maximum performance possible and was testing various options, including Cloudflare. It looks like the use of Cloudflare with Caddy requires using the DNS challenge for TLS (from the Caddy examples).
I suppose this would mean an additional config option in the site's settings form that then pushes this config for this site. A Cloudflare API token field would also be needed somewhere.
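For reference, this is what the DNS-challenge setup mentioned above looks like in a Caddyfile. It is an added example, not Meli's configuration or anything from the project: the site name example.com, the CF_API_TOKEN environment variable and the /srv/example.com root are assumptions, and the `dns cloudflare` directive only exists in a Caddy binary built with the github.com/caddy-dns/cloudflare module.

```caddyfile
# Added example, not Meli's configuration. Assumes the site is example.com,
# that the Cloudflare API token is in the CF_API_TOKEN environment variable,
# and that the site's files live in /srv/example.com. Caddy must be built with
# the github.com/caddy-dns/cloudflare module for "dns cloudflare" to exist.
example.com {
    tls {
        # ACME DNS-01: Caddy writes a TXT record via the Cloudflare API, so the
        # CA never needs to reach this host over port 80/443 through the proxy.
        dns cloudflare {env.CF_API_TOKEN}
    }
    root * /srv/example.com
    file_server
}
```

The token should be scoped to DNS edit permission on the one zone rather than a global API key, since whatever runs Caddy can read it.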
This is a really nicely written article about Caddy and Cloudflare compatibility: https://sammckenzie.be/en/blog/using-caddy-with-cloudflare/ I accept that it may well be beyond the scope of Meli, but if it's something you'd consider adding, it would be appreciated.
Thanks for the link, very helpful. We'll have a look! We'll add this to our backlog.
I'm now trying the more manual method of generating the cert on Cloudflare and pasting it into the Meli cert settings, but Meli is throwing a 400 error. The response is:
This looks similar to #189. Note that I've removed the contents of the pasted certs from the error above and replaced them with [key]. Edit: The private key is failing validation:
The private key that Cloudflare produces is
This is the test we run to check if your key is valid. It's not a great test, I agree. So here it seems like you're missing the

```ts
// Header-only check: it accepts any text that contains the PKCS#1 PEM
// markers and rejects every other PEM label outright.
export function isRsaPrivateKey(value: string): string {
  if (!value.includes('-----BEGIN RSA PRIVATE KEY-----')
    || !value.includes('-----END RSA PRIVATE KEY-----')) {
    throw new Error('Invalid RSA private key');
  }
  return value;
}
```
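The check above looks only for the PKCS#1 label, so a key with a different PEM label is rejected even when it is perfectly valid, while any junk placed between the two RSA markers passes. The following is an added example, not Meli's code: a validator that accepts the common unencrypted private-key labels (PKCS#1 `RSA PRIVATE KEY`, PKCS#8 `PRIVATE KEY`, SEC1 `EC PRIVATE KEY`), requires the BEGIN and END labels to match, and then has Node's crypto module actually parse the key. The function names, the set of accepted labels and the generated sample keys are all assumptions made for the example; the thread does not show which label the pasted key carried.

```typescript
// Added example, not Meli's code. Replaces a substring check on the PEM
// header with a parse of the key itself using Node's crypto module.
import { createPrivateKey, generateKeyPairSync } from 'crypto';

export type KeyCheck =
  | { ok: true; label: string; keyType: string }
  | { ok: false; reason: string };

// Unencrypted private-key PEM labels a user might paste (assumption: this set
// covers what typical CA and openssl tooling emit).
const ACCEPTED_LABELS: ReadonlySet<string> = new Set([
  'RSA PRIVATE KEY', // PKCS#1, the only label the original check accepted
  'PRIVATE KEY',     // PKCS#8, algorithm-agnostic container
  'EC PRIVATE KEY',  // SEC1 EC key
]);

// The original substring test from the thread, as a boolean, kept for contrast.
export function legacyHeaderCheck(value: string): boolean {
  return value.includes('-----BEGIN RSA PRIVATE KEY-----')
    && value.includes('-----END RSA PRIVATE KEY-----');
}

export function checkPrivateKeyPem(value: string): KeyCheck {
  // One PEM block whose END label equals its BEGIN label (the \1 backreference).
  const m = /-----BEGIN ([A-Z ]+)-----[\s\S]+?-----END \1-----/.exec(value);
  if (!m) {
    return { ok: false, reason: 'no PEM block with matching BEGIN/END labels' };
  }
  const label = m[1];
  if (!ACCEPTED_LABELS.has(label)) {
    // Also catches "ENCRYPTED PRIVATE KEY", which needs a passphrase we do not have.
    return { ok: false, reason: `unsupported PEM label "${label}"` };
  }
  try {
    // A header check passes arbitrary bytes between the markers; parsing does not.
    const key = createPrivateKey({ key: m[0], format: 'pem' });
    return { ok: true, label, keyType: key.asymmetricKeyType ?? 'unknown' };
  } catch (e) {
    return { ok: false, reason: `PEM label ok but key does not parse: ${(e as Error).message}` };
  }
}

// Constructed sample input: one freshly generated RSA key in both PEM encodings.
export function makeSampleKeys(): { pkcs1: string; pkcs8: string } {
  const { privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
  return {
    pkcs1: privateKey.export({ type: 'pkcs1', format: 'pem' }) as string,
    pkcs8: privateKey.export({ type: 'pkcs8', format: 'pem' }) as string,
  };
}
```

With the sample keys, `legacyHeaderCheck` passes the PKCS#1 encoding and fails the PKCS#8 encoding of the very same key, while `checkPrivateKeyPem` accepts both and rejects a block that has the right markers around garbage. Returning a reason string instead of throwing also gives the settings form something specific to show under the field.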
Ah yes, it does look like that was the problem. If changing the match isn't too easy, maybe there could be a hint under the field saying something like "Paste your private key including the beginning line -----BEGIN RSA PRIVATE KEY-----, everything between, and ending with -----END RSA PRIVATE KEY-----, making sure they match those words exactly." I just made a fork to make that change, but I couldn't find any examples of help or hint text on other forms to borrow the style from. Is it something you've added on any other forms that I can use as an example?
Glad it worked 😄 Thanks for suggesting these changes! As for style, what I generally do is place a
You do not need to use the Cloudflare DNS plugin: set Automatic HTTPS to off, and create 2 page rules, one to allow /.well-known/* with SSL set to off and another to enable automatic HTTPS for all other URLs. Vercel has documented this under "Using Cloudflare with proxy": https://vercel.com/support/articles/using-cloudflare-with-vercel
@itsezsid I will try this, thanks!
I recently set up a site hosted with Meli to use Cloudflare, which appeared to work fine until I restarted the Meli docker images. Now every few seconds I'm seeing acme messages in my logs, and Caddy is unable to provision a certificate:
And the site behind Cloudflare is complaining about the lack of an SSL certificate.
Is there some way to get the two working together nicely?