Hey, I'm using a Cloudflare Tunnel to proxy my local Portainer server, but it's not working.
Hi, I’m using a Cloudflare Tunnel to expose my local VM. The tunnel status shows as healthy, but when I visit the domain, I get the error: DNS_PROBE_FINISHED_NXDOMAIN — the site can’t be reached.
I attached a screenshot from a friend who can access the Cloudflare dashboard but not the routed tunnel itself, which should lead to the VM.
Checking the tunnel logs, I sometimes see these errors:
And after some time:
Also, when the Docker container running the tunnel is active, I can no longer connect to the local IP address 192.168.1.100:9334, and the SSL secured domain doesn’t work either.
What could be causing these issues?
Support AI
Based on the provided information, I'll try to help you troubleshoot the issues.
The DNS_PROBE_FINISHED_NXDOMAIN error typically indicates a DNS resolution issue. According to the Cloudflare documentation, this error can occur when the DNS query for a specific resource cannot locate an associated domain (Source: https://developers.cloudflare.com/dns/troubleshooting/dns-probe-finished-nxdomain/).
The tunnel logs you provided suggest that there might be a connection issue between the tunnel and the Cloudflare edge. The error "failed to dial to edge with quic: timeout: no recent network activity" indicates a timeout, which could be related to network connectivity or configuration issues (Source: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/troubleshoot-tunnels/common-errors/).
Additionally, the fact that you can no longer connect to the local IP address 192.168.1.100:9334 when the Docker container is active suggests that there might be a port conflict or configuration issue.
To troubleshoot these issues, I recommend checking the following:
1. Verify that the DNS records for your domain are correctly configured in the Cloudflare dashboard.
2. Check the network connectivity and configuration of the machine running the Cloudflare Tunnel.
3. Ensure that the Docker container is properly configured and not causing any port conflicts.
4. Review the Cloudflare Tunnel logs for any other errors or warnings that might indicate the root cause of the issue.
If you're still unable to resolve the issue, you can try checking the Cloudflare documentation for more troubleshooting guides or reaching out to Cloudflare support for further assistance.
This is an AI generated response, it may not be 100% accurate. Please validate the output. You can ask followups by replying to this message or mentioning me.
Can it be the zone set-up?

@SuperHelpflare Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead" connIndex=1 event=1 ingressRule=0 originService=https://192.168.1.100:9443
Support AI
The error message you're seeing suggests that the issue is related to the SSL/TLS certificate used by your origin service.
The specific error message "tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead" indicates that the certificate is using the Common Name (CN) field to identify the server, which is a legacy practice.
According to the Cloudflare documentation, this error can occur when the certificate is not properly configured to use Subject Alternative Names (SANs) instead of the Common Name field. (Source: https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/)
To resolve this issue, you'll need to update the SSL/TLS certificate used by your origin service to use SANs instead of the Common Name field. You can do this by re-issuing the certificate with the correct configuration.
Additionally, you can also try to configure Cloudflare to use the --no-tls-verify flag when connecting to your origin service. However, this is not recommended as it can compromise the security of your connection.
It's also worth noting that the error message mentions that the service may be down or not responding to traffic from cloudflared. You should also verify that your origin service is running and responding correctly to traffic.
If you're still having trouble, you can try to check the Cloudflare documentation for more information on troubleshooting SSL/TLS issues. (Source: https://developers.cloudflare.com/ssl/troubleshooting/)
@SuperHelpflare When changing the type from https to http I get the following message:
Client sent an HTTP request to an HTTPS server.
When I use http://(DOMAIN) or https://(DOMAIN), same issue.
DNS cache
Resolving DNS entries is complex and involves many parties (your browser, your operating system, your router and then your ISP's resolver).
Any and all of these intermediaries can potentially cache your DNS request and serve stale content, even though you just updated it.
Quick fixes:
1. Use a different browser
2. Restart your PC
3. Change your DNS from your ISP's to Cloudflare's: https://one.one.one.one/dns/#setup-instructions
That somewhat fixes the issue
Now I also get this screen:

and in my console it states:
You need to turn off SSL verification of the certificate.
Or I think there is an option for expected hostname which you could set.
Where can I do that? Certificate settings? Or global SSL settings?
And it is not possible to generate a certificate for the local domain, right? To "bypass" this issue.
Specific for the public hostname options for the tunnel
No, because it is looking for a certificate of 192.168.1.100, so you'd have to make a cert for that.
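The CN-only certificate problem from the Support AI reply above and the "make a cert for 192.168.1.100" suggestion, shown in an added Go example that is not the thread's or cloudflared's code: it builds two self-signed certificates for the origin IP (constructed here) and runs the same hostname check Go's TLS client, and therefore cloudflared, applies; the one carrying the address only in the legacy CN field fails with exactly the quoted error, the one with an IP SAN passes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a self-signed origin certificate for addr (constructed for
// this example). With withSAN=false the address lives only in the legacy CN
// field, which is the situation the origin in this thread is in.
func selfSigned(addr string, withSAN bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: addr},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		tmpl.IPAddresses = []net.IP{net.ParseIP(addr)} // the IP SAN cloudflared needs
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkHostname applies Go's hostname verification, the check behind the
// "relies on legacy Common Name field" error, to a fresh certificate for addr.
func checkHostname(addr string, withSAN bool) error {
	cert, err := selfSigned(addr, withSAN)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(addr)
}
```

A certificate that passes this check still has to chain to a CA cloudflared trusts, so a self-signed one also needs to be handed to the tunnel through its origin CA pool setting rather than by disabling verification.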
I disabled TLS and Universal SSL, then I got an error stating that the site is not using a supported protocol, and I couldn't bypass/skip that.
So I changed that back. Now I tried changing the SSL mode to Flexible, so traffic from the host to Cloudflare is encrypted and from Cloudflare to the server goes through HTTP, but I still get the same verification error.
You are looking in the wrong place. Under the TLS settings for your tunnel, enable No TLS Verify, or change the Origin Server Name.
From the Zero Trust dashboard, the full path to get there is Networks -> Tunnels. Edit the tunnel, either by clicking the tunnel and then the Edit button, or the 3 dots on the right and then Configure. Go to Public Hostnames, edit the hostname, and there are the TLS settings.
Found it, thanks!