Zerops community thread, 3mo ago

Custom domain issue

P110 (OP), 3mo ago:
Morning : ) is anyone able to give me a hand figuring out what I've done wrong with my subdomain setup? I've just deployed a new project to add a staging environment, configured the subdomain URL in the same way & added it to Cloudflare - but I'm getting 404s from the nginx load balancer and I can't see requests making it to my app in the logs. Staging project ID: FJLjV17BRuGEKobZX2vHfg Original project ID: 3k5zoZOLTF23tmP2KSh7ZA
Aleš, 3mo ago:
@Backend ?
Michal Saloň, 3mo ago:
Hello, could you please show us your Cloudflare configuration? You can blur part of the IP addresses, but we need to check if you set it up correctly (e.g. if you have enabled the CF proxy, that you did not also add our shared IPv4 to CF, etc.). Zerops generates certificates for all sub-domains and the root domain at once, so if one of the domains isn't configured correctly, Zerops will wait until it is. Your production is working for now because it already had an existing certificate, but it won't be refreshed if all of the sub-domains entered into Zerops do not correctly point to the project.
P110 (OP), 3mo ago:
[attached screenshot, no description]
P110 (OP), 3mo ago:
Of course, here you go - all records are proxied (which should be fine if just using the private IPv6?). That makes sense - I initially had prod running directly at the IPv6 unproxied, and then switched it over a few weeks ago.
Michal Saloň, 3mo ago:
Proxied with IPv6 is ok, you just must not also add a proxied shared IPv4 (dedicated is ok). Can you just confirm that staging and api-staging have the correct IP suffix, as both projects have different IP addresses (last 4 characters)? P.S.: our recommended setup is to use a CNAME instead of A/AAAA records. If you want to use the CF proxy you can just toggle off "Shared IPv4 included in the CNAME" in Zerops and it should work. With CF and some other DNS providers a CNAME will work even for the root domain trackops.uk, as they support CNAME flattening, but with others it will work only on sub-domains.
P110 (OP), 3mo ago:
Can confirm that the correct IPv6s were used for the different projects - I've moved staging over to CNAME now & will see if it updates (do you know how long it'll take for Zerops to detect the change?). I'd tried the CNAME option previously but Zerops still showed DNS as not being connected & didn't issue the certificates (hence trying IPv6 unproxied and then IPv6 proxied, which is working for now, but I appreciate won't get certs refreshed). Just to note that Zerops is still saying "Not pointing to project's IP" & hasn't issued certs.
Michal Saloň, 3mo ago:
Yes, sorry for the lack of response, we are looking into why it's happening.
P110 (OP), 3mo ago:
No rush, just updating from my end - thanks for the help 🙂
Solution (Michal Saloň, 3mo ago):
Just to be sure, did you maybe add a WAF rule to block access to one of the domains, or enable Under Attack Mode? If yes, then you will have to add an exception for URLs starting with /.well-known/acme-challenge/, as it seems like CF is blocking our attempts to check the challenge URL with a captcha.
P110 (OP), 3mo ago:
Ahhhhhhh - good spot, yes - I've just looked in the WAF logs, I can see the requests being blocked, matching on a rule targeting UA Go-http-client/1.1 - I've added a rule to manually bypass now and Zerops has immediately validated the domains... Thank you Michal & team for the help - apologies for the issues!
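As an added illustration of the fix described in the exchange above (this is example code, not code from Zerops, Cloudflare, or anyone in the thread), the following Python models how an ordered set of Cloudflare WAF custom rules decides the fate of the certificate validation request. The rule names, the Cloudflare Rules-language expressions quoted in the comments, and the sample requests are all constructed for this example; the only details taken from the thread are the challenge path prefix /.well-known/acme-challenge/ and the Go-http-client/1.1 User-Agent that the block rule matched on. The point it makes is that the exception has to be a Skip rule that sits above the block rule, because Cloudflare evaluates custom rules in list order and a Skip rule stops evaluation of the rules it skips.

```python
"""Model of an ordered Cloudflare WAF custom-rule list (example code).

Assumes two hypothetical custom rules: a Skip rule for the ACME HTTP-01
challenge path placed before a Block rule that targets the Go-http-client
User-Agent. Requests below are constructed, not captured from the thread.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Path prefix that the ACME HTTP-01 validator fetches (from the thread).
ACME_PREFIX = "/.well-known/acme-challenge/"


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    user_agent: str


@dataclass(frozen=True)
class Rule:
    name: str          # hypothetical rule name
    action: str        # "skip" or "block"
    expression: str    # the equivalent Cloudflare Rules-language text
    match: Callable[[Request], bool]


def is_acme_challenge(req: Request) -> bool:
    """True for the validator's GET of a challenge token."""
    return req.method == "GET" and req.path.startswith(ACME_PREFIX)


def is_go_http_client(req: Request) -> bool:
    """True for any Go default HTTP client, e.g. Go-http-client/1.1."""
    return req.user_agent.startswith("Go-http-client/")


# Cloudflare evaluates custom rules top to bottom. A Skip rule that matches
# ends evaluation for the rules it skips, so the exception must be listed
# ABOVE the block rule for the challenge request to get through.
RULES: List[Rule] = [
    Rule("acme-challenge-exception", "skip",
         '(http.request.uri.path starts_with "/.well-known/acme-challenge/")',
         is_acme_challenge),
    Rule("block-go-http-client", "block",
         '(http.user_agent contains "Go-http-client")',
         is_go_http_client),
]


def waf_decision(req: Request, rules: List[Rule] = RULES) -> str:
    """Return 'skip', 'block' or 'allow' for one request under `rules`."""
    for rule in rules:
        if rule.match(req):
            return rule.action
    return "allow"


def evaluate_log(requests: List[Request],
                 rules: List[Rule] = RULES) -> List[Tuple[str, str]]:
    """Decide a whole batch of requests; returns (path, decision) pairs."""
    return [(req.path, waf_decision(req, rules)) for req in requests]


# Constructed sample traffic: the validator's probe, a scraper using the same
# default Go client, and an ordinary browser request.
SAMPLE_REQUESTS = [
    Request("GET", ACME_PREFIX + "tokenABC123", "Go-http-client/1.1"),
    Request("GET", "/", "Go-http-client/1.1"),
    Request("GET", "/login", "Mozilla/5.0 (X11; Linux x86_64)"),
]

if __name__ == "__main__":
    print("correct order (skip rule first):")
    for path, decision in evaluate_log(SAMPLE_REQUESTS):
        print(f"  {decision:5s} {path}")
    print("wrong order (block rule first):")
    for path, decision in evaluate_log(SAMPLE_REQUESTS, list(reversed(RULES))):
        print(f"  {decision:5s} {path}")
```

Running the block prints that the challenge request is skipped only when the exception precedes the block rule; with the rules reversed the same request is blocked, which is the 403 the validator would see and the symptom the thread describes. The Skip rule is deliberately narrow (GET on the exact challenge prefix), so it does not reopen the rest of the site to the blocked User-Agent.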
Michal Saloň, 3mo ago:
No problem, glad we managed to figure it out. We will add a better overview of what is happening to the DNS/SSL section down the line (so you can see that we were receiving e.g. 403 on that endpoint).
