cannot connect with Cloudflare DNS (for subdomain)

I am using Cloudflare for DNS and have a domain (example.com)

I have two simple apps that are hooked to this domain. One is a landing page which is hooked to the main domain (example.com) and I made another app that is deployed on fly.io.

I want to connect this new app to a subdomain (foo.example.com)

So I went to the fly.io dashboard and created a certificate for hostname foo.example.com.

It asked me to add A, AAAA and an optional CNAME record.

I added these records in Cloudflare DNS.

Then I confirmed that RSA and ECDSA certificates were issued in Fly.io certificate view.

I also checked this: dig txt _acme-challenge.mydomain.com +short and it did return the correct record value which is a fly address.

But if I go to foo.example.com, I get infinite(like 50 in a row and then it stops) 301 redirects:

(BTW, I want to use cloudflare with fly because i want to cache my responses(server side rendered pages and api fetches) as much as possible on CDN with cache control headers)

General

Request URL: https://foo.example.com/
Request Method: GET
Status Code: 301 
Remote Address: 172.67.216.131:443
Referrer Policy: strict-origin-when-cross-origin


Response Headers

alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
cf-cache-status: DYNAMIC
cf-ray: 7620bed3f83eafd0-NRT
content-length: 0
date: Sun, 30 Oct 2022 02:33:18 GMT
fly-request-id: 01GGKBS045YGTTKTEB8XXH6P7E1-nrt
location: https://foo.example.com/
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=qzG2y8t3h6oODbGKLGeVTvUNnhd29F%2BuRrWF9fDZqhBKcs9Ow2LClf0pRbMAxhGd9%2F1jZoRrery%2FH7rWF6PpC%2Fc5qPUmXbxlaxCYFQr0EO%2FmQM9SxdTaCLSkmOU%2BV18G2BdS2nymA"}],"group":"cf-nel","max_age":604800}
server: cloudflare
via: 1.1 fly.io

Infinite redirects are usually due to a gateway or app setting enforced https, but inbound traffic is not going through ssl.

Are you using flexible mode proxy in Cloudflare? Then traffic from Cloudflare to origin server is not encryption. If you setting force_https in fly or app, it will cause infinite redirects.

Use Full (strict) in Cloudflare might solves the problem, but might cause DNS conflicts when updating the fly certificate later.

My suggestion is to turn off the Cloudflare proxy until they resolve the Let’s Encrypt conflict.

Thank you for your reply!

I did read that somewhere and turned off the proxy for the fly provided A and AAAA records.

hmm not sure what flexible mode proxy is. I did some suggested optimizations, maybe its one of those

Ok this is weird. I got it solved with a strange solution.

I toggled the development mode in cloudflare dashboard, which is “Temporarily bypass our cache. See changes to your origin server in realtime.”

Then it worked…! I turned off the dev mode and it still works. So apparently it was some cache issue. But the funny thing is, I have purged all cache in cloudflare multiple times. hmm maybe its a different set of cache