[SOLVED] ERR_TOO_MANY_REDIRECTS with Cloudflare and SSL

I’m deploying a new app using a new domain: spoonfeed.dev

I’m using cloudflare for DNS and have added both my dedicated IPv6 and shared IPv4 (both proxied), as well as the acme challenge

$ dig _acme-challenge.spoonfeed.dev CNAME +short
spoonfeed.dev.9zd9yy.flydns.net.
$ dig spoonfeed.dev AAAA +short
2606:4700:3036::6815:5b93
2606:4700:3037::ac43:deba
$ dig spoonfeed.dev A +short
104.21.91.147
172.67.222.186

My domain has been added and SSL cert has been issued on fly:

$ fly certs show spoonfeed.dev
The certificate for spoonfeed.dev has been issued.

Hostname                  = spoonfeed.dev
DNS Provider              = cloudflare
Certificate Authority     = Let's Encrypt
Issued                    = rsa,ecdsa
Added to App              = 15 minutes ago
Source                    = fly

However, I get an https://spoonfeed.dev -> https://spoonfeed.dev redirect loop:

$ curl --verbose https://spoonfeed.dev
* Host spoonfeed.dev:443 was resolved.
* IPv6: (none)
* IPv4: 172.67.222.186, 104.21.91.147
* Trying 172.67.222.186:443...
* Connected to spoonfeed.dev (172.67.222.186) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
* subject: CN=spoonfeed.dev
* start date: Jun 23 16:51:56 2024 GMT
* expire date: Sep 21 16:51:55 2024 GMT
* subjectAltName: host "spoonfeed.dev" matched cert's "spoonfeed.dev"
* issuer: C=US; O=Google Trust Services; CN=WE1
* SSL certificate verify ok.
* Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA256
* Certificate level 1: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
* Certificate level 2: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://spoonfeed.dev/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: spoonfeed.dev]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: spoonfeed.dev
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 301
< date: Sun, 23 Jun 2024 18:19:40 GMT
< content-length: 0
< location: https://spoonfeed.dev/
< via: 1.1 fly.io
< fly-request-id: 01J1356H4FTJKBQWTT4VQKP2Z7-sin
< cf-cache-status: DYNAMIC
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aVJ1ncRkVEKU7tlHkoMCcJJJAVp4xsdRsGB2EMVB9f%2B10CGi6KU8lB47LBBwydYO2icCR8QqInhvtZQAgKbecZoXG%2FLTs2CUTw%2BfahtTODSqMQRcsdGGgSvrZN8uhcFK"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 89867cda78449ce1-SIN
< alt-svc: h3=":443"; ma=86400
<
* Connection #0 to host spoonfeed.dev left intact

The request does reach fly.io as it contains a fly-request-id in the response. However, it does not make it to my app (the machines never wake up).

I’m using the exact same setup on a different fly.io app - the only difference is the working app is in CDG, while the broken one is in SIN.

What gives?

I tried:

  1. Moving the app to CDG (didn’t work, back in SIN now)
  2. Deleting the existing machines - didn’t work. With the machines deleted, I just got a cloudflare error as below. With machines created again, it’s back to the redirect loop.

Toggling SSL to Full on Cloudflare from Flexible solved it.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.