Using custom domain (cloudflare) for SSH (soft-serve) application

I have deployed a self-hosted git server (using Charm's soft-serve) and I am able to connect via the default domain Fly provides. However, when I set a custom domain, I am unable to establish a connection, leading to a timeout.

```text
$ ssh git.adoublef.dev -v
OpenSSH_9.8p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/me/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to git.adoublef.dev port 22.
ssh: connect to host git.adoublef.dev port 22: Operation timed out
```

I am using a Cloudflare domain and am wondering what the issue could be.

EDIT: It looks as though unchecking the proxy option for A/AAAA as well as CNAME helped.

That mostly defeats the purpose of Cloudflare; you should turn the proxy back on once the certs are verified.

When using Cloudflare, you need to manually set up the ACME challenge CNAME and keep it DNS only (gray cloud), otherwise the auto cert will fail.

Ah, thank you for the clarification. I turned it on and tried again; I will have to wait a few hours and try again just to be sure.

Would you suggest using the proxy for all A/AAAA & CNAME once I have verified or just A/AAAA?

Yeah, everything but the ACME.

I think that with Cloudflare, having the proxy on (for all A, AAAA & CNAME) is actually causing a problem with connecting (I get timeouts due to this). If it defeats the purpose of Cloudflare (I only use them for the domain since Google discontinued their services), then I am unsure where to look for a proper solution.

You likely misconfigured something. Did you set your CF SSL to Full or Full (strict)?

Just had a look and it's on Full (strict). I will change to Full, put the proxy back on for A/AAAA (not CNAME) and see.

It seems that using Full also yields issues when I have the proxy set for A/AAAA (CNAME is not set). I wonder if it would be best for me to cross-post onto the CF community site for additional support.

No, you can search on this forum; there have been discussions and solutions to the problem.

I was overlooking a previous solution you gave on a similar post, and when re-adding the certs from the CLI I get this warning suggesting to remove the proxying feature if not needed. Given this is a self-hosted git server, do I need the proxy features?

```text
You're using Cloudflare's proxying feature (orange cloud active) for this hostname.
If you do not need Cloudflare-specific features, it's best to turn off proxying.
The only way to create certificates for proxied hostnames is to use the DNS challenge.
You can validate your ownership of git.adoublef.dev by:

1: Adding an CNAME record to your DNS service which reads:
    CNAME _acme-challenge.git.adoublef.dev => git.adoublef.dev.*.flydns.net.

If you've already set this up, your certificate should be issued soon.
For much more information, check our docs at: https://fly.io/docs/networking/custom-domain/
```
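The two rules this thread arrives at (a host record behind the orange cloud only gets Cloudflare's HTTP proxy, so TCP/22 times out; the `_acme-challenge` CNAME must stay DNS only and point under `flydns.net`) can be checked mechanically against a set of DNS answers. This is an added example, not code from the thread or from Fly or Cloudflare: it takes the answers as a dict (for instance copied from `dig` output) instead of querying DNS itself, the `example.test` names and addresses are constructed, and the Cloudflare ranges are a partial snapshot.

```python
import ipaddress

# Partial snapshot of Cloudflare's published anycast ranges; refresh from
# https://www.cloudflare.com/ips/ before relying on it.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "173.245.48.0/20",
    "162.158.0.0/15", "141.101.64.0/18", "108.162.192.0/18", "198.41.128.0/17",
    "2606:4700::/32",
)]


def is_cloudflare_ip(ip: str) -> bool:
    """True when the address sits in a Cloudflare edge range, i.e. the record is proxied."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)


def check_fly_custom_domain(host: str, answers: dict) -> list:
    """answers maps a DNS name to {"A": [...], "AAAA": [...]} or {"CNAME": "target."}.
    Returns findings explaining why ssh or Fly's DNS-01 challenge would fail."""
    findings = []
    host_ans = answers.get(host, {})
    ips = host_ans.get("A", []) + host_ans.get("AAAA", [])
    if not ips and "CNAME" not in host_ans:
        findings.append(f"{host}: no A/AAAA/CNAME record")
    proxied = [ip for ip in ips if is_cloudflare_ip(ip)]
    if proxied:
        findings.append(f"{host}: resolves to Cloudflare edge {proxied[0]} (orange cloud); "
                        "the HTTP proxy does not forward TCP/22, so ssh will time out")
    acme = f"_acme-challenge.{host}"
    acme_ans = answers.get(acme)
    if acme_ans is None:
        findings.append(f"{acme}: missing CNAME; Fly cannot complete the DNS challenge")
    elif "CNAME" not in acme_ans:
        # A proxied CNAME is flattened to Cloudflare addresses, so no CNAME is visible.
        findings.append(f"{acme}: returns addresses instead of a CNAME (proxied); set it to DNS only")
    elif not acme_ans["CNAME"].rstrip(".").endswith(".flydns.net"):
        findings.append(f"{acme}: CNAME target {acme_ans['CNAME']} is not under flydns.net")
    return findings


# Constructed snapshots: BROKEN has both records behind the orange cloud, GOOD is DNS only.
BROKEN = {
    "git.example.test": {"A": ["104.21.0.10"]},
    "_acme-challenge.git.example.test": {"A": ["104.21.0.10"]},
}
GOOD = {
    "git.example.test": {"A": ["203.0.113.10"], "AAAA": ["2001:db8::10"]},
    "_acme-challenge.git.example.test": {"CNAME": "git.example.test.example-id.flydns.net."},
}

if __name__ == "__main__":
    for name, snapshot in (("BROKEN", BROKEN), ("GOOD", GOOD)):
        print(name, check_fly_custom_domain("git.example.test", snapshot) or ["ok"])
```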

IIRC, there were details on how to set it up properly. Keep digging, you'll find the solution.
