morph1904 / Tyger2

A Reverse Proxy Application
GNU General Public License v2.0

Unable to deactivated authorizations #22

Closed bugs181 closed 4 years ago

bugs181 commented 4 years ago

To clarify, this is the first time I've ever tried to set up a proxy for docker apps. I haven't had much luck. Originally my domain was at GoDaddy but I've since moved it to Cloudflare for security and ease of use. I'm not confident that I don't have a configuration problem on Cloudflare itself. When setting up DNS, what should I be looking out for?

Here's what works: I hosted a node.js proxy directly on the server and was able to get it working with HTTP. Did not try SSL. So that means the apps are reachable via the domain.


With Tyger2 here's what I'm getting:

```
2020/06/07 23:23:47 [INFO] [REMOVED] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/[REMOVED]
2020/06/07 23:23:47 [INFO] [REMOVED] acme: use tls-alpn-01 solver
2020/06/07 23:23:47 [INFO] [REMOVED] acme: Trying to solve TLS-ALPN-01
2020/06/07 23:23:48 [INFO] Unable to deactivated authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/[REMOVED]
```


The output from AuthURL:

```
{
  "identifier": {
    "type": "dns",
    "value": "[REMOVED]"
  },
  "status": "invalid",
  "expires": "2020-06-14T23:23:46Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/[REMOVED]",
      "token": "[REMOVED]",
      "validationRecord": [
        {
          "hostname": "[REMOVED]",
          "port": "443",
          "addressesResolved": [
            "104.27.181.57",
            "172.67.140.222",
            "104.27.180.57",
            "2606:4700:3035::681b:b539",
            "2606:4700:3034::681b:b439",
            "2606:4700:3033::ac43:8cde"
          ],
          "addressUsed": "2606:4700:3035::681b:b539"
        }
      ]
    }
  ]
}
```


Curl port 80:

```
$ curl -v http://[subdomain.mydomain.com]
* Rebuilt URL to: http://[subdomain.mydomain.com]/
*   Trying [server ip]...
* TCP_NODELAY set
* Connected to [subdomain.mydomain.com] ([server ip]) port 80 (#0)
> GET / HTTP/1.1
> Host: [subdomain.mydomain.com]
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< Server: Caddy
< X-Content-Type-Options: nosniff
< Date: Sun, 07 Jun 2020 23:52:13 GMT
< Content-Length: 59
<
404 Site [subdomain.mydomain.com] is not served on this interface
* Connection #0 to host [subdomain.mydomain.com] left intact
```


Curl port 443:

```
$ curl -v https://[subdomain.mydomain.com]
* Rebuilt URL to: https://[subdomain.mydomain.com]/
*   Trying [server ip]...
* TCP_NODELAY set
* Connected to [subdomain.mydomain.com] ([server ip]) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14004438:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert internal error
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14004438:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert internal error
```

Cloudflare SSL/TLS setting is:

> Your SSL/TLS encryption mode is Flexible
> Description: Encrypts traffic between the browser and Cloudflare

The other options are

To further complicate things, I'm not sure if just having an A record is sufficient for subdomains, and what other options I should be using for this. There's a Proxy mode, which I believe also enables the Cloudflare cache feature.

Currently I have:

| Type | Name | Content | TTL | Proxy status |
|------|------|---------|-----|--------------|
| A | * | [server ip] | Auto | DNS only |
| A | [mydomain.com] | [server ip] | Auto | DNS only |

Maybe related: Doing a port scan of the server after Tyger2 has started, ports 80 and 443 are not open. Possibly related to #20
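The authorization object quoted above already contains the diagnosis: the `validationRecord` shows the CA connected to `2606:4700:3035::681b:b539`, one of the Cloudflare edge addresses the name resolved to, not to `[server ip]`. Whatever terminates TLS at that address has to negotiate the `acme-tls/1` ALPN protocol for a TLS-ALPN-01 challenge to succeed, and a proxy that answers the handshake itself will not, so the origin never sees the challenge. The following Python is an added example written for this thread, not code from Tyger2, Caddy or lego. It reads an authz object of the shape served at AuthURL (RFC 8555 section 7.1.4), reports the failed challenge and whether the CA ever reached one of your origin addresses, and includes a local probe that offers only `acme-tls/1` to a listener to confirm the solver answers on :443. The sample authz, the hostname `app.example.com` and the origin address `203.0.113.10` are constructed placeholders; the edge addresses are the ones from the record above.

```python
"""Read a failed ACME authorization object and explain why TLS-ALPN-01 did not validate.

Added example for this thread, not code from Tyger2, lego or Caddy.
"""
import json
import socket
import ssl
from typing import Optional

# Constructed sample with the same shape as the authz object quoted in the issue;
# the redacted hostname and token are replaced with placeholders.
SAMPLE_AUTHZ = json.dumps({
    "identifier": {"type": "dns", "value": "app.example.com"},
    "status": "invalid",
    "expires": "2020-06-14T23:23:46Z",
    "challenges": [{
        "type": "tls-alpn-01",
        "status": "invalid",
        "error": {
            "type": "urn:ietf:params:acme:error:unauthorized",
            "detail": "Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge",
            "status": 403,
        },
        "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/PLACEHOLDER",
        "token": "PLACEHOLDER",
        "validationRecord": [{
            "hostname": "app.example.com",
            "port": "443",
            "addressesResolved": ["104.27.181.57", "172.67.140.222", "2606:4700:3035::681b:b539"],
            "addressUsed": "2606:4700:3035::681b:b539",
        }],
    }],
})


def diagnose(authz_json: str, origin_ips: set) -> dict:
    """Summarise the first failed challenge and whether the CA reached one of origin_ips."""
    authz = json.loads(authz_json)
    failed = [c for c in authz.get("challenges", []) if c.get("status") == "invalid"]
    if not failed:
        return {"identifier": authz["identifier"]["value"],
                "status": authz.get("status"), "hint": "no failed challenge"}
    ch = failed[0]
    err = ch.get("error", {})
    record = (ch.get("validationRecord") or [{}])[0]   # the connection the CA actually made
    used = record.get("addressUsed")
    reached_origin = used in origin_ips
    if not reached_origin:
        hint = (f"CA validated against {used}, which is not one of your origin addresses; "
                "a proxy or CDN terminating TLS there must negotiate acme-tls/1 itself, "
                "otherwise the origin never sees the TLS-ALPN-01 handshake")
    elif "acme-tls/1" in err.get("detail", ""):
        hint = "origin was reached but did not offer acme-tls/1: check the solver is listening on :443"
    else:
        hint = err.get("detail", "")
    return {
        "identifier": authz["identifier"]["value"],
        "challenge": ch.get("type"),
        "error_type": err.get("type"),
        "address_used": used,
        "addresses_resolved": record.get("addressesResolved", []),
        "reached_origin": reached_origin,
        "hint": hint,
    }


def probe_acme_tls_alpn(host: str, port: int = 443, timeout: float = 5.0) -> Optional[str]:
    """Offer only acme-tls/1 over TLS and return the protocol the server selected.

    "acme-tls/1" means the listener is ready for a TLS-ALPN-01 validation; None means
    the server refused the protocol or aborted the handshake. The challenge certificate
    is self-signed by design (RFC 8737), so chain verification is disabled here, while
    server_hostname still sends the SNI the solver keys on. Needs network access.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols(["acme-tls/1"])
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.selected_alpn_protocol()
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    import sys
    # 203.0.113.10 is a constructed origin address; pass your real origin IPs instead.
    print(json.dumps(diagnose(SAMPLE_AUTHZ, {"203.0.113.10"}), indent=2))
    if len(sys.argv) > 1:   # optional: python diag.py app.example.com
        print("ALPN selected:", probe_acme_tls_alpn(sys.argv[1]))
```

Run against the real authz JSON (`curl` the AuthURL from the log) with the origin's public addresses in `origin_ips`: a `reached_origin` of `False` points at DNS, the proxy toggle, or a stale resolver cache, while `True` plus an `acme-tls/1` error points at the solver not listening on the interface the CA reached.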

bugs181 commented 4 years ago

Was able to fix. Appeared to be a DNS caching issue on my end. Gotta love caches; the past few issues have been related to that. Another issue that I ran into is that my application had spaces in the name and this caused Caddy to not load properly.