
[Bug]: No available server when Cloudflare SSL/TLS policy is set to Full, with multiple domains #4804

Open
clho40 opened this issue Jan 11, 2025 · 11 comments
Labels
🐛 Bug Reported issues that need to be reproduced by the team. 🔍 Triage Issues that need assessment and prioritization.

Comments

@clho40
Contributor

clho40 commented Jan 11, 2025

Error Message and Logs

When deploying a WordPress application with MariaDB on a Coolify instance hosted on a VPS, using a Cloudflare-managed domain (def.com), browsing with SSL set to "Flexible" results in mixed content issues, while setting SSL to "Full" produces a "No available server" error.

Steps to Reproduce

  1. Set up a VPS with Coolify.
  2. Point two Cloudflare-managed domains (abc.com and def.com) to the VPS IP using A records.
  3. Configure the Coolify instance to use http://coolify.abc.com as its domain name.
  4. Create a new WordPress with MariaDB application on Coolify.
  5. Assign def.com as the domain name for the WordPress resource.
  6. Set Cloudflare SSL mode for def.com to "Flexible" and browse the site.
  7. Observed result: The site loads, but some scripts are served over HTTP, causing mixed content issues.
  8. Change Cloudflare SSL mode for def.com to "Full" and browse the site.
  9. Observed result: "No available server" error.

Example Repository URL

No response

Coolify Version

v4.0.0-beta.380

Are you using Coolify Cloud?

No (self-hosted)

Operating System and Version (self-hosted)

Ubuntu 24

Additional Information

No response

@clho40 clho40 added 🐛 Bug Reported issues that need to be reproduced by the team. 🔍 Triage Issues that need assessment and prioritization. labels Jan 11, 2025
@clho40
Contributor Author

clho40 commented Jan 12, 2025

New findings: I followed this guide: https://coolify.io/docs/knowledge-base/traefik/custom-ssl-certs

I have generated the .pem and .key files from Cloudflare, uploaded them to /data/coolify/proxy/certs as

  • somedomain.pem
  • somedomain.key

and in /data/coolify/proxy/dynamic, I have created a new file tls.yaml and added the following config:

tls:
  certificates:
    - certFile: "/data/coolify/proxy/certs/somedomain.pem"
      keyFile: "/data/coolify/proxy/certs/somedomain.key"

and I get the following error:

ERR Unable to append certificate /data/coolify/proxy/certs/somedomain.pem to store error="unable to generate TLS certificate : tls: failed to find any PEM data in certificate input" tlsStoreName=default

I have also tried renaming the extension from .pem to .cert, and I get the same error. I can confirm that the file has -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

@djsisson
Contributor

@clho40

  1. For some apps you need to set the domain to https if it can't be overridden inside the app; otherwise it passes back http links to content, hence the mixed content error.

  2. If you are behind a DNS proxy, you can use Full with https in your domains; it just means CF won't check your server cert (which will be the default Traefik cert, since HTTP challenges fail for domains behind a DNS proxy). Using Flexible just means it will only send requests as http, which brings you back to point 1.

  3. Traefik is using a volume mount, so if your certs are at that location, then in the dynamic file they need to be at /traefik/certs/somedomain.key in order for it to pick them up; then it's ok to switch to Full (strict).
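A small diagnostic for the two problems in this thread, the host-vs-container path in tls.yaml (point 3 above) and the "failed to find any PEM data" error from the earlier comment. This is an added example, not Coolify's or Traefik's code; it assumes the host directory /data/coolify/proxy is mounted at /traefik inside the proxy container, as described above, and uses constructed PEM stand-ins in place of real files.

```python
import base64
import re

HOST_PREFIX = "/data/coolify/proxy"  # where the files were uploaded on the VPS
CONTAINER_PREFIX = "/traefik"        # mount point inside coolify-proxy (assumed from the thread)
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def container_to_host(path):
    """Map a path as written in the dynamic config to the host path it resolves to (or None)."""
    if path.startswith(CONTAINER_PREFIX + "/"):
        return HOST_PREFIX + path[len(CONTAINER_PREFIX):]
    return None


def pem_labels(text):
    """Labels of the PEM blocks in text whose body is valid base64, i.e. real 'PEM data'."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            base64.b64decode("".join(body.split()), validate=True)
            labels.append(label)
        except ValueError:
            pass  # header present but body is not base64: a parser sees no PEM data
    return labels


def check_entry(cert_file, key_file, host_fs):
    """Findings for one tls.certificates entry; host_fs maps host paths to file contents."""
    findings = []
    for role, path, wanted in (("certFile", cert_file, {"CERTIFICATE"}),
                               ("keyFile", key_file, KEY_LABELS)):
        host_path = container_to_host(path)
        if host_path is None or host_path not in host_fs:
            # Traefik treats the string as inline PEM when no such file exists in the
            # container, so a wrong path surfaces as "failed to find any PEM data".
            findings.append(f"{role}: {path} not visible in container; use {CONTAINER_PREFIX}/certs/...")
            continue
        if not wanted & set(pem_labels(host_fs[host_path])):
            findings.append(f"{role}: {host_path} contains no usable {'/'.join(sorted(wanted))} block")
    return findings


if __name__ == "__main__":
    # Constructed stand-ins for the uploaded files (bodies are only base64 placeholders).
    fs = {"/data/coolify/proxy/certs/somedomain.pem":
          "-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n",
          "/data/coolify/proxy/certs/somedomain.key":
          "-----BEGIN PRIVATE KEY-----\nMIIE\n-----END PRIVATE KEY-----\n"}
    print(check_entry("/data/coolify/proxy/certs/somedomain.pem",
                      "/data/coolify/proxy/certs/somedomain.key", fs))  # the first tls.yaml above
    print(check_entry("/traefik/certs/somedomain.pem", "/traefik/certs/somedomain.key", fs))
```

The first call reports both paths as invisible to the container (the original tls.yaml), the second returns no findings once the /traefik prefix is used.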

@clho40
Contributor Author

clho40 commented Jan 13, 2025

@clho40

  1. For some apps you need to set the domain to https if it can't be overridden inside the app; otherwise it passes back http links to content, hence the mixed content error.
  2. If you are behind a DNS proxy, you can use Full with https in your domains; it just means CF won't check your server cert (which will be the default Traefik cert, since HTTP challenges fail for domains behind a DNS proxy). Using Flexible just means it will only send requests as http, which brings you back to point 1.
  3. Traefik is using a volume mount, so if your certs are at that location, then in the dynamic file they need to be at /traefik/certs/somedomain.key in order for it to pick them up; then it's ok to switch to Full (strict).

Hello, I think point 3 solved the issue. After changing the dynamic configuration to /traefik/certs/somedomain.key I don't get any error from the coolify-proxy container. However, I am still getting the "no available server" error when browsing the application with the Full (Strict) SSL policy on Cloudflare. What could be the reason?

@djsisson
Contributor

@clho40 Is your domain URL set to https in your project?

@ninode97

ninode97 commented Jan 13, 2025

Having the same problem.

Is there any way to handle it without:

3. Traefik is using a volume mount, so if your certs are at that location, then in the dynamic file they need to be at /traefik/certs/somedomain.key in order for it to pick them up; then it's ok to switch to Full (strict).

I am using Cloudflare and a Coolify remote server,
and Caddy as the reverse proxy.

If I host the application, it works on localhost.
But if I try to create a resource, it runs into an error: "SSL handshake failed".

Am I missing something? Do I need this "Cloudflare tunnels" feature?

Any help would be appreciated.

@MrLesk

MrLesk commented Jan 14, 2025

If you go full SSL including the origin certificates, the service port has to be 443, like below. This is not documented properly.

Image

@clho40
Contributor Author

clho40 commented Jan 14, 2025

@clho40 Is your domain URL set to https in your project?

Hi, that was the fix. Because I had been using the Flexible SSL policy on Cloudflare, I had to set my Coolify domain name to http to avoid being redirected too many times. After setting it to Full (Strict), I had to set the instance domain to https.

Thanks!

@Dercont

Dercont commented Feb 27, 2025

@clho40 How were you able to solve the issue with two domains (abc.com, abc.es) set on the same Coolify instance?
I'm still getting the "no available server" error, and both domains are managed by CF and set to Full (Strict).

@oribenez

oribenez commented Mar 14, 2025

@clho40 How were you able to solve the issue with two domains (abc.com, abc.es) set on the same Coolify instance? I'm still getting the "no available server" error, and both domains are managed by CF and set to Full (Strict).

Same here.
I get the "no available server" error for a couple of full page refreshes, and then the server works for a second, and then again...
This is like ping-pong for my services: some work and some don't, every couple of seconds.
If I look at the logs in Coolify, I see that all containers are up and running, so the issue is either with the certificates or with the proxy.

My setup:
Proxy: Traefik
Running the Cloudflared predefined container by Coolify with the appropriate token.
Image
DNS is set to Full (Strict)
DNS name is: CNAME, with "*" and targets to: <tunnel-id>.cfargotunnel.com
Certs added to the folder /data/coolify/proxy
Changed all resources to https://

Also I've been following the tutorial: https://coolify.io/docs/knowledge-base/cloudflare/tunnels/all-resource
and right after I've followed this: https://coolify.io/docs/knowledge-base/cloudflare/tunnels/full-tls

@djsisson
Contributor

@oribenez

What kind of deployment is giving you an issue?

If this is a compose-based deployment, make sure you do not define a network in the compose file.

@oribenez

oribenez commented Mar 15, 2025 via email
