[Support] aeleos - cloudflared tunnels



6 hours ago, jimbohead said:

Running into the exact same issue. Thought it was a syntax error on my end, but I've been reading that others are also not getting a UUID. When navigating to the appdata folder, I can't see any json files, but also can't figure out how to delete the original (2) tunnels I created. 


Yeah I do get a .json file, but it’s just .json with no file name.

I was able to use another Linux machine, load the cloudflared docker, authenticate and delete my tunnels.

I then created a tunnel on that machine, got a uuid and even tried to copy that json file into my appdata folder, and relaunch the container in unRAID but it did me no good, as unRAID still didn’t pick up the tunnel.

Seems like a comms issue specifically from my server to Cloudflare in this case, but I’m not sure if that’s true, how to confirm it, or what to do about it.

At first I thought maybe the container could not write to the appdata directory, but cert.pem is there and seems to work just fine.

I also removed the container entirely, deleted its appdata files and folder and tried again from the top with the same result.

28 minutes ago, Gilgamesh said:

Yeah I do get a .json file, but it’s just .json with no file name.

I was able to use another Linux machine, load the cloudflared docker, authenticate and delete my tunnels.

I then created a tunnel on that machine, got a uuid and even tried to copy that json file into my appdata folder, and relaunch the container in unRAID but it did me no good, as unRAID still didn’t pick up the tunnel.

Seems like a comms issue specifically from my server to Cloudflare in this case, but I’m not sure if that’s true, how to confirm it, or what to do about it.

At first I thought maybe the container could not write to the appdata directory, but cert.pem is there and seems to work just fine.

I also removed the container entirely, deleted its appdata files and folder and tried again from the top with the same result.

Bummer. I also have a blank (hidden) .json file with no name. 

10 hours ago, jimbohead said:

Figured it out! There's a known issue with the latest version. Follow the updated guide here:

https://docs.ibracorp.io/all-guides-in-order/documentation/cloudflare-tunnel

 

So thankful for the UnRaid community to help me get this up and running overnight!

 

Sweet - step one complete, got the tunnels to create and mostly route over. Thank you a bunch!

 

I've read behind to try and solve this next one, as it seems to have bitten others in this thread. Here's what I get, whether I have noTLSVerify set or not based on the above posts.

 

2021-08-11T04:34:55Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: cannot validate certificate for 192.168.xxx.xxx because it doesn't contain any IP SANs" cfRay=blahblahsomestuffhere originService=https://192.168.x.xxx:MYSWAGPORT

 

CF DNS is set up with a CNAME routing myrootdomain.com to UUID.cfargotunnel.com

Subdomain is set up with mysubdomain.myrootdomain.com

 

I've also turned off my dynamic DNS docker for CF.

 

Here's my config.yaml - I'll comment out either one, neither works when it is the active option. Both give me the x509 error above. Looks like my containers are not responding, when they were when I had ports open on my router. I've also tried subdomain.myrootdomain.com under the originServerName tag.

 


tunnel: MYUUID
credentials-file: /home/nonroot/.cloudflared/MYUUID.json

# ingress:
#   - service: https://192.168.xxx.xxx:MYSWAGPORT
#     originRequest:
#       originServerName: myrootdomain.com

ingress:
  - service: https://192.168.xxx.xxx:MYSWAGPORT
    originRequest:
      noTLSVerify: true

 

Sigh.  Maybe I'm too dumb to pull this off.

 

Edited by Gilgamesh

Wanted to circle back in here and offer up the solution that I was able to make work after a few nights fighting this thing.

 

First, I reverted back to open ports on my router and set my CF DNS back to update dynamically and point to my public IP.  Tested that and could not get it to work. Once I did quite a bit of digging, I found that for some reason SWAG was being weird about my SSL certs. I think that was the root cause, and for some reason I could not get a cert to regenerate so I "unproxied" CF DNS.

 

After taking all those steps, I was able to get SWAG to regenerate my cert, and everything worked. Terrific!

 

After that, I stopped my Dynamic DNS container, started up cloudflared and confirmed I was into my previously created tunnel.

 

At that point, I removed the entirety of my CF DNS configuration, closed up my forwarding rules on my router and reset my CF DNS to route my root domain (@) to my Argo Tunnel, using a CNAME, and a second with my desired subdomain. Punched it all through and everything seems to work. I even get a CF page telling me to go pound sand when I try and access using the IP that a ping resolves to in a web browser.

 

I'm not sure if I had to take all those steps, or if I could have just tried to regen my SSL cert through the tunnel but it seems like SWAG had trouble authenticating my cert while I was proxied through CF for my DNS (no tunnel), and it worked after I turned that proxying off.

Edited by Gilgamesh
43 minutes ago, bilboswaggins said:

Did you ever figure out this error? Just like you everything seems to be working fine I just get that 'EOF' error. 

I was getting the same error. As best I can tell, something got funky on SWAG. When I redid everything from the top, it worked without that error. 
 

I’m 90% sure it was CF not liking the old SSL cert I had on SWAG. Try turning your tunnel off, reopening your ports, change your DNS up to your router and get SWAG to pull a new cert, then roll everything back on again?


To clarify for people - you do not need multiple tunnels, nor a large config to proxy several subdomains through an argo tunnel.

 

You can literally just have the config point at the IP/port of your proxy manager (NPM, SWAG, etc.) and add records for each subdomain in Cloudflare DNS as needed.

The key, however, with the current argo version is to turn TLS verify off in the config and set the SSL/TLS mode in Cloudflare to Full, otherwise there will be redirect issues.

Edited by boomam

Everything is working fine except that...

 

...my cloudflared log is flooded with this "ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF" cfRay=686d91c1b5ccd27e-DFW originService=https://NPM-IP:18443"

 

This is my config:

tunnel: XXX
credentials-file: XXX.json

#forward all traffic to Reverse Proxy w/ SSL and no TLS Verify#

ingress:
- service: https://NPM-IP:18443
  originRequest:
    noTLSVerify: true

 

Is there something that I am missing in the cloudflared config or is it the NPM end? :(

Edited by fishermanG
43 minutes ago, fishermanG said:

Everything is working fine except that...

 

...my cloudflared log is flooded with this "ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF" cfRay=686d91c1b5ccd27e-DFW originService=https://NPM-IP:18443"

 

This is my config:

tunnel: XXX
credentials-file: XXX.json

#forward all traffic to Reverse Proxy w/ SSL and no TLS Verify#

ingress:
  - service: https://NPM-IP:18443
    originRequest:
      noTLSVerify: true

 

Is there something that I am missing in the cloudflared config or is it the NPM end? :(

Mines same, I only checked having read this post as my tunnel has also been working fine. 


Try my solution below:


This is my error before:
error "2021-08-28T15:42:54Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is not valid for any names, but wanted to match <domain>" cfRay=<cfray>-SIN originService=https://<internal ip>:18443"

 

Then this is what I did.
1. Delete/revoke tunnel
2. Delete cloudflared
3. Delete all folders related to cloudflared
4. Delete all hosts & SSL certificates on NPM
5. Delete API tokens on the Cloudflare account (I found 2 tokens for Argo tunnel; I think that's why it was confused about how or which certificate to use. I think this is the trick)
6. Also delete the SSL Origin Server certificate and create a new one. Upload the custom SSL to NPM.
7. Then I just followed along all the steps on the video/blog post and it worked.

 

🤘

Edited by HHUBS
3 weeks later...

Note to all that come here for help with Argo Tunnel config.  

 

You should not use "noTLSVerify: true" for anything other than troubleshooting in your config.yaml.  It is less safe to leave this way.  

If you are having issues that this resolves in troubleshooting, it is fixable to be secure; don't stop there and use it just because it works.

 

Tips:

 

originServerName: domain.com 

^ rarely works correctly,  instead use:

originServerName: subdomain.domain.com 

^ use this that has a VALID CNAME record pointed to the root of the domain "@"

 

In my example config here:

 

tunnel: XXX
credentials-file: XXX.json

ingress:
  - service: https://proxydockerip:18443
    originRequest:
      originServerName: service.domain.ext

 

proxydockerip can be the docker name if you are using a custom docker network, or the IP of the docker that serves as your reverse proxy, like SWAG or NPM.

service.domain.ext is a valid CNAME of "service" pointed to "@" in the DNS of "domain.ext".

This allows cloudflared / CF Argo Tunnel to validate correctly.

 

 

 

Edited by fmp4m
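As an added example (not code from this thread, from cloudflared or from fmp4m), a small Python audit of an already-parsed config.yaml for the patterns boomam and fmp4m describe above: one catch-all rule to the reverse proxy, originServerName set to a subdomain that is actually on the origin cert rather than the bare root, and noTLSVerify left off outside troubleshooting. The sample config, the 192.168.1.10 address and the hostnames are constructed, and the "bare root" test is a simple dot-count heuristic.

```python
import ipaddress
from urllib.parse import urlsplit

ORIGIN = "https://192.168.1.10:18443"  # constructed reverse-proxy address (NPM/SWAG)
# Constructed sample: parsed form of a config.yaml mixing good and bad habits.
SAMPLE_CONFIG = {
    "tunnel": "MYUUID",
    "credentials-file": "/home/nonroot/.cloudflared/MYUUID.json",
    "ingress": [
        {"hostname": "nextcloud.domain.ext", "service": ORIGIN,
         "originRequest": {"originServerName": "nextcloud.domain.ext"}},
        {"hostname": "www.domain.ext", "service": ORIGIN,
         "originRequest": {"noTLSVerify": True}},
        {"service": ORIGIN, "originRequest": {"originServerName": "domain.ext"}},
    ],
}

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_ingress(config):
    """Return findings for the ingress patterns this thread ran into."""
    findings = []
    rules = config.get("ingress") or []
    if not rules:
        return ["no ingress rules defined"]
    if "hostname" in rules[-1]:
        findings.append("last rule must be a catch-all without a hostname")
    for i, rule in enumerate(rules):
        label = f"rule {i} ({rule.get('hostname', 'catch-all')})"
        origin = rule.get("originRequest") or {}
        if origin.get("noTLSVerify"):
            findings.append(f"{label}: noTLSVerify is on; keep it for troubleshooting only")
        service = rule.get("service", "")
        if not service.startswith("https://"):
            continue  # plain http or http_status: nothing for TLS to validate
        host = urlsplit(service).hostname or ""
        name = origin.get("originServerName")
        if _is_ip(host) and not name and not origin.get("noTLSVerify"):
            findings.append(f"{label}: TLS to IP {host} with no originServerName; "
                            "the origin cert would need an IP SAN to validate")
        if name and name.count(".") < 2:  # heuristic: bare root like domain.ext
            findings.append(f"{label}: originServerName {name!r} is the bare root; "
                            "use a subdomain that is on the origin cert")
    return findings
```

Running `audit_ingress(SAMPLE_CONFIG)` reports the noTLSVerify rule and the bare-root originServerName; a single https rule to an IP with no originRequest reproduces the "doesn't contain any IP SANs" situation from earlier in the thread.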

So I was using 2021.8.2 per the ibracorp docs. I updated to 2021.9.1 (the newest version) and it works just fine (at least it does after everything is set up). However, it seems this container doesn't actually report the version to Cloudflare. Does anyone else have this problem? Is there a fix? Notice the version shows as -- and a warning sign.

 

[screenshot]

1 hour ago, neruve said:

So I was using 2021.8.2 per the ibracorp docs. I updated to 2021.9.1 (the newest version) and it works just fine (at least it does after everything is set up). However, it seems this container doesn't actually report the version to Cloudflare. Does anyone else have this problem? Is there a fix? Notice the version shows as -- and a warning sign.

 

[screenshot]

 

I also posted this on the cloudflared github page and was informed this would be fixed in the next release. 

 

Sometimes I forget that a lot of the time you guys just create the unraid template and the containers used are the official ones or someone else's. So it makes sense to go to the container-maker for support.

Edited by neruve

Unable to access console.  Unable to find sh or the bash shell:

 

Error, I'm getting:

OCI runtime exec failed: exec failed: container_linux.go:367: starting container process caused: exec: "bash": executable file not found in $PATH: unknown

 

OCI runtime exec failed: exec failed: container_linux.go:367: starting container process caused: exec: "sh": executable file not found in $PATH: unknown

On 9/28/2021 at 8:13 AM, ceb0610 said:

For those getting spammed with "Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF" errors. I fixed the issue on my end by renewing my SSL Cert after the tunnel was up and running and restarting cloudflared.

 

[screenshot]

I'm using an origin cert on NPM, not a Let's Encrypt one, so renew the origin cert?

- I renewed the Cloudflare origin cert and updated NPM and all subdomains to the newly created cert. Still getting spammed errors?

- I was able to resolve this spamming error by removing any down or unused CNAMEs from CF.

Edited by Tolete
update
On 10/6/2021 at 3:30 PM, Tolete said:

I'm using an origin cert on NPM, not a Let's Encrypt one, so renew the origin cert?

- I renewed the Cloudflare origin cert and updated NPM and all subdomains to the newly created cert. Still getting spammed errors?

- I was able to resolve this spamming error by removing any down or unused CNAMEs from CF.

tried your solution, didn't work for me :( still x509 error when not using its own hostname for each subdomain


Hello all, after playing around I managed to get most of my servers routed through Cloudflared and even played with the Team function. All that's left is NextCloud. I'm struggling to get the NextCloud Android app to talk to the NextCloud server over Cloudflare and keep getting an SSL initialisation error.

I've tried,

- Using Lets Encrypt Cert as well as CF Origin Cert

- All the SSL/TLS encryption mode

- Disabled Performance and Security using rules.

 

NextCloud through the web page works fine, it's just the Android app that won't work. Anyone else managed to get it working through Cloudflared?

23 hours ago, LeoRX said:

Hello all, after playing around I managed to get most of my servers routed through Cloudflared and even played with the Team function. All that's left is NextCloud. I'm struggling to get the NextCloud Android app to talk to the NextCloud server over Cloudflare and keep getting an SSL initialisation error.

I've tried,

- Using Lets Encrypt Cert as well as CF Origin Cert

- All the SSL/TLS encryption mode

- Disabled Performance and Security using rules.

 

NextCloud through the web page works fine, it's just the Android app that won't work. Anyone else managed to get it working through Cloudflared?

I take that back... disabling Performance and Security using a page rule seems to do the trick. :)


Hello all,

Having a hard time setting this up. This has to be one of the most annoying things I have set up. Following the guide didn't work because Cloudflared tag:latest doesn't work or something just breaks.
The first time it didn't work I was getting Error 1016 Origin DNS error. I had to completely redo my setup and it finally ended up working (deleting everything like tunnels, DNS entries, edge certificate in Cloudflare, and other things). The only difference doing it the second time was adding the newest build in my tag. Now, it's broken again for whatever reason even though I haven't touched a thing. Anyone experiencing the following error? Now, I am getting the Error 502 Bad gateway and these log entries are coming up:

[screenshot]

2 weeks later...
On 9/28/2021 at 6:29 AM, neruve said:

So I was using 2021.8.2 per the ibracorp docs. I updated to 2021.9.1 (the newest version) and it works just fine (at least it does after everything is set up). However, it seems this container doesn't actually report the version to Cloudflare. Does anyone else have this problem? Is there a fix? Notice the version shows as -- and a warning sign.

 

[screenshot]

Hey guys,

Was going through the same trouble and stumbled on this post. Issue is resolved with using subdomains as others have mentioned. Cannot use the CNAME - WWW (www.yourdomain.com).

Also, you cannot use CNAME with nothing mapped to it. It will give the same error. For now version 2021.10.3 works as well.

 

Question - What application is this in the screenshot above? Please comment. Thanks in advance

Edited by Shomil Saini
adding www exception, version update
9 hours ago, Shomil Saini said:

Hey guys,

Was going through the same trouble and stumbled on this post. Issue is resolved with using subdomains as others have mentioned. Cannot use the CNAME - WWW (www.yourdomain.com).

Also, you cannot use CNAME with nothing mapped to it. It will give the same error. For now version 2021.10.3 works as well.

 

Question - What application is this in the screenshot above? Please comment. Thanks in advance

It is on the cloudflare website. dash.teams.cloudflare.com 

 

Then click Access>Tunnels

On 10/23/2021 at 7:44 AM, neruve said:

It is on the cloudflare website. dash.teams.cloudflare.com 

 

Then click Access>Tunnels

Oh, thanks a bunch. :) Is it a paid service as I only have a free account to tinker with.

I went to that site and it asks to create a domain and stuff. Just want to know what I am getting into.

 

Much Appreciated.

