Discussion Hetzner Cloud + Cloudflare = Error 521

friedrice

PG Version: 8.7.5
Server Type: Cloud - VPS
Hi guys

I'm having some access issues, namely error 521 at Cloudflare. CF telling me the web server is down is baffling me.

Can you please give me some pointers?

Setup
  1. Hetzner Cloud
  2. Ubuntu 18.04
  3. Own domain pointing to CF
  4. Cloudflare DNS / CDN via this guide https://github.com/PGBlitz/PGBlitz.com/wiki/CloudFlare

What I can do
  1. Access pgblitz and config via SSH
  2. Access apps like pgui and portainer via serverip : port

What I can't do
  1. Deploy Traefik. Issue somewhere, hit the limit.
  2. Access apps via app.mydomain or mydomain : port at all.
  3. Cloudflare gives error 521, web server down.

The strange thing is, it did work briefly as I was following the github guide through to completion.
 

friedrice

Cthe1 said:
If you hit the letsencrypt limit, you will have to wait a week for the limit to be lifted or use another domain.

https://letsencrypt.org/docs/rate-limits/

I hit the limit the first time I deployed PG, because I had a wrong setting in CF.

Thanks for your reply Cthe1

So, if I understand you correctly, are you saying that what I'm experiencing is normal behavior / to be expected when you fail to deploy Traefik?
 

Cthe1

Yes, if the error is because of the letsencrypt limit.
When you quit pgblitz you can see a warning, it should display a letsencrypt limit error. Is that correct?

Do you have a screenshot of the error?
 

friedrice

Yes, you're right, that's exactly what I'm seeing. Please find screenshots below.

[Screenshot: PGBlitz letsencrypt limit error]

[Screenshot: Access to portainer/other apps OK via IP address : port]

[Screenshot: No access to portainer/other apps via app.mydomain.com]
As I didn't initially get a 526 error on CF, I was afraid I had messed up more of the config than just Traefik.
 

Cthe1

Okay, it just looks like you hit the letsencrypt limit.
You can try again in one week or use another domain, and make sure that your CF settings are correct.

Have you made CNAMEs for all the subdomains or are you using a wildcard? (CloudFlare)
 

ninjaknock

Just don't take it for granted that you're having a letsencrypt error; find the cause of why Traefik is not deploying (failing to deploy too many times causes the letsencrypt issue, which leads to a 1 week delay). Check that you have the CF email and CF API key correct. Then keep the DNS delay at 90 seconds or 80 seconds for Cloudflare deployment. You can re-check all the above pointers and try again with a new domain, or the same domain in a week.

Edit: Also note, turn off the orange cloud for the portainer subdomain A record or CNAME during Traefik deployment; you can turn it back on after deploying.
 

friedrice

Sounds promising!

Ok, so I followed this guide to the letter:
(However, I can't yet perform step 3A, as far as I'm aware.)

Following that guide, I created records for apps as pictured below:


CF must've created the TXT record, because I didn't.
 

friedrice

Thanks for your reply ninjaknock

Re: CF email

This is just your account email, correct? If so, I've got all of those set.
However, the delay was set to the default (60 seconds?) the first few times I tried. Changing it to 90 was probably too little, too late on my part.

Re: Portainer

Just de-orange Portainer and only during Traefik deployment?

What's the logic behind this, so I can better understand? Is it because Traefik or letsencrypt can't activate while the server is behind the CF proxy? If so, do you need to do it any time you install a new app?
 

ninjaknock

Reason for orange cloud:
CF is pretty much a proxy for your server, so an IP change occurs when you turn on the orange cloud: whenever you visit portainer.domain.tld, its origin is not your server IP but a CF proxy IP; if you turn off the orange cloud, the origin becomes your main server. Helps better contact? Not sure about this part.
Main failing reason:
But yeah, the 60 second delay is why your deploy is failing; keep 80 or 90 and it should go fine after a week, or if you have another domain you can do it right now, no issues.
 

vFlagR

Just chiming in here to say that there's a website where you can check if you're running into your letsencrypt limit.


Put your domain in here, and if you see more than 5 requests for a cert in less than one week, then you will be blocked from creating a new one until 1 week after the first one was issued. E.g. if you request 2 certs on the 10th Sept and 3 on the 11th Sept, then you will have to wait till the 17th until you can create a new cert and deploy Traefik correctly.

As you can see from my screenshot, I had this problem a few weeks ago; this is what my list of certs looks like now:
[Screenshot: list of issued certs]
 
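As an added illustration of the one-week window vFlagR describes (example code, not from the thread or from PGBlitz): given the issuance timestamps you would read off such a certificate lookup, it reports how many issuances are left in Let's Encrypt's 7-day sliding window for an identical set of names and the earliest moment a new one would be permitted; the dates are constructed to match the 2-on-the-10th, 3-on-the-11th scenario above.

```python
from datetime import datetime, timedelta

# Let's Encrypt issues at most 5 certificates for an identical set of
# names per 7-day sliding window (the "duplicate certificate" limit).
DUPLICATE_CERT_LIMIT = 5
WINDOW = timedelta(days=7)


def issuances_in_window(issued, at, window=WINDOW):
    """Issuance times that still count against the limit at time `at`."""
    return sorted(t for t in issued if at - window < t <= at)


def remaining_attempts(issued, at, limit=DUPLICATE_CERT_LIMIT):
    """How many more duplicate certs could be issued at `at` (0 = blocked)."""
    return max(0, limit - len(issuances_in_window(issued, at)))


def earliest_issuance(issued, at, limit=DUPLICATE_CERT_LIMIT, window=WINDOW):
    """Earliest time >= `at` when a new duplicate cert would be permitted.

    Returns `at` when it is permitted immediately.  Otherwise the window
    must slide past the oldest of the newest `limit` issuances, because
    only then does the in-window count drop below the limit.
    """
    recent = issuances_in_window(issued, at, window)
    if len(recent) < limit:
        return at
    return recent[-limit] + window


# Constructed issuance log: 2 certs on 10 Sept and 3 on 11 Sept, the
# scenario from the thread (a real list would come from a CT lookup).
ISSUED = [
    datetime(2019, 9, 10, 9, 0),
    datetime(2019, 9, 10, 15, 0),
    datetime(2019, 9, 11, 8, 0),
    datetime(2019, 9, 11, 12, 0),
    datetime(2019, 9, 11, 18, 0),
]
NOW = datetime(2019, 9, 12, 10, 0)  # constructed "now": the next deploy attempt

if __name__ == "__main__":
    print("attempts left:", remaining_attempts(ISSUED, NOW))   # 0
    print("next allowed :", earliest_issuance(ISSUED, NOW))    # 2019-09-17 09:00:00
```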

friedrice

Ok awesome, thank you.

So once Traefik is deployed successfully, set portainer back to orange and all should be well.

Any thoughts on the random TXT record added by CF? (screenshot of DNS). I don't know whether to delete or leave it be :unsure:
 

vFlagR

I don't have any TXT records set up in CloudFlare, so it should be safe to just delete it. Maybe take a note of it, but if it's something that's being put there by a service then it'll do it again whenever it needs to.
 