Known issues when using Cloudflare DNS for custom status pages

This applies when you are trying to configure a custom domain for your status page using Cloudflare DNS. First make sure you created the correct DNS records as indicated by updown. If you changed them but updown keeps showing the previous value, keep in mind that we have to honor the TTL (Time To Live) specified in your DNS, so you may simply have to wait.

I just want to get it working

The simplest fix for almost any problem related to Cloudflare proxying is to disable it (the "orange cloud") in your DNS settings, so that the CNAME really points to updown servers directly and you eliminate any kind of Cloudflare-induced incompatibility:

screenshot of Cloudflare DNS proxy setting turned off

If for some reason you don't want to disable Cloudflare proxying for this status page, then you may encounter some of the following problems:

I'm getting an infinite redirection error

Example: status.mydomain.com redirected you too many times

The reason might be that you're using Cloudflare's "Flexible" TLS mode (found in the SSL/TLS section), which encrypts the connection on the client side (browser) while connecting to the backend server (updown) over plain HTTP. Updown then answers with a redirection to HTTPS, which is ignored by Cloudflare, thus causing an infinite redirection loop:

screenshot of Cloudflare SSL/TLS settings

If you can, use one of the Full modes instead. Of course, you shouldn't change this if your backend requires the Flexible configuration (e.g. it only supports HTTP): as far as we know this setting is global, so changing it will impact your whole domain. If you can't change this option, you'd better go back to the first option of disabling proxying for the status page.

I'm getting an "SSL handshake failed" Error (code 525)

If you are seeing this error, it means that you are running in Proxy mode but updown servers are not able to issue a TLS certificate for your domain, and so Cloudflare can't securely connect to the backend.

screenshot of Cloudflare SSL handshake failed error page

The most common reason is that you have a CAA record on your domain which limits the providers allowed to issue TLS certificates for that domain. Example:

> dig +short CAA google.com
0 issue "pki.goog"

Updown is using Let's Encrypt (letsencrypt.org) and ZeroSSL (sectigo.com) to issue free and automatic TLS certificates for your custom status pages, as reflected by the CAA present on page.updown.io:

> dig +short CAA page.updown.io
0 issue "letsencrypt.org"
0 issue "sectigo.com"

When using a regular CNAME (not proxied), the whole subdomain is delegated to updown.io DNS, so this CAA record is already present. For the whole process to work while using Cloudflare proxying (which hides the updown CAA record), you'll need to add that CAA record on your end, under the custom subdomain that you created for updown (no need to change your root CAA), with the same values as on page.updown.io. The end result should be:

> dig +short CAA status.example.com
0 issue "letsencrypt.org"
0 issue "sectigo.com"
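
An added example, not part of updown's documentation or code: a POSIX shell check that finds the CAA record set a CA would evaluate for a status-page name and prints which of the two CAs named above it does not authorize. It goes slightly beyond the text by climbing to parent domains when the name has no CAA of its own (RFC 8659); the function names `caa_lookup`, `relevant_caa`, `missing_cas` and all sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not updown's code): does CAA let updown's CAs issue for a name?
REQUIRED_CAS="letsencrypt.org sectigo.com"   # values from the page.updown.io CAA

# Constructed sample data standing in for DNS. On a live system replace the
# body with:  dig +short CAA "$1"
caa_lookup() {
    case "$1" in
        example.com|example.org) printf '0 issue "pki.goog"\n' ;;
        status.example.org)      printf '0 issue "letsencrypt.org"\n0 issue "sectigo.com"\n' ;;
        partial.example.org)     printf '0 issue "letsencrypt.org; validationmethods=http-01"\n' ;;
    esac                         # status.example.com: proxied, no CAA of its own
}

# Print the first non-empty CAA answer found while climbing from the name
# towards the root: the "relevant" record set a CA evaluates (RFC 8659).
relevant_caa() {
    name=${1%.}
    while [ -n "$name" ]; do
        # keep CAA lines only (dig +short also prints CNAME targets)
        rrset=$(caa_lookup "$name" | awk '/^[0-9]+ [a-z0-9]+ "/')
        if [ -n "$rrset" ]; then printf '%s\n' "$rrset"; return 0; fi
        case "$name" in *.*) name=${name#*.} ;; *) name= ;; esac
    done
}

# Print each required CA that the relevant CAA set does not authorize.
# Prints nothing when issuance is allowed, or when no "issue" record restricts it.
missing_cas() {
    issuers=$(relevant_caa "$1" | awk -F'"' '$1 ~ /^[0-9]+ issue $/ {
        v = $2; sub(/;.*/, "", v); gsub(/[ \t]/, "", v)   # drop parameters
        print (v == "" ? "-" : tolower(v))                # "-" = issue ";" (nobody)
    }')
    if [ -z "$issuers" ]; then return 0; fi
    for ca in $REQUIRED_CAS; do
        printf '%s\n' "$issuers" | grep -qxF "$ca" || printf '%s\n' "$ca"
    done
}

for host in status.example.com status.example.org partial.example.org; do
    printf '%s: missing [%s]\n' "$host" "$(missing_cas "$host" | tr '\n' ' ')"
done
```

In the sample data, status.example.com inherits the parent's restrictive CAA and lacks both CAs, while status.example.org carries its own records and passes without any change to the root CAA.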

Adrien Rey-Jarthon
Created on October 17, 2023 · Last update on January 20, 2024