Skip to content
Visit SSL on GitHub
Set theme to dark (⇧+D)


Check the logs

  • systemd: sudo journalctl -f -u gokeyless
  • upstart/sysvinit: sudo tail -f /var/log/gokeyless.log

Enable debug logging

$ cd /etc/keyless
$ sudo -u keyless gokeyless --loglevel 0

Browsers are seeing a TLS connection failure after trying to connect

  1. Make sure your key server is accessible from outside your network (tcp/2407)
  2. Provide a packet capture: $ sudo tcpdump -nni <interface> -s 0 -w keyless-$(date +%s).pcap port 2407

Clients are connecting, but immediately aborting

If you run gokeyless with debug logging enabled, and you see logs like this:

[DEBUG] connection reading half closed by client
[DEBUG] connection server closing connection
[DEBUG] connection removed
[DEBUG] spawning new connection:
[DEBUG] connection reading half closed by client
[DEBUG] connection server closing connection
[DEBUG] connection removed

It likely indicates that the key server is not using an appropriate server.pem file, and the client is aborting the connection after the certificate exchange. The certificate must be signed by the keyless CA, and the SANs must include the hostname of the keyless server. Here is a valid example for a keyless server located at (note the Subject Alternative Name and Authority Key Identifier:

$ openssl x509 -in server.pem -noout -text -certopt no_subject,no_header,no_version,no_serial,no_signame,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_aux | sed -e 's/^ //'
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Basic Constraints: critical
X509v3 Subject Key Identifier:
X509v3 Authority Key Identifier:
X509v3 Subject Alternative Name:
X509v3 CRL Distribution Points:
Full Name:

The gokeyless binary cannot load the CA file

Ensure that permissions are correct on all keys and certificates you have installed on the server.

Keyless is applying to hosts beyond what I want to test or use it for

You will need to either provide a certificate for only those hosts, or change the priority of the certificate in the Crypto app of your Cloudflare dashboard.

I want to run a key server on Windows

We currently only provide packages for the supported GNU/Linux distributions as per

However, the key server is open source so you may attempt to build and deploy a binary, but running on Windows is not a supported configuration so you may experience problems that we will not be able to help with.

Additional questions

Reach out to Cloudflare’s Enterprise Support, your dedicated Account Manager, or Solutions Engineer with additional questions, and we’ll be happy to answer them.