Common errors
This section covers the most common errors you might encounter when connecting resources with Cloudflare Tunnel. If you do not see your issue listed below, refer to the troubleshooting FAQ, view your Tunnel logs, or contact Cloudflare Support.
If you see this error when installing a remotely-managed tunnel, ensure that no other cloudflared
instances are running as a service on this machine. Only a single instance of cloudflared
may run as a service on any given machine. Instead, we recommend adding additional routes to your existing tunnel. Alternatively, you can run sudo cloudflared service uninstall
to uninstall cloudflared
.
If you are unable to save your tunnel's public hostname, choose a different hostname or delete the existing DNS record. Check the DNS records for your domain from the Cloudflare dashboard ↗.
If you encounter the following error when running a tunnel, double check your config.yml
file and ensure that the credentials-file
points to the correct location. You may need to change /root/
to your home directory.
To start using Cloudflare Tunnel, a super administrator in the Cloudflare account must first log in through cloudflared login
. The client will launch a browser window and prompt the user to select a hostname in their Cloudflare account. Once selected, Cloudflare generates a certificate that consists of three components:
- The public key of the origin certificate for that hostname
- The private key of the origin certificate for that domain
- A token that is unique to Cloudflare Tunnel
Those three components are bundled into a single PEM file that is downloaded one time during that login flow. The host certificate is valid for the root domain and any subdomain one-level deep. Cloudflare uses that certificate file to authenticate cloudflared
to create DNS records for your domain in Cloudflare.
The third component, the token, consists of the zone ID (for the selected domain) and an API token scoped to the user who first authenticated with the login command. When user permissions change (if that user is removed from the account or becomes an admin of another account, for example), Cloudflare rolls the user's API key. However, the certificate file downloaded through cloudflared
retains the older API key and can cause authentication failures. The user will need to login once more through cloudflared
to regenerate the certificate. Alternatively, the administrator can create a dedicated service user to authenticate.
This means the origin is using a certificate that cloudflared
does not trust. For example, you may get this error if you are using SSL/TLS inspection in a proxy between your server and Cloudflare. To solve this:
- Add the certificate to the system certificate pool.
- Use the
--origin-ca-pool
flag and specify the path to the certificate. - Use the
--no-tls-verify
flag to stopcloudflared
checking the certificate for a trust chain.
An error 1033 indicates your tunnel is not connected to Cloudflare's edge. First, run cloudflared tunnel list
to see whether your tunnel is listed as active. If it isn't, check the following:
- Make sure you correctly routed traffic to your tunnel (step 5 in the Tunnel guide) by assigning a CNAME record to point traffic to your tunnel. Alternatively, check this guide to route traffic to your tunnel using load balancers.
- Make sure you run your tunnel (step 6 in the Tunnel guide).
For more information, here is a comprehensive list of Cloudflare 1xxx errors.
This error occurs when cloudflared
does not recognize the SSL/TLS certificate presented by your origin. To resolve the issue, set the origin server name parameter to the hostname on your origin certificate. Here is an example of a locally-managed tunnel configuration:
This means that your cloudflared access
client is unable to reach your cloudflared tunnel
origin.
To diagnose this, you should look at the cloudflared tunnel
logs. A very often root cause is that the cloudflared tunnel
is unable to proxy to your origin (e.g. because the ingress is mis-configured, or the origin is down, or because the origin HTTPS certificate cannot be validated by cloudflared tunnel
).
If cloudflared tunnel
has no logs, it means Cloudflare Edge is not even able to route the websocket traffic to it.
There are a few different possible root causes behind the websocket: bad handshake
error:
-
Your
cloudflared tunnel
is either not running or not connected to Cloudflare Edge. -
WebSockets are not enabled. To enable them, go to
dash.cloudflare.com
> Network. -
Your Cloudflare account has Universal SSL enabled but your SSL/TLS encryption mode is set to Off (not secure). To resolve:
- On the Cloudflare dashboard for your zone, go to SSL/TLS > Overview.
- Ensure that your SSL/TLS encryption mode is set to either Flexible, Full or Full (strict).
-
Your requests are blocked by Super Bot Fight Mode. To resolve, make sure you set Definitely automated to Allow in the bot fight mode settings.
-
Your SSH or RDP Access application has the Binding Cookie enabled. To disable the cookie, go to Access > Applications and edit the application settings.
Long-lived connections initiated through the Cloudflare Zero Trust platform, such as SSH sessions, can last up to eight hours. However, disruptions along the service path may result in more frequent disconnects. Often, these disconnects are caused by regularly scheduled maintenance events such as data center, server, or service updates and restarts. If you believe these events are not the cause of disconnects in your environment, collect the relevant WARP logs and Tunnel logs and contact Support.
If cloudflared
returns error error="remote error: tls: handshake failure"
, check to make sure the hostname in question is covered by a SSL certificate. If using a multi-level subdomain, an advanced certificate may be required as the Universal SSL will not cover more than one level of subdomain. This may surface in the browser as ERR_SSL_VERSION_OR_CIPHER_MISMATCH
.
If your Cloudflare Tunnel logs returns a socket: too many open files
error, it means that cloudflared
has exhausted the open files limit on your machine. The maximum number of open files, or file descriptors, is an operating system setting that determines how many files a process is allowed to open. To increase the open file limit, you will need to configure ulimit settings on the machine running cloudflared
.
This buffer size increase is reported by the quic-go library ↗ leveraged by cloudflared ↗. You can learn more about the log message in the quic-go repository ↗. This log message is generally not impactful and can be safely ignored when troubleshooting. However, if you have deployed cloudflared
within a unique, high-bandwidth environment then buffer size can be manually overridden for testing purposes.
To set the maximum receive buffer size on Linux:
- Create a new file under
/etc/sysctl.d/
:
- In the file, define the desired buffer size:
-
Reboot the host machine running
cloudflared
. -
To validate that these changes have taken effect, use the
grep
command:
To ping an IP address behind Cloudflare Tunnel, your system must allow ICMP traffic through cloudflared
:
-
Ensure that
ping_group_range
includes the Group ID (GID) of the user runningcloudflared
.- To get the Group ID of the user, run
id -g
. - To verify the Group IDs that are allowed to use ICMP:
- Either add the user to a group within that range, or update the range to encompass a group the user is already in. To update
ping_group_range
:
- To get the Group ID of the user, run
-
If you are running multiple network interfaces (for example,
eth0
andeth1
), configurecloudflared
to use the external Internet-facing interface:
In your environment, modify the ping_group_range
parameter to include the Group ID (GID) of the user running cloudflared
.
By default the cloudflared
Docker container ↗ executes as a user called nonroot
inside of the container. nonroot
is a specific user that exists in the base image ↗ we use, and its Group ID is hardcoded to 65532.