# RPC Endpoint SSL Issue - Summary

**Date**: 2026-01-04
**Endpoint**: `rpc.public-0138.defi-oracle.io`
**Issue**: SSL handshake failure (error 35)

---

## Current Status

### Test Results

```bash
# HTTP (port 80) - Redirects to HTTPS
curl rpc.public-0138.defi-oracle.io
# Result: 301 Moved Permanently → https://rpc.public-0138.defi-oracle.io/

# HTTPS (port 443) - SSL Handshake Failure
curl https://rpc.public-0138.defi-oracle.io
# Result: SSL handshake failure (error 35)
```

---

## Root Cause

**Multi-level Subdomain SSL Certificate Issue**

The hostname `rpc.public-0138.defi-oracle.io` is a **3-level subdomain**:

- Level 1: `rpc`
- Level 2: `public-0138`
- Level 3: `defi-oracle.io`

Cloudflare's **Universal SSL certificate** only covers:

- Apex domain: `defi-oracle.io` ✅
- One-level subdomains: `*.defi-oracle.io` ✅
- **NOT multi-level subdomains**: `rpc.public-0138.defi-oracle.io` ❌

---

## Configuration Status

### ✅ Correctly Configured

1. **DNS Record**: ✅ Proxied (orange cloud)
   - Type: CNAME
   - Target: `26138c21-db00-4a02-95db-ec75c07bda5b.cfargotunnel.com`
   - Proxy: Enabled

2. **Tunnel Configuration**: ✅ Correct
   - Tunnel ID: `26138c21-db00-4a02-95db-ec75c07bda5b`
   - Route: `rpc.public-0138.defi-oracle.io` → `http://127.0.0.1:80`
   - `noTLSVerify: true` (correct for HTTP origin)

3. **Nginx Configuration**: ✅ Correct
   - Routes HTTP → `127.0.0.1:8545`
   - Routes WebSocket → `127.0.0.1:8546`

### ❌ Missing Configuration

**SSL/TLS Certificate**: Multi-level subdomain not covered by Universal SSL

---

## Solutions

### Option 1: Enable Total TLS (Recommended)

**Total TLS** automatically issues individual certificates for proxied hostnames not covered by Universal SSL.

**Via Cloudflare Dashboard**:

1. Go to **SSL/TLS** → **Edge Certificates**
2. Scroll to the **Total TLS** section
3. Click **Enable Total TLS**
4. Wait 5-15 minutes for certificate issuance

**Via API** (if available):

```bash
# Note: API endpoint may vary, check Cloudflare API docs
# Total TLS has its own endpoint (/acm/total_tls); /ssl/universal/settings
# only toggles Universal SSL and does not enable Total TLS.
# ZONE_ID and TOKEN must be set in the environment before running this.
curl -X POST "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/acm/total_tls" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"enabled": true}'
```

### Option 2: Use Different Subdomain Structure

Change the DNS record to use a single-level subdomain:

- Current: `rpc.public-0138.defi-oracle.io` (3 levels)
- Alternative: `rpc-public-0138.defi-oracle.io` (2 levels) ✅

This would be covered by Universal SSL.

### Option 3: Upload Custom Certificate

Upload a custom SSL certificate that covers the multi-level subdomain.

---

## Recommended Action

**Enable Total TLS** in Cloudflare Dashboard:

1. This is the cleanest solution
2. Automatically handles all multi-level subdomains
3. No DNS changes needed
4. No certificate management required

---

## Verification

After enabling Total TLS, test the endpoint:

```bash
# Test HTTPS endpoint
curl -X POST https://rpc.public-0138.defi-oracle.io \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'

# Expected: {"jsonrpc":"2.0","id":1,"result":"0x8a"}
```

---

## Current Workaround

If you need immediate access, you can use the `--insecure` flag (not recommended for production):

```bash
curl --insecure -X POST https://rpc.public-0138.defi-oracle.io \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
```

**Note**: This bypasses SSL verification, so the server's identity is not checked, and it should only be used for testing.

---

**Last Updated**: 2026-01-04
**Status**: SSL certificate issue identified, Total TLS recommended
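
---

The coverage rule from the Root Cause section can be checked offline before choosing between Option 1 and Option 2. This is an added example, not part of the original summary: `san_matches` and `uncovered_hosts` are hypothetical helper names, the host list is constructed, and the matching follows the single-label wildcard rule of RFC 6125 rather than any Cloudflare API.

```bash
# Added example (not from the original page). Wildcard rule per RFC 6125:
# "*" stands for exactly one left-most DNS label.

# san_matches HOST PATTERN -> status 0 if PATTERN (exact or "*.name") covers HOST
san_matches() {
  local host pattern suffix label
  host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  pattern=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  host=${host%.}                          # drop a trailing root dot
  case "$pattern" in
    '*.'*)
      suffix=${pattern#??}                # strip the leading "*."
      label=${host%".$suffix"}            # part of HOST left of ".suffix"
      [ "$label" != "$host" ] || return 1 # HOST does not end in ".suffix"
      [ -n "$label" ] || return 1         # nothing in front of the suffix
      case "$label" in
        *.*) return 1 ;;                  # two or more labels: not covered
      esac
      return 0 ;;
    *)
      [ "$host" = "$pattern" ] ;;
  esac
}

# uncovered_hosts ZONE < hostnames
# Prints every hostname that neither ZONE nor *.ZONE covers.
uncovered_hosts() {
  local zone host
  zone=$1
  while IFS= read -r host; do
    [ -n "$host" ] || continue
    san_matches "$host" "$zone" || san_matches "$host" "*.$zone" ||
      printf '%s\n' "$host"
  done
}

# Constructed sample input: the apex, the Option 2 rename, and the failing name.
sample_hosts='defi-oracle.io
rpc-public-0138.defi-oracle.io
rpc.public-0138.defi-oracle.io'

printf '%s\n' "$sample_hosts" | uncovered_hosts defi-oracle.io
```

Feeding it the zone's full list of proxied hostnames shows which names need Total TLS, a rename, or a custom certificate.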