proxmox/reports/status/RPC_SSL_ISSUE_SUMMARY.md
defiQUG cb47cce074 Complete markdown files cleanup and organization
- Organized 252 files across project
- Root directory: 187 → 2 files (98.9% reduction)
- Moved configuration guides to docs/04-configuration/
- Moved troubleshooting guides to docs/09-troubleshooting/
- Moved quick start guides to docs/01-getting-started/
- Moved reports to reports/ directory
- Archived temporary files
- Generated comprehensive reports and documentation
- Created maintenance scripts and guides

All files organized according to established standards.
2026-01-06 01:46:25 -08:00


# RPC Endpoint SSL Issue - Summary
**Date**: 2026-01-04
**Endpoint**: `rpc.public-0138.defi-oracle.io`
**Issue**: SSL handshake failure (error 35)

---
## Current Status
### Test Results
```bash
# HTTP (port 80) - Redirects to HTTPS
curl rpc.public-0138.defi-oracle.io
# Result: 301 Moved Permanently → https://rpc.public-0138.defi-oracle.io/
# HTTPS (port 443) - SSL Handshake Failure
curl https://rpc.public-0138.defi-oracle.io
# Result: SSL handshake failure (error 35)
```
---
## Root Cause
**Multi-level Subdomain SSL Certificate Issue**
The hostname `rpc.public-0138.defi-oracle.io` is a **3-level subdomain**:
- Level 1: `rpc`
- Level 2: `public-0138`
- Level 3: `defi-oracle.io`
Cloudflare's **Universal SSL certificate** only covers:
- Apex domain: `defi-oracle.io`
- One-level subdomains: `*.defi-oracle.io`
- **NOT multi-level subdomains**: `rpc.public-0138.defi-oracle.io`
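
The coverage rule above, and the reason the flattened name in Option 2 works, shown as an added example that is not part of the original report: a wildcard stands for exactly one leftmost label. The function names and the two-entry SAN list are assumptions, built from the names this page lists for Universal SSL.

```bash
#!/bin/sh
# Added example (not from the original report): offline SAN coverage check.
# RFC 6125 rule: "*" is honoured only as the whole leftmost label and stands
# for exactly one DNS label, so "*.zone" never matches "a.b.zone".

# san_matches HOST SAN -> exit status 0 when SAN covers HOST
san_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names compare case-insensitively
    san=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$san" in
        \*.*)
            suffix=${san#\*.}                   # "*.example.io" -> "example.io"
            case "$host" in
                *."$suffix") label=${host%."$suffix"} ;;
                *) return 1 ;;
            esac
            case "$label" in
                ''|*.*) return 1 ;;             # empty, or more than one label
                *) return 0 ;;
            esac
            ;;
        *) [ "$host" = "$san" ] ;;              # non-wildcard SAN: exact match only
    esac
}

# universal_covers HOST -> prints "covered" / "NOT covered" for the two names
# this page says Universal SSL includes (assumed SAN list, taken from the page).
universal_covers() {
    for s in 'defi-oracle.io' '*.defi-oracle.io'; do
        if san_matches "$1" "$s"; then echo "covered"; return 0; fi
    done
    echo "NOT covered"
    return 1
}

for h in defi-oracle.io rpc.public-0138.defi-oracle.io rpc-public-0138.defi-oracle.io; do
    printf '%-34s %s\n' "$h" "$(universal_covers "$h")"
done
```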
---
## Configuration Status
### ✅ Correctly Configured
1. **DNS Record**: ✅ Proxied (orange cloud)
- Type: CNAME
- Target: `26138c21-db00-4a02-95db-ec75c07bda5b.cfargotunnel.com`
- Proxy: Enabled
2. **Tunnel Configuration**: ✅ Correct
- Tunnel ID: `26138c21-db00-4a02-95db-ec75c07bda5b`
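- Route: `rpc.public-0138.defi-oracle.io` → `http://127.0.0.1:80`
- `noTLSVerify: true` (acceptable for the current HTTP origin, where no origin TLS is negotiated; it would disable origin certificate verification if the origin moved to HTTPS)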
3. **Nginx Configuration**: ✅ Correct
- Routes HTTP → `127.0.0.1:8545`
- Routes WebSocket → `127.0.0.1:8546`
### ❌ Missing Configuration
**SSL/TLS Certificate**: Multi-level subdomain not covered by Universal SSL

---
## Solutions
### Option 1: Enable Total TLS (Recommended)
**Total TLS** automatically issues individual certificates for proxied hostnames not covered by Universal SSL.
**Via Cloudflare Dashboard**:
1. Go to **SSL/TLS** → **Edge Certificates**
2. Scroll to **Total TLS** section
3. Click **Enable Total TLS**
4. Wait 5-15 minutes for certificate issuance
**Via API** (if available):
```bash
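# Note: API endpoint may vary, check Cloudflare API docs
# Total TLS has its own endpoint; /ssl/universal/settings only toggles Universal SSL.
# ZONE_ID and TOKEN must be set in the environment before running this.
curl -X POST "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/acm/total_tls" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"enabled": true}'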
```
### Option 2: Use Different Subdomain Structure
Change DNS record to use a single-level subdomain:
- Current: `rpc.public-0138.defi-oracle.io` (3 levels)
- Alternative: `rpc-public-0138.defi-oracle.io` (2 levels) ✅
This would be covered by Universal SSL.
### Option 3: Upload Custom Certificate
Upload a custom SSL certificate that covers the multi-level subdomain.

---
## Recommended Action
**Enable Total TLS** in Cloudflare Dashboard:
1. This is the cleanest solution
2. Automatically handles all multi-level subdomains
3. No DNS changes needed
4. No certificate management required
---
## Verification
After enabling Total TLS, test the endpoint:
```bash
# Test HTTPS endpoint
curl -X POST https://rpc.public-0138.defi-oracle.io \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
# Expected: {"jsonrpc":"2.0","id":1,"result":"0x8a"}
```
---
## Current Workaround
If you need immediate access, you can use the `--insecure` flag (not recommended for production):
```bash
curl --insecure -X POST https://rpc.public-0138.defi-oracle.io \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
```
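**Note**: This bypasses SSL verification and should only be used for testing. The flag skips certificate validation only, so it does not help if the TLS handshake fails before a certificate is presented.

---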
**Last Updated**: 2026-01-04
**Status**: SSL certificate issue identified, Total TLS recommended