Traefik and Encrypted Client Hello

Good day, for quite some time now I've been using Traefik with Cloudflare Tunnel to access my stuff remotely, which has been working well.
Lately Cloudflare started to push their Encrypted Client Hello (ECH) implementation to free plans, which seems to screw with Traefik's ability to select the certificate to serve.
With strict SNI enabled I now get unrecognized name errors from time to time in any browser I've used so far.
Traefik searches for a certificate matching cloudflare-ech.com, which is the encryption endpoint for the outer message part. More on the topic here.

It seems that Traefik, at least for now, is not able to dissect the Client Hello from the browser to get to the inner part of the message and in turn serve the correct certificate.

Is there anything I can configure to let the browser or Cloudflare know that this feature is not supported right now?
Furthermore, I actually would like to use this, but the issue on GitHub is still open.
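To make the "outer message part" concrete, here is an added example (not code from this thread or from the Traefik project) that builds a minimal ClientHello record and parses it the way a server that is not ECH-aware sees it: the only hostname visible in plaintext is the outer SNI, and the ECH extension (codepoint 0xfe0d from draft-ietf-tls-esni) carries the encrypted inner ClientHello with the real hostname. The HPKE fields and the ECH payload bytes are constructed placeholders, not a real encryption; the hostnames are constructed too.

```python
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_ECH = 0xFE0D  # encrypted_client_hello (draft-ietf-tls-esni)


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def build_client_hello(outer_sni: str, ech_payload: Optional[bytes]) -> bytes:
    """Construct a minimal TLS 1.3-style ClientHello record (constructed test input)."""
    sni_entry = b"\x00" + _u16(len(outer_sni)) + outer_sni.encode("ascii")  # host_name
    sni_ext = _u16(EXT_SERVER_NAME) + _u16(len(sni_entry) + 2) + _u16(len(sni_entry)) + sni_entry
    exts = sni_ext
    if ech_payload is not None:
        # ECHClientHello, type 0 = outer: HPKE cipher suite (kdf, aead), config_id,
        # enc (constructed placeholder bytes), then the encrypted inner ClientHello.
        ech_body = (b"\x00" + _u16(0x0001) + _u16(0x0001) + b"\x2a"
                    + _u16(32) + b"\x11" * 32
                    + _u16(len(ech_payload)) + ech_payload)
        exts += _u16(EXT_ECH) + _u16(len(ech_body)) + ech_body
    body = (b"\x03\x03" + b"\x00" * 32       # legacy_version, random (constructed)
            + b"\x00"                        # empty legacy_session_id
            + _u16(2) + b"\x13\x01"          # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                    # compression_methods: null
            + _u16(len(exts)) + exts)
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + _u16(len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Return the outer SNI and whether an ECH extension is present.

    Only the outer (plaintext) ClientHello is readable here. The inner
    ClientHello carrying the real hostname sits inside the ECH payload and
    cannot be decrypted without the matching ECH private key.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                  # skip legacy_version and random
    pos += 1 + body[pos]                          # legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                             # cipher_suites
    pos += 1 + body[pos]                          # compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("bad extensions length")
    result = {"sni": None, "ech": False, "ech_type": None}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if len(data) != elen:
            raise ValueError("truncated extension")
        if etype == EXT_SERVER_NAME:
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:                    # host_name
                    result["sni"] = data[q:q + nlen].decode("ascii")
                q += nlen
        elif etype == EXT_ECH:
            result["ech"] = True
            result["ech_type"] = "outer" if data and data[0] == 0 else "inner"
    if pos != end:
        raise ValueError("extension parse misaligned")
    return result


def certificate_lookup_name(record: bytes) -> str:
    """Hostname a server without ECH support would use for certificate selection."""
    return parse_client_hello(record)["sni"]


if __name__ == "__main__":
    ech_hello = build_client_hello("cloudflare-ech.com", b"\x55" * 64)
    print(parse_client_hello(ech_hello))
    print("cert lookup uses:", certificate_lookup_name(ech_hello))
```

Running it shows that the server side sees `cloudflare-ech.com` as the SNI and an ECH extension of type `outer`; a certificate store keyed on the inner hostname has nothing to match, which is the `unrecognized name` alert described above. A log check for the combination "ECH extension present and SNI equals the provider's public name" separates this condition from a genuinely unknown hostname.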

I've got the same issue.
It seems that Cloudflare has enabled ECH and there's no way to disable it (yet):

Starting in August, 2024, ECH will be gradually released on free zones. It will not be possible to disable it. A toggle will be added to the Cloudflare Dashboard at a later point before ECH is made available for other zone plans.

Weirdly for me the issue happens when I'm accessing the services locally (DNS is resolved to the private IP). In this case the traffic shouldn't go through Cloudflare, still Traefik tries to get the cert for cloudflare-ech.com - not sure why.

Anyway, a workaround for Firefox is to turn off ECH by disabling these in about:config:

  • network.dns.echconfig.enabled
  • network.dns.http3_echconfig.enabled

Leave a like on the issue to show your interest in the feature.

It seems, per this comment, that the client-side support will be released in February 2025 with Go version 1.24.
Until then we might have to rely on workarounds.


Until the server-side version is released, I switched back to TLS version 1.2, which fixed my problem.