🐛 Tunnel with mTLS - using Chrome (Mobile/Ubuntu) doesn't work
spinnaker1 opened this issue
Describe the bug
Using a cloudflared tunnel that requires a valid certificate (mTLS), since 2 weeks ago, Chrome v116.0.5845.187 (Ubuntu) has suddenly stopped working with certain ISP DNS servers.
If I use the ISP's (T-Mobile) DNS servers, the mTLS feature doesn't work. If I use AdGuard private DNS, it works without problems.
How the error looks:
Either the "choose certificate" popup dialogue doesn't open, or it opens but Cloudflare refuses the connection with an error: forbidden, 403, default Cloudflare page.
Same error in private mode. Fresh installation. No browser extensions. But using Firefox (Ubuntu) it works without problems, regardless of the DNS server used.
To Reproduce
Steps to reproduce the behavior:
- Configure a cloudflared tunnel that requires a valid mTLS certificate to connect
- Use Chrome (Ubuntu) or Chrome (Android) to open the website.
- See error
If it's an issue with Cloudflare Tunnel:
- Tunnel ID: tba
- cloudflared config: tba
Expected behavior
Open the "choose certificate" dialogue popup in Chrome and connect to the website, like it used to work about 2 weeks ago.
Environment and versions
- OS: Ubuntu Mate 22.04 LTS / Android 13
- Architecture: Server ARM64 (not soc raspberry)
- Version: latest
Logs and errors
no error in logs
Additional context
It used to work without any issues for months, until 2 weeks ago, when it suddenly stopped working. Only affecting the Chrome browser.
I found the issue and a solution. What's causing it is a default setting in Chrome:
Use DNS https alpn
When enabled, Chrome may try QUIC on the first connection using the ALPN information in the DNS HTTPS record. – Mac, Windows, Linux, ChromeOS, Android
chrome://flags/#use-dns-https-svcb-alpn
--> Set to Disabled to fix the Cloudflare Tunnel mTLS issues.
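The flag above makes Chrome read the `alpn` parameter of the hostname's DNS HTTPS record and, when it advertises `h3`, attempt QUIC (HTTP/3) on the first connection instead of TCP. The following is an added example, not code from the issue or from Cloudflare: a small parser for the HTTPS record wire format (RFC 9460, SVCB form) that extracts the ALPN list and IPv4 hints, so an operator can check what a resolver is actually handing to the browser. The RDATA samples are constructed in the block for illustration and are not captured from any real resolver.

```python
"""Parse DNS HTTPS (SVCB-form, RFC 9460) RDATA and report what ALPN it advertises.

Added example for the Chrome "Use DNS https alpn" discussion; not part of the
issue. The sample records below are constructed here, not captured from Cloudflare.
"""
import ipaddress
import struct

# SvcParamKeys used here (RFC 9460 section 14.3.2)
ALPN_KEY = 1
PORT_KEY = 3
IPV4HINT_KEY = 4


def parse_name(data, offset):
    """Decode an uncompressed DNS name; SVCB TargetName must not use compression."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not allowed in SVCB TargetName")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return (".".join(labels) + "." if labels else "."), offset


def parse_alpn_value(value):
    """alpn value is a sequence of length-prefixed protocol ids (e.g. b'\\x02h3')."""
    ids, i = [], 0
    while i < len(value):
        n = value[i]
        i += 1
        if i + n > len(value):
            raise ValueError("truncated alpn-id")
        ids.append(value[i:i + n].decode("ascii"))
        i += n
    return ids


def parse_https_rdata(rdata):
    """Return priority, target, alpn list, optional port and ipv4 hints of one HTTPS RR."""
    (priority,) = struct.unpack_from("!H", rdata, 0)
    target, offset = parse_name(rdata, 2)
    params, last_key = {}, -1
    while offset < len(rdata):
        key, length = struct.unpack_from("!HH", rdata, offset)
        offset += 4
        if key <= last_key:  # keys must be strictly increasing, else the RR is malformed
            raise ValueError("SvcParamKeys out of order")
        last_key = key
        value = rdata[offset:offset + length]
        if len(value) != length:
            raise ValueError("truncated SvcParam value")
        offset += length
        params[key] = value
    record = {"priority": priority, "target": target, "alpn": [], "port": None, "ipv4hint": []}
    if priority == 0:
        return record  # AliasMode: clients ignore SvcParams entirely
    if ALPN_KEY in params:
        record["alpn"] = parse_alpn_value(params[ALPN_KEY])
    if PORT_KEY in params:
        (record["port"],) = struct.unpack("!H", params[PORT_KEY])
    if IPV4HINT_KEY in params:
        hint = params[IPV4HINT_KEY]
        record["ipv4hint"] = [str(ipaddress.IPv4Address(hint[i:i + 4])) for i in range(0, len(hint), 4)]
    return record


def advertises_quic(record):
    """True when the ALPN list would let a browser try HTTP/3 over QUIC first."""
    return any(proto.startswith("h3") for proto in record["alpn"])


def build_https_rdata(priority, target_labels, svc_params):
    """Encode a ServiceMode/AliasMode HTTPS RR; used only to construct the samples."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in target_labels) + b"\x00"
    body = b"".join(struct.pack("!HH", k, len(v)) + v for k, v in sorted(svc_params.items()))
    return struct.pack("!H", priority) + name + body


# Constructed samples (not real resolver data): one advertising h3+h2, one h2 only.
SAMPLE_H3_RDATA = build_https_rdata(1, [], {
    ALPN_KEY: b"\x02h3\x02h2",
    IPV4HINT_KEY: ipaddress.IPv4Address("192.0.2.1").packed + ipaddress.IPv4Address("192.0.2.2").packed,
})
SAMPLE_H2_ONLY_RDATA = build_https_rdata(1, [], {ALPN_KEY: b"\x02h2"})

if __name__ == "__main__":
    for label, rdata in (("h3 sample", SAMPLE_H3_RDATA), ("h2-only sample", SAMPLE_H2_ONLY_RDATA)):
        rec = parse_https_rdata(rdata)
        print(label, rec, "-> browser may try QUIC first:", advertises_quic(rec))
```

To inspect a live record, feed the parser the raw RDATA of the HTTPS (type 65) answer for the tunnel hostname; if it lists `h3`, Chrome with the flag enabled will attempt QUIC first, which is the path the comment above identifies as breaking the client-certificate prompt.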