At 6:49 Denver/America time today I migrated the DNS nameservers to Cloudflare. This propogated quickly, but inadvertently I had set the SSL/TLS Encryption mode to Flexible, which resulted in Cloudflare attempting to encrypt traffic between itself and the server. But programming.dev already has its own certificate. Cloudflare expects http traffic to come from the origin server, not https, so when it received https it simply tried over and over again, resulting in failure to connect.
Switching the SSL/TLS setting to Full (Strict) fixed the issue. Sorry about that everyone! I’ll try to not break stuff that badly in the future.
Hypothetical: If we ever upgraded to http/3, how does Cloudflare handle this? My understanding is that http/3 can only use the https protocol, given QUIC transport underneath http/3 only supports TLS 1.3, and never clear text.
Would Cloudflare then have to proxy https with man-in-the-middle certs, or would our backend always be limited to http/1.2? I’ve not found and proxy examples for having end-to-end http/3 and QUIC support just yet.