So just got back to this... so if it is parked on the bun you need to change the nameservers at cloudflare to actually get the domain to work. Without that step cloudflare can't do much with it. Cloudflare will tell you your own personal cloudflare nameservers, porkbun will have set them to theirs, so firstly find out what the nameservers are set to in cloudflare. Work through this guide

https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/

Once cloudflare has the nameservers and they are resolving, which can take 24 hours, you can then route through your tunnel or whatever...

I'm not familiar enough with Cloudflare's error messages

or deployment with Cloudflare

to know what exact behavior that corresponds to, but I'd guess that most likely it can open a TCP connection to port 443 on what it thinks is your server, but it's not getting HTTPS on that port or your server isn't configured to serve up the right certificate for that hostname or the web server software running on it is otherwise broken. Might be some sort of intervening firewall.

I don't know where your actual server is, may not even be accessible to me. But if you have a Linux machine that can talk to it directly -- including, perhaps, the server itself -- you should be able to see what certificate it's handing back via:

$ openssl s_client -showcerts -servername akaris.space IP-address-of-actual-server:443

That'll try to establish a TLS connection, will send the specified server name so that if you're using vhosting on the server, it knows which site to return, and then will tell you what certificate the web server used. Would probably be my first diagnostic step if I thought that there was a problem with the TLS handshake on a machine I was running.

That might provide enough information to you to let you resolve the issue yourself.

Beyond that, trying to provide much more information probably isn't possible without more information about how your server is set up and what actually is working. You can censor IP addresses if you want to keep that private.

How are you using Cloudflare, and what are you serving the lemmy instance on? I'm guessing it is due to the ssl mode chosen as said before

Set the SSL mode to "Full". Then go to "Rules" and create three rules. This is also the order in which they should be processed:

1.
Name: lemmy u all
Custom filter expression: URI path equals /u/*
All other options disabled.

2.
Name: lemmy nodeinfo all
Custom filter expression: URI path equals /nodeinfo/*
All other options disabled.

3.
Name: lemmy inbox all
Custom filter expression: URI path equals /inbox/*
All other options disabled.

This should get your instance running behind Cloudflare's tunnel.

*edited for formatting

https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/ you could use a less strict mode here