Connection unsecure with Cloudflare Tunnel

[Life from Scratch]

Hello! I have Jellyfin running in a Proxmox container. I'm accessing it using a Cloudflare Tunnel and a separate container running Cloudflared. I'm stuck behind CGNAT so that seems like my best option. It works, but I'm getting a "connection not secure" warning and it's using HTTP. I thought Cloudflare was supposed to take care of that, but I guess not. Certbot and Let's Encrypt seem like the answer here, but since I'm not using a reverse proxy (technically Cloudflared is my reverse proxy) the documentation doesn't cover my situation. Any guidance is appreciated!

[TheDreadPirate]

Your connection is secure between your server and the cloudflare exit node. After your traffic leaves the exit node it is unencrypted.

[Life from Scratch]

The exit node being my Cloudclared container? That's what I figured was going on. So how do I get an SSL certificate to use HTTPS between the exit node and Jellyfin to get rid of the unsecured connection warning? All the documentation for using Certbot assumes that there's a webserver involved. Can I assume Jellyfin is running on Apache and just use those instructions?

[TheDreadPirate]

No. In cloudflare's infrastructure. But that doesn't change the fact that part of the connection is insecure.

No. Apache/Nginx/Caddy are separate apps from Jellyfin that you need to set up. Additionally, you will need a domain, or a free DDNS domain from DuckDNS.

Most people using containers will use something like Nginx Proxy Manager. It simplifies the setup process for beginners and automates certificate generation and renewal.

[Life from Scratch]

I can't use DDNS because I'm behind CGNAT. I tried. I've got a domain and all that set up. I can access it fine, but I'm still getting the insecure connection notice in the browser. So i have to set up a proxy using Apache/Nginx/Caddy whatever inside the container with Jellyfin just to get an SSL cert with Let's Encrypt to cover the connection between my Cloudflared container and my Jellyfin container? That seems annoyingly over complicated.

[TheDreadPirate]

CGNAT makes everything overly complicated for self hosting.