400 Bad Request due to expired Origin Pull Certificate

I’ve just fallen prey to this:

Cloudflare has detected that your configuration is using our Authenticated Origin Pulls feature. Recently, we renewed the certificate that our edge network presents to your origin due to the upcoming expiration of the current certificate on January 11, 2020 .

To ensure uninterrupted service, you need to update your origin server to authenticate with the new authenticated origin pull certificate anytime before January 11, 2020 .

A site has gone down with a 400 Bad Request because the Origin Pull Certificate expired today. I’ve supplied my hosts with the updated origin-pull.ca.pem file and pointed them to the Apache/NGNIX settings they need to add to update the certificate.

But my hosts arer being criminally slow. In a bid to get the site back online, I quickly disabled the SSL/TLS > Origin Server > Authenticated Origin Pulls option. And I lowered my encryption mode from Full (Strict) to Full.

However the site is still displaying a 400 Bad Request. Is that normal behaviour? Surely I’m telling CF to ignore the CF Origin Pull Certificate on the origin server, while my hosts get their act together.

Any clues?

This is correct behaviour. When properly configured on the server, the server will reject any request that does not present the correct client certificate.

There is literally nothing you can do until the origin server’s configuration is updated.

Argh. And if I turned Origin Pull Requests Off it still wouldn’t make a difference because the server still has the old setting to the expired certificate? Nightmare.

In an emergency, I’d switch hosts. To someone not criminally slow. Or even see if you can clone your site within your host, then change the domain name so it’s on a new config.

I shudder to think about cloning it. It’s got an “above the root” set up that took a long time to set up with the current hosts. I’d hate to go through that again with them.

Ok…well, good luck.

This topic was automatically closed after 30 days. New replies are no longer allowed.