400 Bad Request - No required SSL certificate was sent

I am getting a 400 Bad Request (No required SSL certificate was sent) error when trying to access my subdomain (subdomain.domain.com).

  • I am using nginx/1.14.0 (Ubuntu) and have added the origin-pull-ca.pem from here https://support.cloudflare.com/hc/en-us/articles/204899617
  • I have generated the Edge Certificates and added them to the Nginx configuration file.
  • SSL/TLS encryption mode is Full
  • Authenticated Origin Pulls is ON
  • On turning Authenticated Origin Pulls OFF - I am able to access the website using https, however, when it is ON I am getting 400 Bad Request.

Authenticated Origin Pull doesn’t use a generated Edge Certificate. It needs a specific cert installed on the server.

https://support.cloudflare.com/hc/en-us/article_attachments/360044928032/origin-pull-ca.pem

Yes, I have used the one shared in the above link for ssl_client_certificate while I have used the Edge Certificate for ssl_certificate and ssl_certificate_key. Do I need to remove them?

Here is my configuration:

server {

    # SSL configuration
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl        on;
    ssl_certificate         /etc/ssl/certs/<edge_certificate_public>.pem;
    ssl_certificate_key     /etc/ssl/private/<edge_certificate_private>.pem;

    # TLS Authentication
    ssl_client_certificate /etc/ssl/certs/origin_pull_ca.crt;
    ssl_verify_client on;

    server_name <subdomain.domain.com>;

    root /var/www/html;
    index index.php;

    location / {
            try_files $uri $uri/ =404;
    }

}

Would appreciate any help!

That’s what I’ve used on my NGINX server. There should be something in the log that should explain the 400 error.
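
One way to make the log explain the 400, as an added example that is not from any poster in this thread: the server block posted above, with logging that records the outcome of client-certificate verification. The format name `aop_debug` and both log file paths are assumptions; the certificate paths and placeholders are the ones from the posted configuration.

```nginx
# http {} context: log_format is only valid at this level.
# "aop_debug" is a hypothetical format name chosen for this example.
log_format aop_debug '$remote_addr [$time_local] "$request" $status '
                     'sni=$ssl_server_name proto=$ssl_protocol '
                     'verify=$ssl_client_verify '
                     'subject="$ssl_client_s_dn" issuer="$ssl_client_i_dn"';

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name <subdomain.domain.com>;

    # Certificate the origin presents to the connecting peer.
    ssl_certificate         /etc/ssl/certs/<edge_certificate_public>.pem;
    ssl_certificate_key     /etc/ssl/private/<edge_certificate_private>.pem;

    # CA used to verify the certificate the connecting peer presents.
    ssl_client_certificate  /etc/ssl/certs/origin_pull_ca.crt;
    ssl_verify_client       on;

    # Per-server logs (paths are assumptions).
    # nginx records client-certificate rejections at "info" level,
    # so the default "error" level does not show them.
    error_log  /var/log/nginx/aop_error.log info;
    access_log /var/log/nginx/aop_access.log aop_debug;

    # Reading verify= on the lines with status 400:
    #   NONE           no client certificate was presented
    #                  (the "No required SSL certificate was sent" case)
    #   FAILED:reason  a certificate was presented but did not verify
    #                  against ssl_client_certificate
    #   SUCCESS        verification passed

    root /var/www/html;
    index index.php;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

The `$remote_addr` field on those lines shows which peer connected without a certificate.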
