On a clean HyperV Server 2019 (Workgroup: WORKGROUP, Computer name: Example), I’m trying to set up a Cloudflare certificate to make it work with Windows Admin Center. The steps I have done are the following:
On the Cloudflare domain, create (generate) an Origin Certificate (ECDSA) and set the SSL encryption mode to Full (strict).
Generate cert.pfx (using my personal computer):
openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.crt
Transfer cert.pfx to the server and import it with PowerShell using:
$CertificatePassword = ConvertTo-SecureString 'XXX' -AsPlainText -Force
Import-PfxCertificate -FilePath "D:\Certificate\cert.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $CertificatePassword
Finally, import the “cloudflare_origin_ecc.pem”:
Import-Certificate -FilePath "D:\Certificate\origin_ca_ecc_root.pem.crt" -CertStoreLocation Cert:\LocalMachine\Root
Connecting to https://example.com I get HTTP ERROR 400 most of the time, and in any case it can’t load resources (randomly). Take for example the WAC favicon at https://example.com/favicon.ico?v=1.0.0: it returns 400, but after refreshing the page about 10 times it works. Reloading it again, still 400.
When you connect to your server directly (bypassing Cloudflare) does the connection work, apart from the certificate warning (because of the origin certificate)?
If possible I prefer to leave the URL and IP address private, at least for now. Of course I will be happy to share the information with the support team if needed.
I noticed that on first connecting to the URL it always asks for the Windows Admin Center login, whether the cloud is orange or grey. And just after the authentication I get the 400 (only when proxied).
Ehm, that certificate appears to be an origin certificate; however, it hasn’t been signed by Cloudflare but apparently by your Avast installation. In that case it is difficult to say anything, as that might compromise the entire communication and could be the reason for that error.
If you can’t name the addresses in question, I am afraid I can only refer you to support.
If you feel comfortable with it, you could also run two tests (one with the hostname and one with the server IP) at sitemeer.com and post here the exact time when you ran them. Then I could try to dig it out and run some checks too.
I am able to connect; however, I get a basic authentication prompt. Maybe there is a 400 after that, but that’s something I can’t comment on as I don’t get past that.
Exactly, just after login I get the 400. Well, because I have to reinstall the entire server anyway once a solution is found, check this: https://pastebin.com/mzf1VGfZ.
I do get 400s via Cloudflare and 200s via a direct connection; however, even in the latter case everything is loading very, very slowly.
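A check that ties the import steps in the opening post to the issuer observation above, added here as an example and not code posted by anyone in the thread: it confirms that the certificate sitting in Cert:\LocalMachine\My is the one from the PFX, that its private key is present, that its issuer is the origin CA root that was imported, and that a chain builds to that root. It assumes the file paths used in the thread and prompts for the PFX password.

```powershell
# Added example, not from the thread: verify the imported WAC certificate.
# Assumes the paths from the thread; the PFX password is prompted for.
$pfxPath  = 'D:\Certificate\cert.pfx'
$rootPath = 'D:\Certificate\origin_ca_ecc_root.pem.crt'

# Load the PFX only to learn its thumbprint, then look that thumbprint up in the machine store
$pfxPassword = Read-Host -AsSecureString 'PFX password'
$pfx  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPassword)
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootPath)

$leaf = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $pfx.Thumbprint }
if (-not $leaf) { throw "No certificate with thumbprint $($pfx.Thumbprint) in LocalMachine\My" }
if (-not $leaf.HasPrivateKey) { Write-Warning 'Private key missing; WAC cannot use this certificate' }

# The leaf's issuer must be exactly the subject of the origin CA root that was imported.
# Any other issuer (for example an antivirus or corporate TLS-inspection CA) means the
# certificate exported from Cloudflare is not what ended up in the PFX.
"Subject: $($leaf.Subject)"
"Issuer : $($leaf.Issuer)"
if ($leaf.Issuer -ne $root.Subject) {
    Write-Warning "Issuer does not match the imported origin CA root ($($root.Subject))"
}

# Build the chain with the imported root as trust anchor. Origin CA roots are not publicly
# trusted, so the root is supplied explicitly and revocation checking is skipped.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
if ($chain.Build($leaf)) {
    'Chain OK: ' + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation.Trim())" }
}
```

An UntrustedRoot status here means the Import-Certificate step into Cert:\LocalMachine\Root did not take effect, which is a separate problem from an issuer mismatch.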
Could it be that you have some sort of rate limiting or sticky IP check? Connections via Cloudflare could come from different IP addresses. Could that be the issue?
At this point I’d recommend first checking the log files on your server for any related errors. My assumption would be that the 400s come straight from your server and you should be able to find the reason for them in your logs.
Hmm, just noticed it does not seem to be basic authentication but NTLM authentication. Could that maybe be the issue? Is there any way for you to temporarily disable authentication altogether?
You are looking at a clean installation of the server, so no rate limiting or sticky IP check. I only installed the Windows Server and performed the actions to install WAC and the certificate, nothing else. Mmm, well I think it’s not possible to disable authentication on WAC, arghh
I’ll try to take a look. Meanwhile, if you want, feel free to connect with the same credentials I sent you on pastebin via RDP (currently I’m in session, throw me out, no problem). Modify as needed. And thank you very much for the help you are giving me.