400 (Bad Request) with Cloudflare SSL on Windows Admin Center

On a clean HyperV Server 2019 (Workgroup: WORKGROUP, Computer name: Example), I’m trying to setup a Cloudflare certificate to make it work with Windows Admin Center. The steps I have done are the following:

  1. On Cloudflare domain create (generate) a Origin Certificate ECDSA and set the SSL encryption to Full (strict)
  2. Generate (using my personal computer) cert.pfx
    openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.crt
  3. Transfer the cert.pfx on server and import it with powershell using
    $CertificatePassword = ConvertTo-SecureString 'XXX' –asplaintext –force Import-PfxCertificate -FilePath "D:\Certificate\cert.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $CertificatePassword
  4. Install WindowsAdminCenter1910.msi setting certificate thumbprint
  5. Finally import the “cloudflare_origin_ecc.pem” Import-Certificate -FilePath "D:\Certificate\origin_ca_ecc_root.pem.crt" -CertStoreLocation Cert:\LocalMachine\Root

Connecting to https://example.com I get most of the time HTTP ERROR 400 and anyway it can’t load resources (randomly). Take for example favicon of WAC at https://example.com/favicon.ico?v=1.0.0 it returns 400, but after like 10 times of refreshing the page it works. Reloading it again still 400.

What’s wrong?

When you connect to your server directly (bypassing Cloudflare) does the connection work, apart from the certificate warning (because of the origin certificate)?

Yes, I confirm it work leaving the cloud grey (exactly, it work but with certificate warning). Putting again the orange cloud I get the 400

Considering you said your SSL mode is “Full strict” that shouldnt happen, especially not a 400.

At this point you’d need to post the URL (and preferably the server IP address), otherwise I could only refer you to support.

If possible I prefer to leave url and IP address private, at least for now. Of course I will be happy to share information to the support team if needed.

I noticed that on first connect to url it always asks for the Windows Admin Center login, both if cloud is orange or grey. And just after the authentication I get the 400 (just when proxied).

Actual situation is this:


Ehm, that certificate appears to be an origin certificate however hasnt been signed by Cloudflare but apparently by your Avast installation. In that case it is difficult to say anything as that might compromise the entire communication and could be the reason for that error.

If you cant name the addresses in question I am afraid I can only refer you to support.

Ops sorry :slight_smile: but also disabling Avast I have same situation with 400 when proxied.

Yes please refer me to support. Thanks.

https://support.cloudflare.com/requests/new :wink:

Thanks sandro, as soon as I discover the source of the problem I will update you

If you feel comfortable with it, you could also run two tests (one with the hostname and one with the server IP) at sitemeer.com and post here the exact time when you ran it. They I could try to dig it out and run some checks too.

Yep.

Request at 18.43.15

Request at 18.43.30

Will check it out soon. Give me 20 minutes.

I am able to connect, however I get a basic authentication prompt. Maybe there is a 400 after that, but thats something I cant comment on as I dont get past that.

Exactly, just after login I get the 400. Well, because I have anyway to reinstall entire server when solution found so check this https://pastebin.com/mzf1VGfZ.

I do get 400s via Cloudflare and 200s via a direct connection, however even in the latter case everything is loading very very slowly.

Could it be that you have some sort of rate limiting or sticky IP check? Connections via Cloudflare could come from different IP addresses. Could that be the issue?

At this point I’d recommend to first check the log files on your server for any related errors. My assumption would be the 400s come straight from your server and you should be able to find the reason for them in your logs.

Hmm, just noticed it does not seem to be basic authentication but NTLM authentication. Could that maybe be the issue? Is there any way for you to temporarily disable authentication altogether?

Just a wild guess :smile:

You are looking at a clean installation of the server, so no rate limiting or sticky ip check. I only installed the Windows Server and performed action to install WAC and the certificate, nothing else. Mmm, well I think it’s not possible disable authentication on WAC, arghh :slight_smile:

Any of these defaults maybe?

Anyhow, check the log files, I am somewhat confident they should contain some indicators as to why there is a 400.

I try to take a look. Meanwhile If you want, feel free to connect with the same credentials I sent you on pastebin in RDP (currently I’m in session, throw me out, no problem). Take modify if needed. And thank you very much for the help you are giving me.

Nothing. In Windows Event I can only see 200 request, there is no events about the 400.


For security I have re-entered the protections for the rdp access, if you will need it sandro let me know.

At this point I can only wait for a help from the Cloudflare support.