ARGO Tunnel - --origin-ca-pool

Starting tunnel tunnelID=0bbe8aaf-5994-4771-af33-958ff0bbf54f
Version 2021.2.2
GOOS: windows, GOVersion: go1.15.7, GoArch: amd64
Settings: map[hostname:pan.scspapps.co.uk url:https://localhost:8224]
cloudflared will not automatically update on Windows systems.
Initial protocol h2mux
Starting metrics server on 127.0.0.1:52783/metrics

cloudflared does not support loading the system root certificate pool on Windows. Please use --origin-ca-pool to specify the path to the certificate pool

We have flexible SSL so the data between browser and Cloudflare is encrypted. The certificate is on the webserver. The web server is Apache but that doesn't seem to make any difference as we get the same error message.

Can anyone advise what cert it's looking for and where the path would be?

Thanks

Hello @paul.howard ,

That is just a warning to let you know that cloudflared cannot automatically load the system pool of certificates in Windows (due to this limitation: crypto/x509: make SystemCertPool work on Windows? · Issue #16736 · golang/go · GitHub).
If that is a problem, then it is letting you know that you can use the flag --origin-ca-pool to specify the path to the pool to be used.
In most cases I would say that is not a problem/concern and if all is working for you, then the warning is not relevant in your case.


Hi, sorry, I've missed a vital component - the tunnel then doesn't connect.

Which error do you observe in cloudflared logs?

OK, I've run

.\cloudflared tunnel --logfile c:\cloudflare\log.log run panin

{"level":"info","tunnelID":"0bbe8aaf-5994-4771-af33-958ff0bbf54f","time":"2021-02-26T14:37:19Z","message":"Starting tunnel"}
{"level":"info","time":"2021-02-26T14:37:19Z","message":"Version 2021.2.2"}
{"level":"info","time":"2021-02-26T14:37:19Z","message":"GOOS: windows, GOVersion: go1.15.7, GoArch: amd64"}
{"level":"info","time":"2021-02-26T14:37:19Z","message":"Settings: map[hostname:pan.scspapps.co.uk logfile:c:\cloudflare\log.log url:http://localhost:8224]"}
{"level":"info","time":"2021-02-26T14:37:19Z","message":"cloudflared will not automatically update on Windows systems."}
{"level":"info","time":"2021-02-26T14:37:19Z","message":"Initial protocol h2mux"}
{"level":"info","time":"2021-02-26T14:37:19Z","message":"Starting metrics server on 127.0.0.1:56069/metrics"}
{"level":"info","time":"2021-02-26T14:37:19Z","message":"cloudflared does not support loading the system root certificate pool on Windows. Please use --origin-ca-pool to specify the path to the certificate pool"}
{"level":"info","connIndex":0,"time":"2021-02-26T14:37:21Z","message":"Retrying connection in 1s seconds"}
{"level":"info","connIndex":0,"time":"2021-02-26T14:37:23Z","message":"Retrying connection in 2s seconds"}
{"level":"info","connIndex":0,"time":"2021-02-26T14:37:26Z","message":"Retrying connection in 4s seconds"}
{"level":"info","connIndex":0,"time":"2021-02-26T14:37:31Z","message":"Retrying connection in 8s seconds"}

This is the log

It looks as if cloudflared cannot reach our edge.

Can you double check that it is possible to egress to our anycast advertised IPs on port 7844 (with the equivalent of a netcat command for Windows) as explained at the top of https://developers.cloudflare.com/cloudflare-one/faq/tunnel/ ?
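The two checks this thread boils down to, as an added PowerShell example that is not from the original posts or from Cloudflare: building a PEM file for --origin-ca-pool from a CA certificate already in the Windows store, and the Windows equivalent of the netcat test on port 7844. The CA thumbprint and the edge addresses are placeholders; take the addresses from the FAQ page linked above.

```powershell
# Added example, not from the thread. Assumptions: the CA that issued the
# origin's certificate is already in the Windows Root or CA store, and
# $EdgeHosts is filled in from the Cloudflare FAQ (placeholders here).
$CaThumbprint = 'PUT-YOUR-CA-THUMBPRINT-HERE'                  # placeholder
$PoolPath     = 'C:\cloudflare\origin-ca-pool.pem'
$EdgeHosts    = @('EDGE-IP-1-FROM-FAQ', 'EDGE-IP-2-FROM-FAQ')   # placeholders

# 1. Export the CA certificate as a PEM pool. cloudflared cannot read the
#    Windows system store, so this file is what it verifies the origin against.
$cas = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
       Where-Object { $_.Thumbprint -eq $CaThumbprint }
if (-not $cas) { throw "No certificate with thumbprint $CaThumbprint in Root/CA store" }

$pem = foreach ($c in $cas) {
    '-----BEGIN CERTIFICATE-----'
    [Convert]::ToBase64String($c.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
    '-----END CERTIFICATE-----'
}
Set-Content -Path $PoolPath -Value $pem -Encoding ascii
Write-Host "Wrote $(@($cas).Count) certificate(s) to $PoolPath"

# 2. Egress check: the tunnel needs outbound TCP 7844 to Cloudflare's edge.
#    A BLOCKED result here, not the root-pool warning, is what produces the
#    "Retrying connection" lines in the log above.
foreach ($h in $EdgeHosts) {
    $r = Test-NetConnection -ComputerName $h -Port 7844 -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'OPEN' } else { 'BLOCKED' }
    Write-Host ('{0,-20} tcp/7844 {1}' -f $h, $state)
}

# 3. Once both checks pass, run the tunnel with the pool and keep the log file:
# .\cloudflared tunnel --origin-ca-pool $PoolPath --logfile C:\cloudflare\log.log run panin
```

Put only the CA that actually issued the origin's certificate in this file: cloudflared uses it in place of the system store when verifying the origin, so anything added here is trusted for every origin the tunnel fronts.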