Authenticated Origin Pulls feature

Hello Community.

I have received this email and I don’t know what to do:

Cloudflare has detected that your configuration is using our Authenticated Origin Pulls feature. Recently, we renewed the certificate that our edge network presents to your origin due to the upcoming expiration of the current certificate on January 11, 2020 .

To ensure uninterrupted service, you need to update your origin server to authenticate with the new authenticated origin pull certificate anytime before January 11, 2020 .

You can find the updated certificate and follow the instructions for updating popular origin servers in this Cloudflare Help Center article:


Same for me. This information, including the support/knowledge base page, doesn’t give me enough information about the multiple domains I use with Cloudflare.

I got this email too. If you have ever used ‘Authenticated Origin Pulls feature’. I think you need to follow ‘Installing on Apache and NGINX’ section to setup origin-pull-ca.pem file :

Question is my win8.1 tells me the origin-pull-ca.pem file’s CA is not trusted. Does anyone know why ?

If you never used this feature before, just ignore it. In my opinion this file can make sure only CloudFlare can visit your web service.

I have zero idea if I have ever used this feature and no idea how to find out.

goto your CloudFlare dashboard, and check if this button set to ‘enabled’.



I’m aware that we can check “Authenticated Origin Pulls” based on your picture by ourselves, but the problem is some people will have multiple domain setup in Cloudflare, so the email is lacking on which domain setup that need to be addressed.

As currently, we only have several ways,

  1. Investing on application which leverage Cloudflare API, so it can automatically check the settings.
  2. Checking the domain setup manually one by one.

Since now we can’t raise ticket issues directly without selecting specific domain which has the problem. This kind of ticket model is troublesome since the issues are general issues, not into specific domain.

I hope from Cloudflare itself check on this topic and help to clear the problem.


1 Like

None of my domains have that setting turned on, so I guess it was a false positive email for telling me to update. Thanks for the assistance, @cloudstrife

How can I tell if Authenticated Origin Pulls are working?

I got an email from CloudFlare saying to add " Authenticated Origin Pulls".

Here is their link:

I did this in Apache:
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /path/to/origin-pull-ca.pem

But how can I tell that it is working? They said " To ensure uninterrupted service, you need to update your origin server to authenticate with the new authenticated origin pull certificate anytime before January 11, 2020 ." But I can’t tell if I nailed it, or if there is more.



I received an email from Cloudflare stating my configuration is using Authenticated Origin Pulls feature - I had no idea I was, but ok!

They are requesting I update update my origin server to authenticate with the new authenticated origin pull certificate and give the link here

Problem 1) I have 4 sites on cloudflare, a main one, 2 smaller sites and a domain. Which site is it referring to? There is no message in the Cloudflare dashboard?

Problem 2) I’m on a shared host. I can nearly categorically state they will not install anything. So I’m wondering how this came about that it needs to be reinstalled?

I’ve visited the SSL/TSL settings on my dashboard. Only 1 of the 4 sites mentions I have an origin server certificate which expires in 2031 none of the other sites have this.

They all have Edge certificates as I’m using Cloudflare’s free SSL.

Could someone please help me with the above as I am lost!

Thank you.

You should be able to see which site is set up this way by going to SSL/TLS tab -> origin server and seeing if “Authenticated Origin Pulls” is enabled. You can look at this for all of your domains to see if any of them are enabled.

Note that, since it’s shared hosting, I can almost guarantee that it’s not verifying the origin SSL certificate. What the feature does is make CF present a “TLS client certificate” to your server when establishing a HTTPS connection. The thing is, your server doesn’t stop working if this is turned ON but your server isn’t verifying it (ie. you’ve never implemented authenticated origin pulls). Due to this, you should be fine when the certificate rollover happens since your server doesn’t care about the certificate.


Thank you for the clarification on this Judge.

I did indeed check out the four sites in my account and only one of them has an origin server certificate dated expiry is 2031. But “Authenticated Origin Pulls” is disabled.

I’m guessing this is where the issue (email) came from! I can’t quite recall why it’s set up on this domain like this other than I was probably trying to do the right thing when I set it up a few years back.

I’m guessing if I delete the certificate it won’t make any difference to the site?

Origin certificates are completely different from the Authenticated Origin Pulls feature, do not delete this certificate unless you know exactly what you are doing as there is no undo (nor any harm in leaving it).

If Authenticated Origin Pulls is already off on a site then you don’t need to do anything. If this switch is on, then maybe you need to do something, it depends on whether your origin server is enforcing this requirement or not – You can find out by temporarily turning the switch off (which will break the site, temporarily, if your server is enforcing this requirement) or waiting until the deadline (when you can’t just throw the switch back). Best case, check your server configuration or get someone in to check it.


“Authenticated Origin Pulls” certificate is different from your server certificate. They are two different things. In your case you can just ignore the email (because your “Authenticated Origin Pulls” feature is disabled). The email is sent to everyone I think. Just ignore it :slight_smile:


Thank you. This morning was one of those moments of panic :slight_smile: Thanks for ending it!

1 Like

May I ask if there is a simple way for setting this up in Plesk?
Is there already a “field” in Plesk where we can paste the new origin-pull-ca.pem or do I have to do that manually?

If I have to do that manually this will not be presistent if I move to another Servert as it does not get backupped and restored again, right?

Also: I have installed my SSL Certs on my Server with the origin_ca_rsa_root.pem and the Part from the Origin Certifiate:

This Certificate is valid untill 2034, I dont get why anything is changing now and what benefit we do get from this?
Origin Pull Requests have been working befor, why should it stop now?

Any good explanation on what is different now and who exactly have to take action and who not?

Pretty confused right now. If this was a problem since ever why does we get notified justn now and did it ever worked befor properly?

We have 53 domains on Cloudflare - is there a simple way to find out which domain is affected by this? Massive drain of time to do this one by one.

Right, it’s all about this feature. I use Let’s encrypt on all my websites and never used those origin certificates.

I had the same email. Urgh, sooo confusing. It doesn’t explain how to properly fix the issue.

My knowledge level is low - so i am lost how to resolve the issue below.

An e-mail from Cloudflare today stated “… detected that your configuration is using our Authenticated Origin Pulls feature.”
And mentioned the "expiration of the current certificate is on January 11, 2020 There was a requirement to “… update your origin server to authenticate with the new authenticated origin pull certificate”

There was also mention to: “For authenticated origin pulls to work, use Full SSL in the Cloudflare SSL/TLS app.”

Background: Last month the site had an Error 525 SSL handshake failure, the free web host recommended to change from “Full” to “Flexible” in order for the site to work and this resolve the error.

The e-mail from Cloudflare also stated: Download origin-pull-ca.pem and place the certificate in a file on your origin web server, for example in /path/to/origin-pull-ca.pem

Then add these lines to the SSL configuration for your origin web server:
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /path/to/origin-pull-ca.pem

I haven’t any idea how to achieve the instructions given so any advice would be really helpful.

Also the link on the instruction page was just a blank page in Safari and Chrome.

I checked people with similar issues: Authenticated Origin Pulls feature
But there wasn’t enough instructions how to achieve what is necessary or how to check if authenticated origin pulls are what the dashboard is set to.

Any ideas would be really welcome.