I have received this email and I don’t know what to do:
Cloudflare has detected that your configuration is using our Authenticated Origin Pulls feature. Recently, we renewed the certificate that our edge network presents to your origin due to the upcoming expiration of the current certificate on January 11, 2020.
To ensure uninterrupted service, you need to update your origin server to authenticate with the new authenticated origin pull certificate anytime before January 11, 2020.
Same for me. This information, including the support/knowledge base page, doesn’t give me enough information about the multiple domains I use with Cloudflare.
I’m aware that we can check “Authenticated Origin Pulls” based on your picture by ourselves, but the problem is that some people will have multiple domains set up in Cloudflare, so the email is lacking which domain setup needs to be addressed.
Currently, we only have several ways:
Investing in an application which leverages the Cloudflare API, so it can automatically check the settings.
Checking the domain setup manually one by one.
As of now, we can’t raise ticket issues directly without selecting the specific domain which has the problem. This kind of ticket model is troublesome since the issues are general issues, not tied to a specific domain.
I hope Cloudflare itself checks on this topic and helps to clear up the problem.
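The first option mentioned in the post above, sketched as an added example (not part of the original thread and not Cloudflare's own code): it lists every zone an API token can read and reports the zone-level `tls_client_auth` setting, which is the Authenticated Origin Pulls switch. The `CF_API_TOKEN` environment variable name and the function names are assumptions made here; the token needs read access to zones and zone settings.

```python
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def cf_get(path, token):
    """GET a Cloudflare API v4 path and return the decoded JSON body."""
    req = urllib.request.Request(
        API + path, headers={"Authorization": f"Bearer {token}"}
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def zones_with_aop(token, get=cf_get):
    """Return {zone name: 'on' or 'off'} for every zone the token can read."""
    report, page = {}, 1
    while True:
        body = get(f"/zones?page={page}&per_page=50", token)
        if not body.get("success"):
            raise RuntimeError(f"zone listing failed: {body.get('errors')}")
        for zone in body["result"]:
            # tls_client_auth is the zone setting behind the dashboard switch.
            setting = get(f"/zones/{zone['id']}/settings/tls_client_auth", token)
            if not setting.get("success"):
                raise RuntimeError(f"{zone['name']}: {setting.get('errors')}")
            report[zone["name"]] = setting["result"]["value"]
        # Keep paging until the last page of the zone list has been read.
        if page >= body.get("result_info", {}).get("total_pages", 1):
            return report
        page += 1


if __name__ == "__main__":
    # CF_API_TOKEN is an assumed variable name, not something Cloudflare mandates.
    token = os.environ["CF_API_TOKEN"]
    for name, value in sorted(zones_with_aop(token).items()):
        print(f"{name}: Authenticated Origin Pulls {value}")
```

Only zones reported as `on` need a look at the origin server configuration; zones reported as `off` are unaffected by the certificate change.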
None of my domains have that setting turned on, so I guess it was a false positive email for telling me to update. Thanks for the assistance, @cloudstrife
I did this in Apache:
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /path/to/origin-pull-ca.pem
But how can I tell that it is working? They said "To ensure uninterrupted service, you need to update your origin server to authenticate with the new authenticated origin pull certificate anytime before January 11, 2020." But I can’t tell if I nailed it, or if there is more.
Problem 1) I have 4 sites on Cloudflare, a main one, 2 smaller sites and a domain. Which site is it referring to? There is no message in the Cloudflare dashboard?
Problem 2) I’m on a shared host. I can nearly categorically state they will not install anything. So I’m wondering how this came about that it needs to be reinstalled?
I’ve visited the SSL/TLS settings on my dashboard. Only 1 of the 4 sites mentions I have an origin server certificate, which expires in 2031; none of the other sites have this.
They all have Edge certificates as I’m using Cloudflare’s free SSL.
Could someone please help me with the above as I am lost!
You should be able to see which site is set up this way by going to SSL/TLS tab → origin server and seeing if “Authenticated Origin Pulls” is enabled. You can look at this for all of your domains to see if any of them are enabled.
Note that, since it’s shared hosting, I can almost guarantee that it’s not verifying the origin SSL certificate. What the feature does is make CF present a “TLS client certificate” to your server when establishing an HTTPS connection. The thing is, your server doesn’t stop working if this is turned ON but your server isn’t verifying it (i.e. you’ve never implemented authenticated origin pulls). Due to this, you should be fine when the certificate rollover happens since your server doesn’t care about the certificate.
I did indeed check out the four sites in my account and only one of them has an origin server certificate, whose expiry date is 2031. But “Authenticated Origin Pulls” is disabled.
I’m guessing this is where the issue (email) came from! I can’t quite recall why it’s set up on this domain like this other than I was probably trying to do the right thing when I set it up a few years back.
I’m guessing if I delete the certificate it won’t make any difference to the site?
Origin certificates are completely different from the Authenticated Origin Pulls feature, do not delete this certificate unless you know exactly what you are doing as there is no undo (nor any harm in leaving it).
If Authenticated Origin Pulls is already off on a site then you don’t need to do anything. If this switch is on, then maybe you need to do something, it depends on whether your origin server is enforcing this requirement or not – You can find out by temporarily turning the switch off (which will break the site, temporarily, if your server is enforcing this requirement) or waiting until the deadline (when you can’t just throw the switch back). Best case, check your server configuration or get someone in to check it.
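A way to answer "is my origin actually enforcing this?" without toggling the dashboard switch, as an added example that is not part of the original posts: connect straight to the origin without presenting any client certificate and see whether it still answers. The function names are made up here, and the IP address and hostname in the usage lines are placeholders for your own origin.

```python
import socket
import ssl


def tls_head(origin_ip, hostname, port=443, timeout=10):
    """Send HEAD / straight to the origin, presenting no client certificate.

    Returns the raw response bytes; raises OSError subclasses on failure.
    """
    ctx = ssl.create_default_context()
    # Only client-certificate behaviour is under test. The origin may serve a
    # Cloudflare Origin CA certificate that public roots do not trust.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            req = f"HEAD / HTTP/1.1\r\nHost: {hostname}\r\nConnection: close\r\n\r\n"
            tls.sendall(req.encode("ascii"))
            # With TLS 1.3 a missing client certificate is reported only after
            # the client's handshake has returned, so read before judging.
            return tls.recv(4096)


def probe_origin(origin_ip, hostname, fetch=tls_head):
    """Classify how the origin treats a client that has no certificate."""
    try:
        head = fetch(origin_ip, hostname)
    except ssl.SSLError as exc:
        return ("rejected", f"TLS failure: {exc}")
    except (ConnectionResetError, BrokenPipeError):
        return ("rejected", "connection dropped during or after the handshake")
    except OSError as exc:
        # Refused or timed out, e.g. a firewall that only admits Cloudflare.
        return ("inconclusive", f"could not reach origin: {exc}")
    if not head:
        return ("rejected", "connection closed without a response")
    # Any HTTP status line means the TLS layer let this client in.
    return ("accepted", head.split(b"\r\n", 1)[0].decode("latin-1"))


if __name__ == "__main__":
    # Placeholder values: substitute your origin's real IP and site hostname.
    print(probe_origin("192.0.2.10", "example.com"))
```

With a server-wide `SSLVerifyClient require` like the Apache lines posted earlier in the thread, an enforcing origin shows up as `rejected`, and the origin then needs the new origin-pull CA file before the deadline. `accepted` means the origin serves clients that present no certificate, so it is not enforcing Authenticated Origin Pulls.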
@dtheme
“Authenticated Origin Pulls” certificate is different from your server certificate. They are two different things. In your case you can just ignore the email (because your “Authenticated Origin Pulls” feature is disabled). The email is sent to everyone I think. Just ignore it.
May I ask if there is a simple way for setting this up in Plesk?
Is there already a “field” in Plesk where we can paste the new origin-pull-ca.pem or do I have to do that manually?
If I have to do that manually, this will not be persistent if I move to another server, as it does not get backed up and restored again, right?
Also: I have installed my SSL certs on my server with the origin_ca_rsa_root.pem and the part from the Origin Certificate:
This certificate is valid until 2034, I don’t get why anything is changing now and what benefit do we get from this?
Origin Pull Requests have been working before, why should it stop now?
Any good explanation on what is different now and who exactly has to take action and who not?
Pretty confused right now. If this was a problem all along, why do we get notified just now, and did it ever work properly before?
My knowledge level is low - so I am lost how to resolve the issue below.
An e-mail from Cloudflare today stated “… detected that your configuration is using our Authenticated Origin Pulls feature.”
And mentioned the “expiration of the current certificate” is on January 11, 2020. There was a requirement to “… update your origin server to authenticate with the new authenticated origin pull certificate”
There was also mention to: “For authenticated origin pulls to work, use Full SSL in the Cloudflare SSL/TLS app.”
Background: Last month the site had an Error 525 SSL handshake failure; the free web host recommended changing from “Full” to “Flexible” in order for the site to work, and this resolved the error.
The e-mail from Cloudflare also stated: Download origin-pull-ca.pem and place the certificate in a file on your origin web server, for example in /path/to/origin-pull-ca.pem
Then add these lines to the SSL configuration for your origin web server:
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /path/to/origin-pull-ca.pem
I haven’t any idea how to achieve the instructions given so any advice would be really helpful.
I checked people with similar issues: Authenticated Origin Pulls feature - #2 by wrburgess
But there weren’t enough instructions on how to achieve what is necessary or how to check if authenticated origin pulls are what the dashboard is set to.