Authenticated Origin Pulls feature

Just had this email

Cloudflare has detected that your configuration is using our Authenticated Origin Pulls feature. Recently, we renewed the certificate that our edge network presents to your origin due to the upcoming expiration of the current certificate on January 11, 2020 .

To ensure uninterrupted service, you need to update your origin server to authenticate with the new authenticated origin pull certificate anytime before January 11, 2020 .

Can someone give a straightforward response on what actually needs doing, because Cloudflare took the time to send this email but couldn’t be bothered telling me/us… something simple like “do x on this page” etc.

1 Like

Exactly the same e-mail too, I don’t even know which site it refers to. :confused:

It tells us absolutely nothing, shocking way to fob customers off

The email from CF was too confusing, especially with that 30 days notice.
Anyone tried to fix this using #plesk / Is there a way to test if this configuration is working on Plesk?

Cloudflare sent the below message by email and I would like to know if anyone can advise on how to configure this on #plesk

Cloudflare has detected that your configuration is using our Authenticated Origin Pulls feature. Recently, we renewed the certificate that our edge network presents to your origin due to the upcoming expiration of the current certificate on January 11, 2020 .

To ensure uninterrupted service, you need to update your origin server to authenticate with the new authenticated origin pull certificate anytime before January 11, 2020 .

You can find the updated certificate and follow the instructions for updating popular origin servers in this Cloudflare Help Center article: https://support.cloudflare.com/hc/en-us/articles/204899617/

On Plesk, when adding SSL/TLS certificate, you get the below fields to fill:

Private key (*.key), which is mandatory.
Certificate (*.crt), which is mandatory.
CA certificate (*-ca.crt), which is not mandatory.

Where to add the origin-pull-ca.pem certificate to authenticate origin pulls? Also, if added, how to test if it is working?

1 Like


My status showing as above with Expires on 2034-12-07 and Origin pulls ON. Do I still need to replace my old PEM file with the new PEM??? Really confusing!!! If I need to replace the old file with the new “origin-pull-ca.pem” file, pls help me with a screenshot of where and how to insert the following lines. I’m using cPanel 11

SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /path/to/origin-pull-ca.pem

Help me…I’m completely novice but somehow was able to activate free SSL but this email now confusing me :frowning:

1 Like

Explicitly, in addition to this discussion in the linked instruction page it says above Apache & NGINX instructions… “Does not work with Railgun”. Railgun is a CF product we have deployed on multiple machines as a certified partner account holder. That said we can deploy the new cert but as it states it won’t work? Or worse, will it break if we DO or DO NOT deploy it?

Yeah I got this email as did my Centmin Mod LEMP stack users. So I wrote an auto renewal updater tool for my Centmin Mod LEMP stack users

./cf-authenticated-origin-cert-update.sh update
------------------------------
domain.com cloudflare authenticated origin cert expires in 23 days on 12 Jan 2020
updating domain.com cloudflare authenticated origin cert
at /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt
succesfully updated /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt
domain.com cloudflare authenticated origin cert now expires in 3604 days on 1 Nov 2029

Note, the instructions at https://support.cloudflare.com/hc/en-us/articles/204899617/ specific to Apache and nginx have an outdated download link

Download origin-pull-ca.pem

404 not found

curl -I https://support.cloudflare.com/hc/en-us/article_attachments/201243967/origin-pull-ca.pem
HTTP/1.1 404 Not Found
Date: Thu, 19 Dec 2019 12:00:08 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: __cfduid=d1a76e2b1e4a1532ae613d5dc1b4ffff71576756808; expires=Sat, 18-Jan-20 12:00:08 GMT; path=/; domain=.support.cloudflare.com; HttpOnly; SameSite=Lax
X-UA-Compatible: IE=edge
Cache-Tags: resource:article_attachments#show, pod:pod13
Strict-Transport-Security: max-age=259200;
X-Zendesk-User-Id: 
Cache-Control: no-cache
X-Zendesk-Origin-Server: help-center-unicorn-85d69d9988-kslvb
X-Request-Id: 547936e45e4ced77-SJC
X-Runtime: 0.027279
Protocol: HTTP/1.0
CF-Cache-Status: EXPIRED
Set-Cookie: __cfruid=bd8760c4a7553a53d64faa00a3b596040f652812-1576756808; path=/; domain=.support.cloudflare.com; HttpOnly
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 547936e45e4ced77-SJC

while end page link is updated and works properly

curl -I https://support.cloudflare.com/hc/en-us/article_attachments/360044928032/origin-pull-ca.pem
HTTP/1.1 200 OK
Date: Thu, 19 Dec 2019 12:03:57 GMT
Content-Type: text/plain
Connection: keep-alive
Set-Cookie: __cfduid=d8af8f10beae86439e1fd89f4903396081576757037; expires=Sat, 18-Jan-20 12:03:57 GMT; path=/; domain=.support.cloudflare.com; HttpOnly; SameSite=Lax
Cache-Control: max-age=10, public
Content-Disposition: attachment; filename="origin-pull-ca.pem"
x-amz-replication-status: COMPLETED
Last-Modified: Fri, 06 Dec 2019 18:00:59 GMT
ETag: W/"3f4e35a401722fbc9a2061330434c583"
x-amz-server-side-encryption: AES256
x-amz-version-id: 96nRyytRsbM_sFSxY5TqfLEkt8sBrmhH
Access-Control-Allow-Origin: *
CF-Cache-Status: REVALIDATED
Set-Cookie: __cfruid=13dfbf829e816ed8c90944ebb13ad1f885daf7cf-1576757037; path=/; domain=.support.cloudflare.com; HttpOnly
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 54793c7ad8395132-SJC

why can’t we have a central download link to make automation easier ?

1 Like

I got this too, we have 150+ websites on cloudflare I cannot check each one it would consume my life.

"Cloudflare has detected that your configuration is using our Authenticated Origin Pulls feature. "

Means you can tell us which servers it relates to.

Lemmie know.

I received an email saying

Cloudflare has detected that your configuration is using our Authenticated Origin Pulls feature. Recently, we renewed the certificate that our edge network presents to your origin due to the upcoming expiration of the current certificate on January 11, 2020 .

To ensure uninterrupted service, you need to update your origin server to authenticate with the new authenticated origin pull certificate anytime before January 11, 2020 .

You can find the updated certificate and follow the instructions for updating popular origin servers in this Cloudflare Help Center article: https://support.cloudflare.com/hc/en-us/articles/204899617/

I have no idea what to do or where to do it and the help article they send you to doesn’t help me either. looking for advice.

Thanks in advance

Hi folks, sorry for the issues here. I’m tracking this with Support and if you can contact them and let them know you received the email, please share your ticket number on this thread. To contact Cloudflare Customer Support, login & go to https://dash.cloudflare.com/?account=support and select get more help.

2 Likes

I have just been through all 38 domains on my account one at a time (that was fun) checking the SSL > Origin Server page and as I anticipated, the “Authenticated Origin Pulls” option was disabled on all of them.

So, can I and all others in my position conclude that this rather worrying message can be ignored?

Yes, I believe it can be and have asked the engineers for more detail as to why this was received. Apologies for the issues.

Edit - I received an update from the team: if you have Authenticated Origin Pulls disabled on the SSL/TLS app -> Origin Server tab, then no action is needed. If Authenticated Origin Pulls is enabled on that tab, this feature adds an extra verification on the SSL handshake to assure the request comes from Cloudflare.

If you have Authenticated Origin Pulls enabled for your domain, in order for it to be correctly configured, you need to download an “extra” certificate and install it in your webserver. From that point on your origin will try to validate the request from Cloudflare. It is this extra certificate that is now expiring and needs to be replaced following the instructions here, https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls?source=search.

PS - If you don’t update the pem on the origin server, but the feature is enabled and the extra certificate is not installed, nothing will happen. If this is the case, no action is needed and you can choose to disable the feature.

4 Likes

Could you tell me where exactly to install these on Apache via Control Panel, please!
I mean these lines:

SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /path/to/origin-pull-ca.pem

2 Likes

@cloonan
I already have an SSL on my site that I purchased elsewhere and it works. I added the CF TLS Certificate and the Private Key into WHM (which installed it).

  1. Do I still need to upload the .pem file some place?

  2. Do I need to install the below info and is this installed in the .htaccess file? If not, where is this added?

SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /path/to/origin-pull-ca.pem

I also got this email (I take it - everyone got this email!)

I’ve checked my sites using the advice on here - SSL > Origin Server - and all mine seem to be “off” anyway.

But now I’m actually thinking about using this feature. Good way for cloudflare to get everyone to read what this service is actually doing. Lol.

So basically as I understand, once enabled, and the correct files installed on the server, the server will then only directly let cloudflare access it.

1 Like

Hi @kevinjrape, you only need to add the pem file to your origin server if you have Authenticated Origin Pulls enabled on the SSL/TLS app -> Origin Server tab. If that’s not enabled, you don’t need this extra certificate on your origin server.

1 Like

@PJTC
Hi,
I’m not an expert but I want to write a step-by-step guide to help all of you guys figure out the confusion :slight_smile:

You guys really really really need to read through this article and figure out what the ‘Authenticated Origin Pulls feature’ is:

"I have 10000 sites, how do I know which site need to renew the certificate?"

The answer is "you have to check them one by one yourself."

What? CloudFlare should know which sites need to be reconfigured, shouldn’t it?

The truth is, neither CF nor other people know.

First thing first,

‘Authenticated Origin Pulls’ certificate is NOT your web server certificate (a.k.a. ‘Origin Certificates’)
‘Authenticated Origin Pulls’ certificate is NOT your web server certificate (a.k.a. ‘Origin Certificates’)
‘Authenticated Origin Pulls’ certificate is NOT your web server certificate (a.k.a. ‘Origin Certificates’)

Actually, you may need 4 steps to find out whether ‘Authenticated Origin Pulls feature’ is REALLY enabled.

Step 1:
Check your SSL/TLS encryption mode. If it’s been configured as ‘Full (strict)’, go to Step 2.
Otherwise just ignore the email.

Step 2:
Check the ‘Authenticated Origin Pulls’ button. If it’s enabled, go to Step 3.
Otherwise just ignore the email.

Step 3:
Check your web server configuration file.
For example, if you have NGINX running on your server, check nginx.conf.
If there are some lines like these:

ssl_client_certificate /your/configuration/path/origin-pull-ca.pem;
ssl_verify_client on;

then go to Step 4.
Otherwise just ignore the email.

Step 4:
Check whether your website can be accessed.
If you can access your website, that means ‘Authenticated Origin Pulls feature’ is REALLY enabled and you need to replace old ‘origin-pull-ca.pem’ file with new one:
https://support.cloudflare.com/hc/en-us/article_attachments/360044928032/origin-pull-ca.pem
Download it to your server and replace the old one. You may get the path of the old file from your web server configuration file (e.g. nginx.conf above). If you use other software like Apache or something else, google it.

If your website can not be accessed, that means you want to enable this feature but some of your configuration is wrong; google & fix it.

Actually it’s the workflow of the installation of ‘Authenticated Origin Pulls feature’ as CF wrote in the article above.

This is why I suggest you guys read through the CF support article above. See, it really saves your time.
& this is why CF can’t tell you which site needs to replace the certificate in the email.
& this is why you need to check all of your sites even if you have 100000000000 sites, because you are the only one who knows whether the feature has been REALLY used. :slight_smile:

saavy

4 Likes
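One way to run the post’s Step 3 across many vhosts at once and to get the “expires in N days” figure that the Centmin Mod updater output earlier in the thread prints, as an added example that is not from the original thread, from Cloudflare or from Centmin Mod. It scans a constructed nginx config for the AOP directives (a commented-out directive does not count, which is the trap in Step 3) and parses the `notAfter=` line that `openssl x509 -noout -enddate -in origin-pull-ca.pem` prints; the config, file paths and dates are constructed.

```python
import re
from datetime import datetime

# Directives the step-by-step post's Step 3 says to look for in nginx.conf.
_DIRECTIVE = re.compile(r"^\s*(server_name|ssl_client_certificate|ssl_verify_client)\s+([^;]+);")

def audit_nginx_aop(config_text):
    """One record per server {} block. Only a block with 'ssl_verify_client on'
    AND a CA file really enforces Authenticated Origin Pulls; comments are ignored."""
    blocks, current = [], None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0]                   # strip comments first
        if re.match(r"^\s*server\s*\{", line):        # start of a server block
            current = {"server_name": [], "ssl_verify_client": "off",
                       "ssl_client_certificate": None}
            blocks.append(current)
        m = _DIRECTIVE.match(line)
        if m and current is not None:
            key, val = m.group(1), m.group(2).strip()
            current[key] = val.split() if key == "server_name" else val
    for b in blocks:
        b["aop_enforced"] = (b["ssl_verify_client"] == "on"
                             and b["ssl_client_certificate"] is not None)
    return blocks

def days_until_expiry(enddate_line, today_iso=None):
    """Parse 'notAfter=Jan 12 00:00:00 2020 GMT' (openssl -enddate output) and
    return (days_left, 'D Mon YYYY'); today_iso is 'YYYY-MM-DD' or None for now."""
    today = datetime.fromisoformat(today_iso) if today_iso else datetime.now()
    expires = datetime.strptime(enddate_line.split("=", 1)[1].strip(), "%b %d %H:%M:%S %Y %Z")
    return (expires - today).days, f"{expires.day} {expires:%b %Y}"

# Constructed sample config: first vhost enforces AOP, second only has it commented out.
SAMPLE_NGINX_CONF = """server {
    server_name domain.com www.domain.com;
    ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt;
    ssl_verify_client on;
}
server {
    server_name other.example;
    # ssl_client_certificate /etc/nginx/origin-pull-ca.pem;
    ssl_verify_client off;
}"""

if __name__ == "__main__":
    for b in audit_nginx_aop(SAMPLE_NGINX_CONF):
        print(b["server_name"][0], "AOP enforced:", b["aop_enforced"], b["ssl_client_certificate"])
    print(days_until_expiry("notAfter=Jan 12 00:00:00 2020 GMT", "2019-12-20"))
```

Only the vhosts reported as enforced need the new origin-pull-ca.pem; for those, feed the path printed next to them to openssl to see how long the installed CA file is still valid.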

I managed to install the certificate on the IIS server and I have AOP enabled on Cloudflare for each domain. Now how can I check/test if my end-to-end connection is authenticated?

Thanks for your time. I didn’t find any file named nginx.conf in my origin web server but I have checked all conf files and nowhere found those lines “ssl_client_certificate /your/configuration/path/origin-pull-ca.pem; ssl_verify_client on;” :frowning: so I decided to stay in Full mode only, not in Full (Strict) mode. So as you said, in Full mode I should ignore that email…