@PJTC
Hi,
I’m not an expert but I want to write a step-by-step guide to help all of you guys figure out the confusion.
You guys really really really need to read through this article and figure out what the ‘Authenticated Origin Pulls feature’ is:
https://support.cloudflare.com/hc/en-us/articles/204899617/
“I have 10000 sites, how do I know which site needs to renew the certificate?”
The answer is “you have to check them one by one yourself.”
What? Cloudflare should know which site needs to be reconfigured, shouldn’t it?
The truth is, neither CF nor other people know.
First things first,
‘Authenticated Origin Pulls’ certificate is NOT your web server certificate (A.K.A ‘Origin Certificates’)
‘Authenticated Origin Pulls’ certificate is NOT your web server certificate (A.K.A ‘Origin Certificates’)
‘Authenticated Origin Pulls’ certificate is NOT your web server certificate (A.K.A ‘Origin Certificates’)
Actually, you may need 4 steps to find out whether ‘Authenticated Origin Pulls feature’ is REALLY enabled.
Step 1:
Check your SSL/TLS encryption mode. If it’s been configured as ‘Full (strict)’, go to Step 2.
Otherwise just ignore the email.
Step 2:
Check the ‘Authenticated Origin Pulls’ button. If it’s enabled, go to Step 3.
Otherwise just ignore the email.
Step 3:
Check your web server configuration file.
For example, if you have NGINX running on your server, check nginx.conf.
If there are some lines like these:
ssl_client_certificate /your/configuration/path/origin-pull-ca.pem;
ssl_verify_client on;
then go to Step 4.
Otherwise just ignore the email.
Step 4:
Check whether your website can be accessed.
If you can access your website, that means ‘Authenticated Origin Pulls feature’ is REALLY enabled and you need to replace the old ‘origin-pull-ca.pem’ file with the new one:
https://support.cloudflare.com/hc/en-us/article_attachments/360044928032/origin-pull-ca.pem
Download it to your server and replace the old one. You can get the path of the old file from your web server configuration file (e.g. nginx.conf above). If you use other software like Apache or something else, google it.
If your website cannot be accessed, that means you want to enable this feature but some of your configuration is wrong, google & fix it.
Actually it’s the workflow of the installation of ‘Authenticated Origin Pulls feature’ as CF wrote in the article above.
This is why I suggest you guys read through the CF support article above. See, it really saves you time.
& this is why CF can’t tell you which site needs to replace the certificate in the email.
& this is why you need to check all of your sites even if you have 100000000000 sites, because you are the only one who knows whether the feature has been REALLY used.
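
Steps 3 and 4 above, scripted for a server that hosts many sites, as an added example that is not part of the original post. It assumes nginx with one site per `*.conf` file; the function names and the sample files are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes one site per *.conf file.

# Step 3: print "<conf file>\t<CA path>" for each config that sets both
# ssl_client_certificate and "ssl_verify_client on" (commented lines ignored).
aop_scan() {
    find "$1" -type f -name '*.conf' | sort | while IFS= read -r f; do
        awk -v file="$f" '
            { sub(/#.*/, "") }
            $1 == "ssl_client_certificate" { ca = $2; sub(/;$/, "", ca) }
            $1 == "ssl_verify_client" && $2 ~ /^on;?$/ { verify = 1 }
            END { if (verify && ca != "") printf "%s\t%s\n", file, ca }
        ' "$f"
    done
}

# Step 4 follow-up: of those, list configs whose CA file is missing or differs
# byte-for-byte from the newly downloaded origin-pull-ca.pem ($1).
aop_stale() {
    new_pem=$1
    aop_scan "$2" | while IFS="$(printf '\t')" read -r conf ca; do
        if [ ! -f "$ca" ] || ! cmp -s "$ca" "$new_pem"; then
            printf '%s\n' "$conf"
        fi
    done
}

# Constructed sample tree so the example runs offline; PEM contents are dummies.
aop_sample() {
    d=$(mktemp -d)
    printf 'OLD-CA\n' > "$d/old.pem"
    printf 'NEW-CA\n' > "$d/new.pem"
    printf 'server {\n  ssl_client_certificate %s;\n  ssl_verify_client on;\n}\n' "$d/old.pem" > "$d/a.conf"
    printf 'server {\n  ssl_client_certificate %s;\n  ssl_verify_client on;\n}\n' "$d/new.pem" > "$d/b.conf"
    printf 'server {\n  # ssl_verify_client on;\n  listen 443 ssl;\n}\n' > "$d/c.conf"
    printf '%s\n' "$d"
}

# Usage: sh aop_check.sh /path/to/new/origin-pull-ca.pem /etc/nginx
if [ $# -eq 2 ]; then aop_stale "$1" "$2"; fi
```

A config that this lists still has to pass the Step 1 and Step 2 checks in the Cloudflare dashboard, which the script cannot see.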