I’m setting up a new Ghost instance and the installation went very well, but trying to enable Authenticated Origin Pulls has been a pain since yesterday. I believe I created and destroyed 5 hosts trying to make this work.
But whenever I enable “Authenticated Origin Pulls” on Cloudflare I receive the following error:
**Error 525 - SSL handshake failed**
The Cloudflare certificate (origin-pull-ca.pem) is imported as /etc/ssl/certs/cloudflare.crt
And on nginx domain-ssl.conf I inserted:
FWIW: I didn’t remove the ssl_certificate and ssl_certificate_key (LetsEncrypt).
FWIW²: I’m playing with two domains around this issue. On one of these domains I generated an Origin certificate but no luck as well.
I have to admit that I haven’t tested it with an SSL certificate other than a Cloudflare Origin CA certificate being generated at Cloudflare dashboard and then installed at my host/origin, while using Authenticated Origin Pulls.
What Nginx version are you running and you are running on Ubuntu right?
What is the response if you execute the below command (change your origin IP with your real one)?: curl -v --resolve joelteixeira.com:443:[your origin IP] https://joelteixeira.com
Also, have you got ca-certificates installed?
Which openssl version are you running (openssl version -a)?
Is the SSL certificate a valid one and not being expired?
Are both of the A www and A yourdomain.com (or CNAME?) being cloud?
My vhost file for mydomain looks like this below:
Allowed Cloudflare IP addresses to connect to my host/origin.
Checked and enabled SSL and 443 port at my host/origin.
Make sure it rewrites from HTTP to HTTP at host/origin too (while keeping non-www to www redirection).
Having generated a Cloudflare Origin CA certificate and installed it at my host/origin.
Enabled Authenticated Origin Pulls option and added an Authenticated Origin Pulls certificate too.
Enabled Full SSL (Strict) at Cloudflare dashboard.
Having both Always Use HTTPS and Automatic HTTPS Redirection enabled.
* Expire in 0 ms for 6 (transfer 0x7928b0)
* Added joelteixeira.com:443:[MY_IP] to DNS cache
* Hostname joelteixeira.com was found in DNS cache
* Trying [MY_IP]...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x7928b0)
* connect to [MY_IP] port 443 failed: Connection refused
* Failed to connect to joelteixeira.com port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to joelteixeira.com port 443: Connection refused
ca-certificates is already the newest version (20210119~20.04.1).
For some reason, only happens with the origin certificate.
It’s not, I’m keeping the Origin setting ON for now.
It works if I turn off together with the Origin Pulls and remove the ssl_client_certificate and ssl_verify_client lines from joelteixeira.com-ssl.conf.
I did not know this Mozilla tool, nice tip. Thank you again @fritexvz. I’ll play a little with it.
FWIW: The only modification after the deploy of this server was the ghost install process (and its dependencies). I’ll try to start a new one and set up SSL before installing ghost.
There are 2 errors actually, 403 and 525
Error 403: Forbidden
If you’re seeing a 403 error without Cloudflare branding, this is always returned directly from the origin web server, not Cloudflare, and is generally related to permission rules on your server. The top reasons for this error are:
1. Permission rules you have set or an error in the .htaccess rules you have set
2. Mod_security rules
3. IP Deny rules
Since Cloudflare can not access your server directly, please contact your hosting provider for assistance with resolving 403 errors and fixing rules. You should make sure that Cloudflare’s IPs aren’t being blocked.
Cloudflare will serve 403 responses if the request violated either a default WAF rule enabled for all orange-clouded Cloudflare domains or a WAF rule enabled for that particular zone. Read more at What does the Web Application Firewall do? Cloudflare will also serve a 403 Forbidden response for SSL connections to sub/domains that aren’t covered by any Cloudflare or uploaded SSL certificate.
If you’re seeing a 403 response that contains Cloudflare branding in the response body, this is the HTTP response code returned along with many of our security features:
Web Application Firewall challenge and block pages
Basic Protection level challenges
Most 1xxx Cloudflare error codes
The Browser Integrity Check
If you’re attempting to access a second level of subdomains (eg- *.*.example.com ) through Cloudflare using the Cloudflare-issued certificate, a HTTP 403 error will be seen in the browser as these host names are not present on the certificate.
If you have questions contact Cloudflare Support and include a screenshot of the message you see or copy all the text on the page into a support ticket.
Error 525: SSL handshake failed
525 errors are often caused by a configuration issue on the origin web server. Error 525 occurs when these two conditions are true:
The SSL handshake fails between Cloudflare and the origin web server, and
The cipher suites accepted by Cloudflare do not match the cipher suites supported by the origin web server
If 525 errors occur intermittently, review the origin web server error logs to determine the cause. Configure Apache to log mod_ssl errors. Also, nginx includes SSL errors in its standard error log, but may possibly require an increased log level.
Found it. It’s present on this file: /etc/nginx/snippets/ssl-params.conf
that is referenced on my domain-ssl.conf: include /etc/nginx/snippets/ssl-params.conf;
It seems it is something related to this, I’m still troubleshooting here but when I deleted all my domain.conf files and rebuilt them using the configuration that you kindly inserted on your first answer it worked. Trying parameter by parameter here to identify exactly what.
@AppleSlayer thank you for your input as well. I don’t know these configurations deeply and the bullets that you and @fritexvz are pointing out are extremely helpful.
While I don’t have any problems with CF Authenticated Origin Pulls myself, without knowing your setup, maybe better to ditch it and use a better alternative on offer from Cloudflare now - Argo Tunnels via CF Teams free subscription does what Authenticated Origin Pulls does to protect non-CF IP access to site once you configure your origin server firewall to block all non-CF IP traffic. I wrote a guide for Argo Tunnels at https://blog.centminmod.com/2021/02/09/2250/how-to-setup-cloudflare-argo-tunnel-on-centos-7/ for my users.
You can also try troubleshooting by changing temporarily to ssl_verify_client optional; (Module ngx_http_ssl_module) and restart nginx and retest via curl verbose request to your real server IP and see the header output.
You are proxying your Ghost app over a HTTP on a port and the outgoing port is 443, right?
I am a bit afraid about this one as it could be out of scope of this forums regarding the Nginx configuration at your host/origin.
But, at first, and in few tries as far as you have written, it actually works as you have it so close done within the stated as needed.
If we continue to reply I am not sure if you would manage to get it working without any assistance from someone else, because I do not see a Cloudflare issue here and seems to me it has nothing to do with Cloudflare so far.
I see you understand what you need to do, and you have set it up kind of good, just there are some misconfigurations in between.
I am sorry, but I have not yet used Ghost setup on Nginx over proxy_pass, and having a separate config for HTTP and HTTPS, so I really cannot provide any other better suggestion.
Kindly, may I ask if you can try adding some other domain and try to setup Cloudflare using Cloudflare Origin CA Certificate and enable the Authenticated origin Pulls for that domain and see how that works out and reply back here?
I mean not using Ghost, just a simple php file like “Hello world” if you can get it working with above stated?
I don’t have this code inside my file. You are right. The best from the beginning would be to set up a minimal environment just to validate this setting. After the deploy I just installed the dependencies and ran the ghost installer. Looks like the way it deploys the webserver is not the ideal indeed.
1 - It’s working now even without the Origin certificate. So in fact the Origin Pulls can work with the LetsEncrypt certificate that is auto generated during Ghost install.
2 - Better late than never. With all the help and support from you guys I finally know what was causing the handshake error. I did my best to restore everything exactly as it was at the beginning, and after changing one single line it worked:
Inside joelteixeira.com-ssl.conf I have this line: include /etc/nginx/snippets/ssl-params.conf;
and inside /etc/nginx/snippets/ssl-params.conf: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Exactly fritexvz. When I rebuilt a new configuration based on yours and it worked, I started to test every setting to understand exactly which one was affecting it. In a next opportunity I will be more careful to reference all related files. Thank you man.
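An added example, not part of the thread or of anyone's posted configuration: because the line that mattered here sat in an included snippet and not in the vhost file, this shell helper reads the output of `nginx -T` (the full configuration dump with includes expanded) and prints each TLS and client-certificate directive next to the file that sets it. The dump in `sample_dump` is constructed, and the `example.com` paths in it are assumptions.

```shell
#!/bin/sh
# Added example: show which file sets each TLS / client-auth directive.
# Feed it the text of `nginx -T` (full config dump with includes expanded).

tls_directives() {
    awk '
        # nginx -T introduces each file with "# configuration file <path>:"
        /^# configuration file / { file = $4; sub(/:$/, "", file); next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)          # drop indentation
            if (line ~ /^#/) next             # skip comment lines
            if (line ~ /^(ssl_protocols|ssl_ciphers|ssl_certificate|ssl_certificate_key|ssl_client_certificate|ssl_verify_client)[ \t]/) {
                sub(/;[ \t]*$/, "", line)     # drop trailing semicolon
                print file ": " line
            }
        }'
}

# Succeeds only when client certificates are both trusted and required.
# "ssl_verify_client optional" does not count: it lets cert-less clients in.
aop_enforced() {
    _d=$(tls_directives)
    echo "$_d" | grep -q ': ssl_client_certificate ' &&
        echo "$_d" | grep -q ': ssl_verify_client on$'
}

# Constructed sample of `nginx -T` output; the example.com paths are assumptions.
sample_dump() {
    cat <<'EOF'
# configuration file /etc/nginx/nginx.conf:
http {
    include /etc/nginx/sites-enabled/*;
}

# configuration file /etc/nginx/sites-enabled/example.com-ssl.conf:
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/example.com/fullchain.cer;
    ssl_client_certificate /etc/ssl/certs/cloudflare.crt;
    ssl_verify_client on;
    include /etc/nginx/snippets/ssl-params.conf;
}

# configuration file /etc/nginx/snippets/ssl-params.conf:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
EOF
}

sample_dump | tls_directives
```

On a live host the same functions take the real dump: `nginx -T 2>/dev/null | tls_directives`.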