I wonder whether it’s possible to have Authenticated Origin Pulls activated on a website without having a certificate on the server side behind Cloudflare, and whether that’s recommended in case it is doable. The reason is that I have several websites that would need updated Letsencrypt certificates, and doing the task of updating each certificate by hand using gethttpsforfree.com has become tedious. Also doing the update via Letsencrypt Certbot is not an option since they log the IP from where the certificate has been requested.
Any help or comment would be very much appreciated.
Authenticated origin pulls are possible due to a TLS feature called client certificates, where CF will present its own TLS certificate to your server. Unfortunately this is tied to TLS itself so there’s no way to do this over HTTP (/flexible mode).
However, it’s generally fine to use either a CF Origin certificate or a self-signed certificate as the TLS certificate on your server if you don’t have any applications that bypass CF (such as an HTTP cron job on the same server; most of the time you won’t need to worry about this).
If you use an origin certificate, you can continue to use the “full (strict)” SSL mode that verifies the authenticity of your origin’s server certificate. If you use a self-signed certificate, you’ll have to use the non-strict “full” encryption mode that doesn’t verify the certificate’s authenticity.
If you use certbot issued LE certificates, you could solve something like a CF bypass by implementing authenticated origin pulls or firewalling connections based on the CF source IP. If this is not the issue you’re facing, reply back and there may be a better solution.
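As an added illustration of the setup described in this answer (not configuration from the original thread), here is an nginx server block that serves a Cloudflare Origin certificate for “full (strict)” mode and enforces Authenticated Origin Pulls by requiring Cloudflare’s client certificate. All file paths, the hostname and the backend address are placeholders you would replace with your own.

```nginx
# Added example, not from the original thread. Assumes nginx as the origin
# behind Cloudflare; every path, hostname and upstream below is a placeholder.
server {
    listen 443 ssl;
    server_name example.com;                        # placeholder hostname

    # Server-side certificate: a Cloudflare Origin certificate. Only the
    # Cloudflare edge needs to trust it, which is enough for "full (strict)".
    ssl_certificate     /etc/ssl/cloudflare/origin.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/cloudflare/origin.key;   # placeholder path

    # Authenticated Origin Pulls: require the TLS client certificate that
    # Cloudflare presents, verified against Cloudflare's origin-pull CA
    # (save that CA certificate at this placeholder path).
    ssl_client_certificate /etc/ssl/cloudflare/origin-pull-ca.pem;  # placeholder path
    # "on" rejects any connection without a valid client certificate with an
    # HTTP 400, so direct-to-origin requests that bypass Cloudflare fail.
    # "optional" (the weak setting) would let such requests through, so keep "on".
    ssl_verify_client on;

    # Note: anything on this host that calls https://example.com directly
    # (e.g. a local cron job) will also be rejected, as the answer warns.
    location / {
        proxy_pass http://127.0.0.1:8080;           # placeholder backend
    }
}
```

Reload nginx after placing the files, then confirm a request made straight to the origin IP without a client certificate is refused while the site still loads through Cloudflare.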