Cannot determine default origin certificate path

I am doing this tutorial: https://developers.cloudflare.com/workers/tutorials/postgres/

My repo is here: GitHub - coding-to-music/postgres-cloudflare-docker (Query Postgres from Workers using a database connector. Retrieve data in your Cloudflare Workers applications from a PostgreSQL database using the Postgres database connector)

cloudflared tunnel list

Shows I have some tunnels, such as

553f30e5-d691-4235-ad24-2a276c241caa blog

I have some config.yml

ls ~/.cloudflared/*.yml
/home/tmc/.cloudflared/config-blog-meme.yml  
/home/tmc/.cloudflared/config-dev-all.yml

I have a cert.pem file

ls ~/.cloudflared/*.pem
/home/tmc/.cloudflared/cert.pem  

Start the Postgres server


cd scripts/postgres

Example:


export TUNNEL_HOSTNAME=postgres-tunnel.example.com

I tried both of these:


export TUNNEL_HOSTNAME=553f30e5-d691-4235-ad24-2a276c241caa

export TUNNEL_HOSTNAME=blog

When I do call this:


docker-compose up

Output


cloudflared_1 | 2022-05-26T07:17:20Z INF Cannot determine default origin certificate path. No file cert.pem in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared] originCertPath=

cloudflared_1 | 2022-05-26T07:17:20Z ERR You need to specify the origin certificate path by specifying the origincert option in the configuration file, or set TUNNEL_ORIGIN_CERT environment variable. See https://developers.cloudflare.com/argo-tunnel/reference/service/ for more information. originCertPath=

cloudflared_1 | 2022-05-26T07:17:20Z INF Cannot determine default origin certificate path. No file cert.pem in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared] originCertPath=

cloudflared_1 | 2022-05-26T07:17:20Z ERR You need to specify the origin certificate path by specifying the origincert option in the configuration file, or set TUNNEL_ORIGIN_CERT environment variable. See https://developers.cloudflare.com/argo-tunnel/reference/service/ for more information. originCertPath=

cloudflared_1 | failed to create tunnel: couldn't create client to talk to Cloudflare Tunnel backend: Error locating origin cert: client didn't specify origincert path

You appear to be missing a credentials file. This file has the name <TUNNEL ID>.json and will have AccountTag, TunnelSecret and TunnelID, which you use with the cert to open the tunnel.

I was able to get all containers to come up with this compose file

version: '2.1'
services:
  postgresql:
    image: docker.io/bitnami/postgresql:11
    container_name: postgres_postgresql_1
    volumes:
      - 'postgresql_data:/bitnami/postgresql'
    environment:
      - 'ALLOW_EMPTY_PASSWORD=yes'
  pgbouncer:
    image: docker.io/bitnami/pgbouncer:1
    environment:
      - POSTGRESQL_HOST=postgresql
      - PGBOUNCER_AUTH_TYPE=trust
    depends_on:
      - postgresql
  cloudflared:
    image: cloudflare/cloudflared:2022.5.1
    volumes:
      - '~/.cloudflared:/etc/cloudflared'
    command: tunnel run -f --url tcp://pgbouncer:6432 <TUNNEL ID>
    depends_on:
      - pgbouncer
volumes:
  postgresql_data:
    driver: local

and a Cloudflared folder of

F:\git\cloudflared-minecraft> ls .\cloudflared\


    Directory: F:\git\cloudflared-minecraft\cloudflared


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         3/26/2022   4:16 PM            191 9f4bc2b6-2ccf-477b-9e57-f419140dacf9.json
-a----         9/19/2021   9:58 AM           1938 cert.pem
-a----         3/26/2022   4:41 PM            229 config.yml

Couple notes:

  • Having

      environment:
      - TUNNEL_HOSTNAME=${TUNNEL_HOSTNAME}
    

    Will trigger a warning of "The property 'hostname' in your configuration is ignored because you configured a Named Tunnel in the property 'tunnel' to run. Make sure to provision the routing (e.g. via 'cloudflared tunnel route dns/lb') or else your origin will not be reachable. You should remove the 'hostname' property to avoid this warning." So you can remove that.

  • You are not using a config file. cloudflared expects a config.yml file, but you can set it with --config </path/to/config>


Ok cool I’ll look later when I’m at the computer. Thanks much

Here is my ~/.cloudflared directory contents:

-rw--w----  1 tmc tmc  161 May 26 05:57 b98f6dff-6605-43c4-b83a-2315e409920c.json
-rw-rw-r--  1 tmc tmc  155 May 26 05:57 config-dev-all.yml
-rw-rw-r--  1 tmc tmc  155 May 26 05:15 config-blog-meme.yml
-rw--w----  1 tmc tmc  161 May 26 04:59 553f30e5-d691-4235-ad24-2a276c241caa.json
-rw-------  1 tmc tmc 1938 May 26 04:57 cert.pem

The error message says:

cloudflared_1 | 2022-05-26T07:17:20Z INF Cannot determine default origin certificate path. No file cert.pem in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared] originCertPath=

Yet you can see it above, all required files are there. cert.pem is in the first location on the path

This error message:

cloudflared_1 | 2022-05-26T07:17:20Z ERR You need to specify the origin certificate path by specifying the origincert option in the configuration file, or set TUNNEL_ORIGIN_CERT environment variable. See https://developers.cloudflare.com/argo-tunnel/reference/service/ for more information. originCertPath=

cloudflared_1 | failed to create tunnel: couldn't create client to talk to Cloudflare Tunnel backend: Error locating origin cert: client didn't specify origincert path

Offers a suggestion about TUNNEL_ORIGIN_CERT yet the supplied docs URL does not provide documentation or an example of how to use it. No idea what it should look like or how to use it. That looks like an item for improvement for the documentation, either point to a different doc URL or add content to that URL.

I will see if I can tweak the docker-compose as you suggested, will update you, thanks.

btw - I want to have multiple tunnels so I would think I need to have the config files separate, but the cert.pem is universal and is correctly located yet it is not being found. Not sure if I am referencing the config file correctly though. I am following the documentation very closely…

Not sure the correct way to have multiple tunnels, should they share one config file or be separate and referenced explicitly rather than assumed to be called config.yml ?

I see the configuration file documentation here:
https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/local-management/configuration-file/

Here is my ~/.cloudflared directory contents:

-rw-rw-r--  1 tmc tmc  155 May 27 05:53 config.yml
drwxr-xr-x 39 tmc tmc 4096 May 27 02:43 ../
-rw--w----  1 tmc tmc  161 May 26 05:57 b98f6dff-6605-43c4-b83a-2315e409920c.json
-rw-rw-r--  1 tmc tmc  155 May 26 05:57 config-dev-all.yml
-rw-rw-r--  1 tmc tmc  155 May 26 05:15 config-blog-meme.yml
-rw--w----  1 tmc tmc  161 May 26 04:59 553f30e5-d691-4235-ad24-2a276c241caa.json
-rw-------  1 tmc tmc 1938 May 26 04:57 cert.pem

Note that it contains both a cert.pem and config.yml
The config.yml contains:

url: http://localhost:8080
tunnel: 553f30e5-d691-4235-ad24-2a276c241caa
credentials-file: /home/tmc/.cloudflared/553f30e5-d691-4235-ad24-2a276c241caa.json

Here are some environment values

printenv | grep TUNNEL

Output:

TUNNEL_ID=553f30e5-d691-4235-ad24-2a276c241caa
TUNNEL_ORIGIN_CERT=/home/tmc/.cloudflared/cert.pem

When I run this:

docker run -v ~/.cloudflared:/etc/cloudflared cloudflare/cloudflared tunnel --no-autoupdate --hostname blog.meme-river.com --url http://localhost:8080

Output:

2022-05-27T06:06:30Z INF Cannot determine default configuration path. No file [config.yml config.yaml] in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared]
2022-05-27T06:06:30Z INF Version 2022.5.1
2022-05-27T06:06:30Z INF GOOS: linux, GOVersion: go1.17.1, GoArch: amd64
2022-05-27T06:06:30Z INF Settings: map[hostname:blog.meme-river.com no-autoupdate:true url:http://localhost:8080]
2022-05-27T06:06:30Z INF Cannot determine default origin certificate path. No file cert.pem in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared] originCertPath=
2022-05-27T06:06:30Z ERR You need to specify the origin certificate path by specifying the origincert option in the configuration file, or set TUNNEL_ORIGIN_CERT environment variable. See https://developers.cloudflare.com/argo-tunnel/reference/service/ for more information. originCertPath=
2022-05-27T06:06:30Z ERR Couldn't start tunnel error="Error getting origin cert: client didn't specify origincert path"
Error getting origin cert: client didn't specify origincert path

Note that it complains about not finding config.yml and cert.pem - yet both are located first in the search path at ~/.cloudflared (see listing above)

Also, it suggests I supply the environment value TUNNEL_ORIGIN_CERT - but that is incorrect because it is set correctly (see above)

Per this documentation page: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/arguments/

When I add origincert as an argument:

docker run -v ~/.cloudflared:/etc/cloudflared cloudflare/cloudflared tunnel --no-autoupdate --hostname blog.meme-river.com --url http://localhost:8080 --originCert /home/tmc/.cloudflared/cert.pem

It replies with:

Incorrect Usage. flag provided but not defined: -originCert

When I remove origincert and add config as an argument:

docker run -v ~/.cloudflared:/etc/cloudflared cloudflare/cloudflared tunnel --no-autoupdate --hostname blog.meme-river.com --url http://localhost:8080 --config /home/tmc/.cloudflared/config.yml

The response is this:

2022-05-27T06:45:37Z INF Cannot determine default configuration path. No file [config.yml config.yaml] in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared]
2022-05-27T06:45:37Z INF Version 2022.5.1
2022-05-27T06:45:37Z INF GOOS: linux, GOVersion: go1.17.1, GoArch: amd64
2022-05-27T06:45:37Z INF Settings: map[config:/home/tmc/.cloudflared/config.yml hostname:blog.meme-river.com no-autoupdate:true url:http://localhost:8080]
2022-05-27T06:45:37Z INF Cannot determine default origin certificate path. No file cert.pem in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared] originCertPath=
2022-05-27T06:45:37Z ERR You need to specify the origin certificate path by specifying the origincert option in the configuration file, or set TUNNEL_ORIGIN_CERT environment variable. See https://developers.cloudflare.com/argo-tunnel/reference/service/ for more information. originCertPath=
2022-05-27T06:45:37Z ERR Couldn't start tunnel error="Error getting origin cert: client didn't specify origincert path"
Error getting origin cert: client didn't specify origincert path

For this docker-compose.yml

version: '2.1'
services:
  postgresql:
    image: docker.io/bitnami/postgresql:11
    container_name: postgres_postgresql_1
    volumes:
      - 'postgresql_data:/bitnami/postgresql'
    environment:
      - 'ALLOW_EMPTY_PASSWORD=yes'
  pgbouncer:
    image: docker.io/bitnami/pgbouncer:1
    environment:
      - POSTGRESQL_HOST=postgresql
      - PGBOUNCER_AUTH_TYPE=trust
    depends_on:
      - postgresql
  cloudflared:
    image: cloudflare/cloudflared:2022.5.1
    volumes:
      - '~/.cloudflared:/etc/cloudflared'
    command: tunnel run -f --url tcp://pgbouncer:6432 553f30e5-d691-4235-ad24-2a276c241caa
    depends_on:
      - pgbouncer
volumes:
  postgresql_data:
    driver: local

docker-compose up

This is the response

postgresql_1   | 2022-05-27 06:52:24.575 GMT [92] LOG:  incomplete startup packet
cloudflared_1  | 2022-05-27T06:52:25Z INF Cannot determine default origin certificate path. No file cert.pem in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared] originCertPath=
cloudflared_1  | 2022-05-27T06:52:25Z ERR You need to specify the origin certificate path by specifying the origincert option in the configuration file, or set TUNNEL_ORIGIN_CERT environment variable. See https://developers.cloudflare.com/argo-tunnel/reference/service/ for more information. originCertPath=
cloudflared_1  | tunnel credentials file not found
postgres_cloudflared_1 exited with code 1

Note that TUNNEL_ORIGIN_CERT is set correctly (see above) and the config file and cert.pem are located where they should be, in ~/.cloudflared

Per this other docker image documentation (Docker Hub):
Tried setting with -v ~/.cloudflared:/home/tmc/.cloudflared
which contains both a cert.pem and config.yml

docker run -v ~/.cloudflared:/home/tmc/.cloudflared cloudflare/cloudflared tunnel --no-autoupdate --hostname blog.meme-river.com --url http://localhost:8080

Output

2022-05-27T08:11:03Z INF Cannot determine default configuration path. No file [config.yml config.yaml] in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared]
2022-05-27T08:11:03Z INF Version 2022.5.1
2022-05-27T08:11:03Z INF GOOS: linux, GOVersion: go1.17.1, GoArch: amd64
2022-05-27T08:11:03Z INF Settings: map[hostname:blog.meme-river.com no-autoupdate:true url:http://localhost:8080]
2022-05-27T08:11:03Z INF Cannot determine default origin certificate path. No file cert.pem in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared] originCertPath=
2022-05-27T08:11:03Z ERR You need to specify the origin certificate path by specifying the origincert option in the configuration file, or set TUNNEL_ORIGIN_CERT environment variable. See https://developers.cloudflare.com/argo-tunnel/reference/service/ for more information. originCertPath=
2022-05-27T08:11:03Z ERR Couldn't start tunnel error="Error getting origin cert: client didn't specify origincert path"
Error getting origin cert: client didn't specify origincert path

First time I’ve seen this, by trying another docker image (Docker Hub):

The cert.pem is unique to a domain?
So If I want different tunnels for different domains I need different cert.pem? That is not something I have seen in the documentation

docker run -v /home/tmc/.cloudflared:/home/tmc/.cloudflared erisamoe/cloudflared --hostname test.example.com --hello-world --origincert /home/tmc/.cloudflared/cert.pem

Output

2022-05-27T08:25:25Z INF Cannot determine default configuration path. No file [config.yml config.yaml] in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared]
2022-05-27T08:25:25Z INF Version 2022.5.1
2022-05-27T08:25:25Z INF GOOS: linux, GOVersion: go1.18.2, GoArch: amd64
2022-05-27T08:25:25Z INF Settings: map[hello-world:true hostname:test.example.com no-autoupdate:true origincert:/home/tmc/.cloudflared/cert.pem]
2022-05-27T08:25:25Z INF Environmental variables map[TUNNEL_ORIGIN_CERT:/etc/cloudflared/cert.pem]
2022-05-27T08:25:25Z INF Initial protocol h2mux
2022-05-27T08:25:25Z INF Starting Hello World server at 127.0.0.1:40253
2022-05-27T08:25:25Z INF Starting metrics server on 127.0.0.1:43529/metrics
2022-05-27T08:25:25Z INF Connection established connIndex=0 location=ORD
2022-05-27T08:25:26Z WRN Register tunnel error from server side error="You asked for a tunnel to test.example.com, but your certificate is valid only for [*.meme-river.com meme-river.com]" connIndex=0
2022-05-27T08:25:26Z INF Tunnel server stopped
2022-05-27T08:25:26Z ERR Initiating shutdown error="You asked for a tunnel to test.example.com, but your certificate is valid only for [*.meme-river.com meme-river.com]"
2022-05-27T08:25:26Z INF Metrics server stopped
You asked for a tunnel to test.example.com, but your certificate is valid only for [*.meme-river.com meme-river.com]

Yep - when you do cloudflared login then you select a specific zone in the dashboard to authenticate against.

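The thread ends without settling why cert.pem and config.yml are reported as "not found" even though they sit in the directory mounted at /etc/cloudflared, nor how the OP should lay out one config per tunnel. Two things a practitioner would check before blaming the search path, as an added example that is not part of this thread and not Cloudflare's code: whether the user the container runs as can read files with modes like -rw------- (a file it cannot stat is reported as missing), and whether the paths inside config.yml (credentials-file: /home/tmc/.cloudflared/<id>.json) are container paths under the mount point rather than host paths. Note also that TUNNEL_ORIGIN_CERT and TUNNEL_ID exported on the host are not visible inside the container unless passed with -e or an environment: entry. The script below assumes the official image runs as the distroless "nonroot" user (uid 65532), assumes GNU coreutils stat, and uses its own function names (readable_by_uid, check_tunnel_dir, run_command, make_fixture); the cert, credentials and tunnel ID it builds are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from Cloudflare: preflight check for
# running a named tunnel from the cloudflared container with a host directory
# bind-mounted at /etc/cloudflared. Assumptions: the container runs as uid 65532
# ("nonroot"; verify with docker inspect --format '{{.Config.User}}' IMAGE) and
# GNU stat(1) is available. Function names are this example's own.

CONTAINER_DIR=/etc/cloudflared       # mount point used by the thread's compose file
DEFAULT_CONTAINER_UID=65532          # assumed uid of the container user

# readable_by_uid FILE UID: succeed if a process with UID can read FILE by mode
# bits. Group bits are ignored: the container user is in no host group.
readable_by_uid() {
    f=$1; uid=$2
    [ -e "$f" ] || return 1
    owner=$(stat -c '%u' "$f") || return 1
    mode=$(stat -c '%A' "$f") || return 1          # e.g. -rw-------
    if [ "$owner" = "$uid" ]; then
        [ "$(printf '%s' "$mode" | cut -c2)" = r ]  # owner read bit
    else
        [ "$(printf '%s' "$mode" | cut -c8)" = r ]  # "other" read bit
    fi
}

# check_tunnel_dir DIR TUNNEL_ID CONFIG_FILE [UID]
# Prints one line per problem; the return value is the number of problems.
check_tunnel_dir() {
    dir=$1; tunnel_id=$2; cfg=$3; uid=${4:-$DEFAULT_CONTAINER_UID}
    problems=0
    # 1. origin cert from "cloudflared login": unreadable looks like missing.
    if ! readable_by_uid "$dir/cert.pem" "$uid"; then
        echo "cert.pem missing or not readable by uid $uid in $dir"
        problems=$((problems + 1))
    fi
    # 2. tunnel credentials <TUNNEL ID>.json with the three expected keys.
    cred="$dir/$tunnel_id.json"
    if ! readable_by_uid "$cred" "$uid"; then
        echo "$tunnel_id.json missing or not readable by uid $uid"
        problems=$((problems + 1))
    else
        for key in AccountTag TunnelSecret TunnelID; do
            grep -q "\"$key\"" "$cred" || { echo "$cred lacks \"$key\""; problems=$((problems + 1)); }
        done
    fi
    # 3. one config per tunnel; its paths are resolved inside the container, so
    #    credentials-file must be under the mount point, not a host path.
    if [ ! -r "$dir/$cfg" ]; then
        echo "config $cfg not found in $dir"
        problems=$((problems + 1))
    else
        cred_path=$(sed -n 's/^credentials-file:[[:space:]]*//p' "$dir/$cfg")
        case "$cred_path" in
            "$CONTAINER_DIR"/*) ;;
            "") echo "$cfg has no credentials-file entry"; problems=$((problems + 1)) ;;
            *)  echo "$cfg: credentials-file '$cred_path' is not under $CONTAINER_DIR (host path?)"
                problems=$((problems + 1)) ;;
        esac
        cfg_tunnel=$(sed -n 's/^tunnel:[[:space:]]*//p' "$dir/$cfg")
        if [ "$cfg_tunnel" != "$tunnel_id" ]; then
            echo "$cfg: tunnel '$cfg_tunnel' does not match $tunnel_id"
            problems=$((problems + 1))
        fi
    fi
    return "$problems"
}

# run_command DIR TUNNEL_ID CONFIG_FILE: print a docker run line that passes
# every path explicitly (container paths) and runs as the owner of cert.pem,
# so the 0600 modes from the thread's listing can stay as they are.
run_command() {
    dir=$1; tunnel_id=$2; cfg=$3
    printf 'docker run --rm --user %s -v %s:%s cloudflare/cloudflared:2022.5.1 tunnel --no-autoupdate --origincert %s/cert.pem --config %s/%s run --credentials-file %s/%s.json %s\n' \
        "$(stat -c '%u' "$dir/cert.pem")" "$dir" "$CONTAINER_DIR" "$CONTAINER_DIR" \
        "$CONTAINER_DIR" "$cfg" "$CONTAINER_DIR" "$tunnel_id" "$tunnel_id"
}

# make_fixture DIR TUNNEL_ID CRED_PATH: constructed dummy ~/.cloudflared-style
# directory for the demo; cert and credentials are placeholders, not real.
make_fixture() {
    dir=$1; tunnel_id=$2; cred_path=$3
    mkdir -p "$dir"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' placeholder '-----END CERTIFICATE-----' > "$dir/cert.pem"
    printf '{"AccountTag":"0123abcd","TunnelSecret":"c2VjcmV0","TunnelID":"%s"}\n' "$tunnel_id" > "$dir/$tunnel_id.json"
    printf 'tunnel: %s\ncredentials-file: %s\nurl: tcp://pgbouncer:6432\n' "$tunnel_id" "$cred_path" > "$dir/config-pg.yml"
    chmod 600 "$dir/cert.pem" "$dir/$tunnel_id.json"   # modes as in the thread's listing
}

# Demo on constructed data: first the thread's situation, then a corrected one.
demo_id=11111111-2222-3333-4444-555555555555
demo_dir=$(mktemp -d)
make_fixture "$demo_dir" "$demo_id" "/home/tmc/.cloudflared/$demo_id.json"
echo "== container user uid $DEFAULT_CONTAINER_UID, host path in config:"
check_tunnel_dir "$demo_dir" "$demo_id" config-pg.yml || echo "$? problem(s)"
make_fixture "$demo_dir" "$demo_id" "$CONTAINER_DIR/$demo_id.json"
echo "== file owner uid $(id -u), container path in config:"
check_tunnel_dir "$demo_dir" "$demo_id" config-pg.yml "$(id -u)" && run_command "$demo_dir" "$demo_id" config-pg.yml
rm -rf "$demo_dir"
```

With the thread's layout (cert.pem and the .json files mode 0600, owned by the host user, credentials-file pointing at /home/tmc/...) the first pass reports three problems; after switching the config to the container path and running as the file owner it reports none and prints the run command. Keeping one config-<name>.yml per tunnel and selecting it with --config is how several tunnels share one cert.pem, which is account-level material from cloudflared login and should not be made world-readable just to satisfy the container user; --user is the assumed alternative here.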