Cannot get CloudFlare origin SSL cert to work

@someguyUSA Hope below helps in your case. Worked for me 1-2 hours ago and still working.

I am sharing what I’ve checked, tested and done in the past hour or two.

Since my Namecheap Sectigo is expiring on Sept 22 this year (1 month), I’ve gone through this again and done it as follows to get it working (at least in my case).

You can download my converted and used Cloudflare Origin CA Root (RSA) and Authenticated Origin Pull (RSA) as .p7b from link below (step 22-23):

Sharing step-by-step and screenshots:

  1. Port 80 and 443 are open for inbound and outbound traffic on Fortigate router in Firewall Policy along with other ports needed (custom RDP, etc.)
  2. Running Windows Server 2012 R2 x64
  3. Ports 80 and 443 allowed inbound and outbound on Windows Firewall
  4. Running IIS 8.5
  5. Under IIS, selected My Server → Server Certificates
  6. Right sidebar → Create Certificate Request
  7. Filled in Common name (sub.domain.hr), Organization, unit, city, state, country …
  8. Selected “Microsoft RSA” and “2048” bit
  9. Saved the CSR output to a csr.txt file
  10. Copied the output
  11. Went to CF Dashboard → SSL/TLS → Origin Server → Create Certificate
  12. Selected Use my private key and CSR, Hostnames → sub.domain.hr (only that one particular, nothing else), 15 years and hit “Create” button
  13. Saved the output as PKCS7
  14. Renamed it to the subdomainhr.cer
  15. Went to the IIS → selected my Server → Server Certificates → Complete Certificate Request from right sidebar
  16. Selected the subdomainhr.cer file, added friendly name and selected “Personal”
  17. Opened certlm (Certificates - Local Computer)
  18. Under “Personal” I can see my Cloudflare Origin CA certificate
  19. Under “Trusted Root Certification Authorities” I go to right click All Tasks → Import
  20. Selected “Local Machine”
  21. Downloaded:
    a) Cloudflare Origin RSA PEM (Origin CA certificates | Cloudflare SSL/TLS docs)
    b) Cloudflare Authenticated Origin Pull PEM (https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem)
  22. Converted both PEM certs via SSL Converter (SSL Converter - Convert SSL Certificates to different formats) from “Standard PEM” to “P7B/PKCS#7” (made sure to upload them one by one only under the field “Certificate File to Convert”)
  23. Downloaded the converted ones as .p7b
  24. Went back to the “Certificates” → Trusted Root Certification Authorities
  25. Right Click → All Tasks → Import and imported each one by one here with double-checking to place them into the “Trusted Root Certification Authorities” certificate store
  26. Went to IIS, selected my Website sub.domain.hr
  27. Went to SSL Settings → Require SSL (not checked), Client Certificates is “Ignore”
  28. Right sidebar → Bindings
  29. Having http sub.domain.hr port 80 and public IP
  30. Added https sub.domain.hr port 443 and public IP
  31. Selected https and clicked “Edit”
  32. Type https, IP is IPv4, port is 443, host name is sub.domain.hr, “Require Server Name Indication” is checked and SSL certificate selected the one which I’ve added (only)
  33. Saved
  34. I got the warning message “No default SSL site has been created. To support browsers without SNI capabilities …”
  35. Made sure Full (Strict) SSL is selected under the SSL/TLS tab of Cloudflare dashboard for the whole zone (no additional Rules configured to separate the sub-domain, except no cache)
  36. Made sure Authenticated Origin Pulls is enabled
  37. Stopped and started (restart) Web server
  38. Checking HTTP and HTTPS via Chrome on the Windows server gives an HTTP 404 not found error, however it loads fine without any issue and on the “lock icon” I can see Cloudflare Origin Certificate, Origin CA, expiring 2039 (15 years)
  39. Checking via hostname from my home network and mobile phone sub.domain.hr/some-path/phpinfo.php, it’s loading fine and working over HTTPS; no warning, no issue
  40. When I go check the SSL lock icon, since it’s proxied :orange:, it’s showing Let’s Encrypt Cloudflare certificate
  41. Nothing changed in the Apache config file for SSL.

In pictures:

[screenshot: 07sni_warning]

What I can offer is that I could voluntarily help you with this on demand, however remotely only, via AnyDesk or something similar if that makes it easier for you to see as well.
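To confirm that steps 15–36 above actually took effect on the server, the following PowerShell script (an added example, not part of the post above or of Cloudflare’s own tooling) checks the four things Full (Strict) depends on: the leaf certificate with its private key in Local Computer\Personal, the Origin CA root in Trusted Root, the SNI binding on 443, and a live handshake straight at the origin IP whose chain must end at that root. It assumes the Origin CA RSA root PEM from step 21a was saved under the `$RootPem` path and that `$OriginIp` is the public IP bound in step 30 (both are placeholders).

```powershell
# Added check script (not from the original post). Assumptions: the Cloudflare Origin CA
# RSA root PEM from step 21a is saved at $RootPem, and $OriginIp is the public IP bound
# in step 30. Run in an elevated PowerShell on the IIS server.
param(
    [string]$HostName = 'sub.domain.hr',
    [string]$OriginIp = '203.0.113.10',                    # placeholder, use the bound IP
    [string]$RootPem  = 'C:\certs\origin_ca_rsa_root.pem'  # placeholder path
)
Import-Module WebAdministration

# 1. Leaf certificate: must sit in Local Computer\Personal, cover the host name, and have
#    the private key (only true if the CSR was completed on this same server).
$leaf = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.DnsNameList.Unicode -contains $HostName }
if (-not $leaf)               { throw "No certificate for $HostName in LocalMachine\My" }
if (-not $leaf.HasPrivateKey) { throw "Certificate for $HostName has no private key" }
"Leaf: $($leaf.Subject) valid until $($leaf.NotAfter)"

# 2. Trust anchor: the Origin CA root must be in Trusted Root Certification Authorities
#    (step 25), otherwise Windows cannot build the chain for the binding.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootPem)
if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $root.Thumbprint)) {
    throw "Origin CA root $($root.Thumbprint) missing from LocalMachine\Root"
}

# 3. Binding: https on 443 for the host name, with SNI required (sslFlags 1) as in step 32.
$binding = Get-WebBinding -Protocol https | Where-Object { $_.bindingInformation -like "*:443:$HostName" }
if (-not $binding) { throw "No https binding for $HostName on port 443" }
"Binding: $($binding.bindingInformation) sslFlags=$($binding.sslFlags)"

# 4. Live handshake straight at the origin with SNI, the same way Cloudflare's edge does
#    under Full (Strict): the presented chain must validate and end at the Origin CA root.
$script:chainOk = $false
$validate = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $script:chainOk = ($errors -eq [System.Net.Security.SslPolicyErrors]::None) -and
                      ($top.Thumbprint -eq $root.Thumbprint)
    return $true   # never abort here; the result is reported below
}
$tcp = New-Object System.Net.Sockets.TcpClient($OriginIp, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
try {
    $ssl.AuthenticateAsClient($HostName)   # $HostName becomes the SNI value
    "Handshake: $($ssl.SslProtocol), served $($ssl.RemoteCertificate.Subject)"
    if ($chainOk) { "Chain validates up to the Cloudflare Origin CA root: OK" }
    else          { "Chain does NOT end at the Origin CA root, or has validation errors" }
} finally { $ssl.Dispose(); $tcp.Close() }
```

Note that with Client Certificates set to “Ignore” (step 27) the origin itself does not verify Cloudflare’s Authenticated Origin Pull client certificate, so this script only checks the server side of the handshake; enforcing the pull certificate at IIS is a separate configuration step.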