Cloudflare edge-to-origin client certificate not presented to my origin server

Answer these questions to help the Community help you with Security questions.

Have you searched for an answer?
Yes.

Please share your search results url:
https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/

  1. “To use a Cloudflare certificate (which uses a specific CA), download the .PEM file and upload it to your origin.”

  2. Configure origin to accept client certs: Nginx ssl_client_certificate…

  3. Enable Authenticated Origin Pulls (globally)

  4. Enable Authenticated Origin Pulls for zone
    https://developers.cloudflare.com/api/operations/zone-level-authenticated-origin-pulls-set-enablement-for-zone
    {"success":true,"errors":[],"messages":[],"result":[],"result_info":{"page":1,"per_page":50,"count":0,"total_count":0}}

When you tested your domain, what were the results?
The Nginx at the origin server displayed:

400 Bad Request
No required SSL certificate was sent
nginx/1.25.1

Describe the issue you are having:
I wish to use Authenticated Origin Pulls (not to be confused with Origin Certificates) for a sub-domain. However, even though Domain > SSL/TLS > Origin Server > Authenticated Origin Pulls is enabled, and I have set Enablement for Zone using the API (without a custom certificate), Cloudflare edge servers never sent Cloudflare’s shared client certificate to my Nginx web server at the origin.

What error message or number are you receiving?

400 Bad Request
No required SSL certificate was sent
nginx/1.25.1

Nginx Debug Log

39#39: *19 client sent no required SSL certificate while reading client request headers

What steps have you taken to resolve the issue?

  1. Tried uploading a custom certificate / private key pair on a per-hostname basis instead of zone-level without a custom certificate, at
    https://developers.cloudflare.com/api/operations/per-hostname-authenticated-origin-pull-upload-a-hostname-client-certificate
    Enable per-hostname
    https://developers.cloudflare.com/api/operations/per-hostname-authenticated-origin-pull-enable-or-disable-a-hostname-for-client-authentication

  2. Nginx had a different error of “21:unable to verify the first certificate”, meaning Cloudflare did send my custom certificate to my origin server, but my Nginx could not verify the full certificate chain (e.g. root CA, intermediate CA). This is probably my certificate’s problem, but it’s not my question here.

  3. Disabled per-hostname using the API and deleted the per-hostname custom certificate.

Was the site working with SSL prior to adding it to Cloudflare?
Yes

What are the steps to reproduce the error:

  1. See above.

Have you tried from another browser and/or incognito mode?
Yes, same error.

Please attach a screenshot of the error:
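An added example (not from the original post or from Cloudflare) that reproduces the chain-verification failure from step 2 with a throwaway root / intermediate / client chain, then shows that bundling the intermediate with the root, which is the layout nginx's ssl_client_certificate file expects, makes the verification succeed. All certificate names are constructed.

```shell
#!/bin/sh
# Added example (not from the post): reproduce the chain-verification failure
# from step 2 with a throwaway chain, then show the fix. Names are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed root CA, nothing to do with Cloudflare's real CA
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null
# Intermediate CA issued by the root (must carry CA:TRUE to act as an issuer)
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout int.key -out int.csr 2>/dev/null
printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > int.ext
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1 -sha256 -extfile int.ext -out int.pem 2>/dev/null
# Client certificate issued by the intermediate, the leaf an edge would present
openssl req -newkey rsa:2048 -nodes -subj "/CN=example-edge-client" \
  -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 1 -sha256 -out client.pem 2>/dev/null

# verify_client BUNDLE: succeeds only if client.pem chains to a CA in BUNDLE
verify_client() {
  openssl verify -CAfile "$1" client.pem >/dev/null 2>&1
}

# Root alone: the client's issuer (the intermediate) is unknown to the
# verifier, so the check fails, which is the situation nginx reported in step 2
if verify_client root.pem; then echo "root only: unexpectedly OK"; else echo "root only: FAIL"; fi
# Root and intermediate concatenated in one PEM file, the form that goes into
# the file named by ssl_client_certificate
cat root.pem int.pem > bundle.pem
if verify_client bundle.pem; then echo "root+intermediate: OK"; fi
```

Point ssl_client_certificate at the concatenated file and reload nginx; the same openssl verify call against that file is a quick offline check before touching the server configuration.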
