I have used another CF certificate for the origin_CA_RSA_root.pem, available [here](https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/#4-required-for-some-add-cloudflare-origin-ca-root-certificates), since I am using an origin server certificate. I have not proxied my server because this is for an SMTP server that I am hosting, and I am told that SMTP servers should never be proxied.
Also, after running the `curl -v --resolve joelteixeira.com` command, the result is as follows:
```
[email protected]:/etc/ssl/certs# curl -v --resolve joelteixeira.com:443:[IP] https://joelteixeira.com
* Added joelteixeira.com:443:[IP] to DNS cache
* Hostname joelteixeira.com was found in DNS cache
* Trying [IP]:443...
* TCP_NODELAY set
* Connected to joelteixeira.com ([IP]) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```
I have also replaced the CA Origin RSA Root Certificate with the origin pull certificate, and temporarily turned on proxy, but still got the same issue.
Just wanted to post one more thing… My SSL certs are not expired, and I have OpenSSL v1.1.1f.
I have: updated my conf to the ones above, enabled proxying and origin pulls, enabled SSL strict, opened inbound and outbound port 443, and replaced my origin_CA_RSA_root.pem with the Origin pull certificate. However, it seems like the issue persists…