Cloudflare not properly including certificate and key with call to origin server

What I need to do:
Ensure that traffic between Cloudflare and my origin server is encrypted with certificate + key. If not, the connection should be refused with a 403

I have generated certificate in the “origin server” section, and uploaded the certificate and key as a single .pfx file to Azure APIM (my origin server), but Cloudflare is not properly including the certificate and key during a call to api.my-domain.com/my_api and I’m getting the 403 from Azure APIM.

Settings:

  • I have full mode on mydomain.com
  • I have a rule that enforces full strict mode on api.mydomain.com/*
  • In the origin server section I have a cert generated for mydomain.com and *.mydomain.com
  • In the origin server section I have another cert generated for api.mydomain.com and *.api.mydomain.com

Behavior:

  • I have debugged to ensure certificates are properly generated, installed, and configured on Azure APIM.
  • Conclusion is that Cloudflare is not presenting the cert + key to Azure APIM

Guess on reason from my part:

  1. Either the origin server certificate for *.mydomain.com is included in the call to api.mydomain.com, instead of the certificate for api.mydomain.com
  2. Or the key is not included in the call. Only the cert is.

Anyone done this setup and/or know the problem?

Assuming you just want an SSL certificate on your origin server, that is straightforward and should just work. That could be a certificate from a CA, like Let's Encrypt, or as you have done, using Cloudflare’s origin certificate. Most people are using one or the other of these and they work fine. Note that the Cloudflare origin certificate is only trusted by Cloudflare so you will get a warning using it directly in your browser.

What happens when you visit your origin server in your browser, what certificate is shown? (Can you give the origin server link for testing?)

Or are you asking for something like an authenticated origin pull so Cloudflare actually authenticates with your server? Details here…

Thanks for your reply!

My set up is like this:

  • I have generated 2 cert/keys. 1 in Client Certificates, 1 in Origin Server.
  • My origin server is hosted on Azure. It’s an API service that only accepts POST calls.
  • The client, currently a Postman call, uses the generated Client Certificate cert_key.pfx. This allows communication between client and Cloudflare
  • Cloudflare should use the generated Origin Server cert_key.pfx to communicate with origin server. This is not working.

Important debugs done so far:

  • If I use Client Server cert_key.pfx in postman, and make call via Cloudflare, connection between Cloudflare and Postman works, but between Cloudflare and origin server does not work.
  • If I use the Origin Server cert_key.pfx in postman, and make call directly to origin server, it works.
  • If I allow origin server to be accessed without valid cert/key, it works.
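The earlier reply separates two different certificates: the origin certificate, which the origin presents to Cloudflare as its server certificate, and an authenticated origin pull, where Cloudflare itself presents a client certificate to the origin. The three debugging results listed just above are exactly the outcomes that separation produces. The Go program below is an added example, not code from this thread, from Cloudflare or from Azure: it stands up a local TLS origin that presents its own server certificate, verifies any client certificate it is offered against a constructed origin-pull CA, and answers 403 from the API when no client certificate arrived (that this is how the APIM policy in the thread behaves is an assumption of the example), then calls it with the matching client certificate, with no client certificate, and with a client certificate from an unrelated CA. Every CA and host name in it is made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// newCert mints a demo certificate, self-signed when parent is nil. Names are constructed.
func newCert(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // the demo origin listens on loopback
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	issuer, issuerKey := tmpl, any(key) // self-signed unless a parent was given
	if parent != nil {
		issuer, issuerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced, cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// startOrigin models the origin in the thread: the TLS layer accepts a client with or without
// a certificate but verifies any it is given against clientCAs, and the API itself answers 403
// when none arrived. That the APIM policy in the thread behaves this way is an assumption.
func startOrigin(clientCAs *x509.CertPool, cert tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if len(r.TLS.PeerCertificates) == 0 {
			http.Error(w, "client certificate required", http.StatusForbidden) // no client cert: 403
		}
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{cert}, // the origin's own (server) certificate
		ClientCAs:    clientCAs,               // CA whose client certificates the origin trusts
		ClientAuth:   tls.VerifyClientCertIfGiven,
	}
	srv.StartTLS()
	return srv
}

// callOrigin POSTs to the origin presenting exactly clientCert (nil models a proxy that sends
// none); it returns the HTTP status, or 0 when no HTTP response came back. GetClientCertificate
// is set because Go's default selection silently withholds a cert whose issuer the server did not name.
func callOrigin(url string, roots *x509.CertPool, clientCert *tls.Certificate) int {
	cfg := &tls.Config{RootCAs: roots, GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
		if clientCert == nil {
			return &tls.Certificate{}, nil // an empty certificate means "send none"
		}
		return clientCert, nil
	}}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Post(url, "application/json", nil)
	if err != nil {
		return 0 // the TLS handshake was rejected (or the origin is unreachable)
	}
	resp.Body.Close()
	return resp.StatusCode
}

// Demo builds an origin-pull CA, the origin's own leaf, a client certificate from that CA and
// one from an unrelated CA, then calls the origin with the right cert, no cert and the wrong cert.
func Demo() (withCert, withoutCert, wrongCert int) {
	ca := newCert("origin-pull-ca", true, nil)
	origin := newCert("api.example.test", false, &ca)
	good := newCert("cloudflare-origin-pull", false, &ca)
	otherCA := newCert("unrelated-ca", true, nil)
	bad := newCert("wrong-client", false, &otherCA)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srv := startOrigin(pool, origin)
	defer srv.Close()
	return callOrigin(srv.URL, pool, &good), callOrigin(srv.URL, pool, nil), callOrigin(srv.URL, pool, &bad)
}

func main() {
	fmt.Println(Demo()) // 200 403 0
}
```

Run it with `go run`. The call with the matching client certificate gets 200, the call with no client certificate gets the API's 403, and the call presenting a certificate from an unrelated CA never reaches HTTP at all because the origin rejects the TLS handshake. Those last two outcomes are worth telling apart when debugging a setup like the one in this thread: a 403 from the application means the TLS layer accepted a connection that carried no client certificate, while a handshake failure means a certificate was offered but not trusted. Note also that the origin's own certificate (`origin` above) never plays the client role; the cert the proxy presents is a separate leaf issued by the CA the origin is configured to trust.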
