Cloudflare Origin Certificates with IBM Cloud (Cloud Foundry Domain Upload SSL)


#1

Hi, I’m having issues adding my Cloudflare Origin Certificate to IBM Cloud in order to enable SSL between Cloudflare and IBM Cloud.

IBM Cloud allows for the following to be uploaded:

  1. Certificate
  2. Private key
  3. Intermediate certificate (optional)
  4. Client certificate trust store (optional)

I’ve tried adding the certificate and private key as-is, that brought about the error below.

Appending the Cloudflare Root Certificate RSA to the certificate (as stated in https://support.cloudflare.com/hc/en-us/articles/218689638-What-are-the-root-certificate-authorities-CAs-used-with-Cloudflare-Origin-CA-) results in a similar error as below.

When adding the SSL, I’ve been given the following error:


Add a SSL Certificate for goid.com.sg
Error:
The domain goid.com.sg is not supported by the certificate CN/SAN matches [static.goid.com.sg] and misses [CloudFlare Origin Certificate]."


I’ve contacted IBM Cloud support and they have replied as follows:


Based on the message: The domain goid.com.sg is not supported by the certificate CN/SAN matches [static.goid.com.sg] and misses [CloudFlare Origin Certificate]." it looks like you have 2 problems with this certificate:

  1. the CN is missing, i.e. I ran the command openssl x509 -in static.goid.com.sg.pem -text and it looks like the CN is missing.

  2. it misses the CloudFlare Origin Certificate. I would suggest contacting the certificate issuer about how to fix this problem.

Based on their https://support.cloudflare.com/hc/en-us/articles/218689638-What-are-the-root-certificate-authorities-CAs-used-with-Cloudflare-Origin-CA- they suggest appending the cloudflare_origin_rsa.pem to your static.goid.com.sg.pem, but they did not mention detailed steps. Also, you need to ask for steps on how to add the CN to your certificate.

Kind Regards
[REDACTED]


Now I’m stumped on what to do.


#4

Origin certificates do have a CN of “CloudFlare Origin Certificate”, however their SANs match the domains. The error message would leave the impression IBM checks both fields but would expect only one to be valid, which is the case for SAN.

So either they do require both fields to be valid, in which case you couldn't use an origin certificate, or they are missing the certificate's root certificate, in which case it should be enough to provide the certificates listed on the page you linked under "Intermediate certificate".

I’d try the intermediate certificate route and if that still does not work contact IBM again and ask for further feedback on the actual reason for the error.
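The CN-versus-SAN rule discussed above (a name is covered if it appears in the Subject Alternative Name extension; the CN is only a legacy fallback when no SAN is present) can be checked locally before uploading a certificate anywhere. The script below is an added example, not code from this thread, from IBM Cloud or from Cloudflare. It assumes the text format printed by OpenSSL 1.1.1 or later for `openssl x509 -noout -subject -nameopt RFC2253 -ext subjectAltName`; the embedded sample output is constructed to mirror the names in the error message (a CN of "CloudFlare Origin Certificate" and a SAN for static.goid.com.sg, plus a constructed wildcard to show how wildcards are handled), and the helper names are this example's own.

```python
"""Check whether a hostname is covered by a certificate's SAN (or, as a fallback, its CN).

Added example: parses the human-readable output of
  openssl x509 -noout -subject -nameopt RFC2253 -ext subjectAltName -in cert.pem
and applies RFC 6125-style matching. Sample output below is constructed, not a real certificate.
"""
import re

# Constructed sample of the openssl output described above (illustrative values only).
SAMPLE_OPENSSL_OUTPUT = """\
subject=CN=CloudFlare Origin Certificate,OU=CloudFlare Origin CA,O=CloudFlare\\, Inc.
X509v3 Subject Alternative Name: 
    DNS:static.goid.com.sg, DNS:*.goid.com.sg
"""


def parse_subject_rfc2253(line: str) -> dict:
    """Parse 'subject=CN=...,OU=...,O=...' where RFC 2253 escapes literal commas as '\\,'."""
    if not line.startswith("subject="):
        raise ValueError("expected a line starting with 'subject='")
    body = line[len("subject="):]
    attrs = {}
    # Split on commas that are not preceded by a backslash, then unescape.
    for rdn in re.split(r"(?<!\\),", body):
        key, _, value = rdn.partition("=")
        attrs[key.strip()] = value.replace("\\,", ",").strip()
    return attrs


def parse_san_dns(text: str) -> list:
    """Return the DNS: entries of the Subject Alternative Name extension, or [] if absent."""
    m = re.search(r"Subject Alternative Name:\s*(.+)", text)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",")]
    return [e.split(":", 1)[1] for e in entries if e.startswith("DNS:")]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 matching: exact match, or a wildcard that is the whole left-most label
    and stands for exactly one label (so *.example.test covers a.example.test but
    neither example.test nor a.b.example.test)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_covers(subject: dict, san_dns: list, hostname: str):
    """Decide coverage. SAN is authoritative when present; CN is consulted only without SAN."""
    if san_dns:
        for name in san_dns:
            if dns_name_matches(name, hostname):
                return True, f"matched SAN entry {name}"
        return False, "no SAN entry matches (CN is ignored when a SAN extension exists)"
    cn = subject.get("CN")
    if cn and dns_name_matches(cn, hostname):
        return True, f"matched CN {cn} (legacy fallback, certificate has no SAN)"
    return False, "neither SAN nor CN matches"


def check_openssl_output(text: str, hostname: str):
    """Parse the openssl text and report (covered, reason) for one hostname."""
    subject_line = next(l for l in text.splitlines() if l.startswith("subject="))
    return certificate_covers(parse_subject_rfc2253(subject_line), parse_san_dns(text), hostname)


if __name__ == "__main__":
    for host in ("static.goid.com.sg", "goid.com.sg", "www.goid.com.sg", "a.b.goid.com.sg"):
        ok, why = check_openssl_output(SAMPLE_OPENSSL_OUTPUT, host)
        print(f"{host:20} {'covered' if ok else 'NOT covered':12} {why}")
```

Run against the constructed sample, static.goid.com.sg is covered by its SAN entry even though the CN is the fixed string "CloudFlare Origin Certificate", which is the behaviour a standards-conforming validator should show; the bare apex goid.com.sg is not covered, because neither the exact SAN nor the constructed wildcard matches it. Feeding the script the real `openssl x509` output for an uploaded certificate shows which of those two situations applies before involving a provider's support.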


#5

Another option to achieve what you want to do (get Cloudflare to communicate securely with your servers), is to get free, valid, well accepted standard certificates, from letsencrypt.org. Those can bear your domain in the CN and also *.yourdomain - and you can use automated generation of these certificates completely outside your servers with DNS validation. And you can do that automatically, and if IBM Cloud has an API (which they likely do) - install them automatically as well; Which you’ll probably want to do, because unlike Cloudflare’s origin certificates… they expire every 90 days. But hey, they’re free.

As a bonus, if you use Let’s Encrypt’s certificates, your site can still work for your users if you have to pause Cloudflare service, either temporarily, or, permanently. You’ll enjoy having your software stack ready to serve users with TLS and won’t need to deal with this and possibly a downtime.

Finally, maybe IBM Cloud themselves have a feature to automatically provision certificates for your service. Amazon has this in AWS, for example - you just add a record in DNS once to prove you own the domain - and they create the cert, install it on their CDN/LB automatically, and the same happens again after a year+ when it’s time to renew. You don’t have to do anything. Just like Cloudflare’s Universal SSL service, but at your origin :slight_smile: So you could ask IBM if they have such a service. Cloudflare do not need THEIR origin certificate - they need a certificate that they can trust - it can be either one they generated - or - any other cert that will validate at your friendly browser.


#6

I’ll need to spin up my Linux VM and test the command


#8

Thanks for the suggestion!

I’m aware that LetsEncrypt does provide free SSL certs, but they’re short-lived. Since I’m not running a dedicated OS, I can’t set up a cron job to re-run Certbot.

Unfortunately, IBM Cloud does not give out certificates for free like AWS does.


#9

I’ve tried uploading the Cloudflare Origin CA (RSA) to the Intermediate Certificate (Origin) field on IBM Cloud. Unfortunately, the same error persists.


#10

In that case I’d contact IBM again and clarify what the precise reason for the error is. The CN does not match but the SANs do. If you uploaded the root certificates we should be able to rule that out as well.


#11

IBM Cloud has said that the reason for error:

“the reason of the error is that the CN field in the Subject, points to sni.cloudflaressl.com while the certificate was loaded for the domain goid.com.sg.”


#12

That now seems they attempted to verify the certificate configured on Cloudflare’s servers and not the certificate you provided for your server. I believe they might have mixed that up.

The question should be why they can't verify the origin certificate, and that certificate should not have such a CN.


#13

IBM Cloud support has bounced back asking exactly how to append the Cloudflare Origin CA (RSA) from https://support.cloudflare.com/hc/en-us/articles/218689638-What-are-the-root-certificate-authorities-CAs-used-with-Cloudflare-Origin-CA-

Currently asking them for the main cause of the original error.


#14

I’ve decided to resolve the issue with a workaround;

  1. Add a route to my Cloud Foundry instance on IBM Cloud using one of the System Domains (*.mybluemix.net, etc.).

  2. Change the CNAME record for static.goid.com.sg to point to the new route.

This has the benefit of a valid SSL certificate managed by IBM Cloud.


closed #15

This topic was automatically closed after 30 days. New replies are no longer allowed.