Cloudflare Origin Server certificate considered as having the wrong issuer

Hello all!

I need to enable mTLS on my new server, so I followed my hosting provider’s and Cloudflare’s tutorials for that.

  • I created a new Origin Server certificate for my domain name + a wildcard
  • I added it to the server through my hosting provider CLI
  • I checked that the SSL protection on Cloudflare was full strict and that mTLS was enabled
  • I downloaded the Cloudflare Origin RSA PEM (the one in the documentation, not the one that I created) and added it to my server as my provider asked

But we have errors 520 when going to the website.
And a strange thing: the certificate I created is considered by my provider’s analyzer as having the incorrect issuer. I tried in another test tool, and the result was the same, the certificate is not trusted: “This server’s certificate chain is incomplete.”

What can I do?

Thanks in advance!

mTLS (mutual TLS) is used for Authenticated Origin Pull or for authenticating visitors; from the rest of your description I think you are just trying to add an SSL certificate to your origin.

In which case, when using the Cloudflare origin certificate, note this…

“Site visitors may see untrusted certificate errors if you pause or disable Cloudflare on subdomains that use Origin CA certificates. These certificates only encrypt traffic between Cloudflare and your origin server, not traffic from client browsers to your origin.”

That’s indeed what I’m trying to do, but for now it works on none of the subdomains, and I tried for hours with the support team of my hosting provider, without any success. They say it’s a Cloudflare problem, and indeed if the certificate is considered as insecure…

Are the subdomains proxied? If not, then it won’t work for the reason shown. The certificate is trusted by Cloudflare only, not browsers. You will either need to enable the proxy, or use a certificate from a CA like Letsencrypt or other on your origin.

I have three subdomains on this server (including the www), and all three are proxied.

Other than warning about the certificate (which at least confirms it is there), does HTTPS direct to the origin work? (Pause Cloudflare or try the subdomains as “DNS only” to bypass Cloudflare).

When you generated the origin certificates, did they cover the wildcard *.example.com (or the subdomains specifically)?

[add]

Sorry, just seen this…

Looks like you’ve downloaded the Origin Pull CA (hence your mTLS confusion), that’s not for usual SSL connections. You need to generate origin certificates as here…


I still have the issue in DNS only mode.

Yes the certificate covers everything with a wildcard.

Regarding the Cloudflare Origin RSA PEM, I did what the tutorial on my hosting provider was saying here. And I tried both certificates without any success. Now my provider says the problem is related to the certificate being considered as not secure.

What is the domain name? Keep it DNS only for now.

It is slate.fr. Right now the apex points to www, and www to the current version of our website. And I was doing my tests on stage.slate.fr.

I can’t change to DNS only on the www and apex right now, I can’t risk downtime in the middle of the day, we have too many people on the website.

Can you set stage.slate.fr to DNS only? (I assume it’s pointing at the same origin with the same configuration?)

[edit] or just give the IP/hostname of the origin server. Just want to make a direct connection and see what happens in the SSL handshake and the certificate.

Alright it’s DNS only now on stage!

Do you think it can be because the certificate I generated is valid for 14 years? Should I just generate it for a year?

The SSL certificate is working fine (I connect using --insecure because, as noted above, this certificate is only trusted by Cloudflare). But it seems you have also configured your server to ask for a client certificate. That is what you would do if you were implementing an authenticated origin pull (mTLS). I’m still not clear if that’s also what you are trying to achieve. If not, turn that off. (And if you are, I would also turn it off for now so you can prove to yourself the SSL certificate is ok via Cloudflare).

curl -Ivv https://stage.slate.fr --insecure
*   Trying 90.84.46.40:443...
* Connected to stage.slate.fr (90.84.46.40) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: O=CloudFlare, Inc.; OU=CloudFlare Origin CA; CN=CloudFlare Origin Certificate
*  start date: Jan 19 04:03:00 2024 GMT
*  expire date: Jan 15 04:03:00 2039 GMT
*  issuer: C=US; O=CloudFlare, Inc.; OU=CloudFlare Origin SSL Certificate Authority; L=San Francisco; ST=California
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x55fa9d7f9e90)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> HEAD / HTTP/2
> Host: stage.slate.fr
> user-agent: curl/7.81.0
> accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS alert, unknown (628):
* OpenSSL SSL_read: error:0A00045C:SSL routines::tlsv13 alert certificate required, errno 0
* Failed receiving HTTP2 data
* OpenSSL SSL_write: SSL_ERROR_ZERO_RETURN, errno 0
* Failed sending HTTP2 data
* Connection #0 to host stage.slate.fr left intact
curl: (56) OpenSSL SSL_read: error:0A00045C:SSL routines::tlsv13 alert certificate required, errno 0 
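As an added example (not part of the thread, and not a Cloudflare tool), a small Python classifier that reads a curl -v transcript like the one above and separates the two things being mixed up here: an Origin CA certificate that is untrusted outside Cloudflare (expected, verify result 20) versus a server that sends a CertificateRequest and aborts with “certificate required” (client certificates, i.e. mTLS, enforced). The transcript embedded below is a constructed excerpt modelled on the output quoted in this post.

```python
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the curl -Ivv output quoted above;
# it is not the poster's full transcript.
SAMPLE_CURL_OUTPUT = """\
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* Server certificate:
*  subject: O=CloudFlare, Inc.; OU=CloudFlare Origin CA; CN=CloudFlare Origin Certificate
*  issuer: C=US; O=CloudFlare, Inc.; OU=CloudFlare Origin SSL Certificate Authority
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* OpenSSL SSL_read: error:0A00045C:SSL routines::tlsv13 alert certificate required, errno 0
"""


@dataclass
class OriginDiagnosis:
    origin_ca_cert: bool         # server cert issued by Cloudflare Origin CA
    untrusted_locally: bool      # verify result (20): issuer not in local trust store
    client_cert_requested: bool  # server sent CertificateRequest (13): mTLS is on
    client_cert_missing: bool    # server closed with "certificate required"

    def verdict(self) -> str:
        """One-line reading of the handshake, in the order the thread untangles it."""
        if self.client_cert_requested and self.client_cert_missing:
            return ("origin demands a client certificate (authenticated origin pull / mTLS); "
                    "plain HTTPS clients are rejected regardless of the server certificate")
        if self.origin_ca_cert and self.untrusted_locally:
            return ("origin CA certificate: untrusted by browsers and checkers by design, "
                    "trusted by the Cloudflare proxy; expected when testing directly")
        return "no Cloudflare-specific issue detected in this transcript"


def diagnose(curl_verbose: str) -> OriginDiagnosis:
    """Classify a curl -v TLS transcript against the two problems mixed up in the thread."""
    issuer = re.search(r"^\*\s+issuer: (.*)$", curl_verbose, re.M)
    verify = re.search(r"verify result: .*?\((\d+)\)", curl_verbose)
    return OriginDiagnosis(
        origin_ca_cert=bool(issuer and "CloudFlare Origin" in issuer.group(1)),
        untrusted_locally=bool(verify and verify.group(1) == "20"),
        client_cert_requested=bool(re.search(r"TLS handshake, Request CERT \(13\)", curl_verbose)),
        client_cert_missing="alert certificate required" in curl_verbose,
    )


if __name__ == "__main__":
    result = diagnose(SAMPLE_CURL_OUTPUT)
    print(result)
    print(result.verdict())
```

Feed it the output of `curl -Ivv https://<origin> --insecure` captured to a file; once the client-certificate check is removed on the origin, the verdict drops to the “origin CA certificate” line, which is the expected state for a direct test.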

Yes that’s what I’m trying to do, because it’s what my provider told me to do, so I followed their guide: https://support.platform.sh/hc/en-us/community/posts/16439502516242

Bear with me while we pick this apart slowly to get it right.

So are you happy that the Cloudflare origin certificate (just for the initial SSL, the 14 year one) is OK for you? I suggest you prove to yourself that works first. So set stage back to be proxied, turn OFF mTLS in your server configuration and make sure the site works on Cloudflare without using a client certificate. It should work ok through Cloudflare.

When that’s working ok, we can go back and work through the origin pull setup.

I generated this new certificate only because I don’t have the private key to the certificate currently in place on the server running slate.fr (which is not the same, since we’re switching offers for our new website). I left the 14-year value because it was the default one, but I can try with a shorter one.

I deactivated mTLS in Cloudflare and switched the proxy back on. I will remove the mTLS config from the server and let you know!

No need, leave it alone. The connection SSL and mTLS are separate tasks and it will be impossible to fix if you mess with both at once. Get the SSL connection working first, then you know that’s ok. Only then start to do the mTLS configuration.

I removed the certificate check on the routes, and it seems to work now.

I still don’t understand why the certificate is considered as not trustworthy by certificate checkers though.

Because it is not signed by a CA that’s trusted by a browser. It is trusted by the Cloudflare proxy though, and in the real world no-one apart from Cloudflare should ever be connecting directly to your origin.

If you want a certificate that’s trusted by a checker/browser, then you’ll have to install a Letsencrypt certificate or similar instead of the Cloudflare origin certificate.

Don’t confuse that with the mTLS cert though.

As the SSL certificate is working ok, you can now work through the instructions to enable mTLS authenticated origin pulls.

I note that your host’s instructions ask you to get the “Cloudflare Origin CA PEM”. For origin pull, it should be the cert as described here (which says not to confuse them) so you might want to double check that with your host…


Alright I understand what you’re saying about the certificate not being valid (all those questions are not my strong suit :cold_sweat:). Should I install a trusted certificate in addition to the mTLS one?

And if I’m not mistaken, the Cloudflare page says approximately what my provider says in its guide, right? To use the Cloudflare Origin RSA PEM on all the routes of my app, and not the one I generated?