Cloudflare SSL errors with Let's Encrypt

I’ve started having issues with SSL for domains and subdomains that run through CloudFlare Proxy.

This happens with things like Mattermost server, Nextcloud server, Joplin - their apps report SSL errors. Also my own Python apps report SSL errors when trying to connect to APIs behind CloudFlare Proxy SSL.

Disabling Proxy solves the issue. But I’d like to keep using Proxy mode.

When Proxy mode is enabled all requests work fine when I’m doing them from the same network as the server, behind the same router. I assume because in that case it finds a direct route to the server not through a proxy. But from remote networks anywhere in the world it fails.

On my servers I use Let’s Encrypt certbot to generate certificates. I tried only using --preferred-chain "ISRG Root X1" and without it. But again, I don’t get errors when using my own server without a proxy, so there’s something about CloudFlare’s SSL that breaks API requests from apps.

Opening them in a web browser works fine.

Any ideas? What is the correct way of setting up SSL with CloudFlare proxy?

Nginx - certbot - cloudflare proxy

Are you saying the issue is between Cloudflare and your origin server due to your certbot-issued certificate?

If so, then could you try to have Cloudflare generate the origin certificate for you on one of these sites as a test?

https://developers.cloudflare.com/ssl/origin-configuration/origin-ca

Hello,

No, I don’t think it’s between Cloudflare and my origin server.

client -> cloudflare proxy enabled -> origin server (Let's encrypt certificate) - shows SSL error on the client.

client -> cloudflare proxy disabled -> origin server (Let's encrypt certificate) - works fine

I tried with Full and Full (Strict) modes. Also web browsers work fine. Only apps (different apps, different developers) and python scripts show errors.

It could just be the recent Let’s Encrypt cert issue. You can switch to a Digicert one with the API:

I’m not sure - what does it do exactly?

It replaces the Let’s Encrypt certificate on the Cloudflare proxy edge server with a certificate from Digicert. Some software has been erroring out because an outdated root cert for Let’s Encrypt expired.
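The reply above points at the usual cause of "browser works, app fails" with Let's Encrypt chains: the client's CA bundle is stale. The following is an added example, not code from the thread or from Cloudflare, that audits the roots a Python client actually trusts and reports whether ISRG Root X1 is loaded or only the expired DST Root CA X3 (a real root name that is not mentioned in the thread). It uses only the standard library; the sample stores, dates and the helper names `audit_roots`, `audit_default_store` and `diagnose` are constructed for illustration.

```python
"""Audit a client's trust store for the roots involved in the 2021
Let's Encrypt chain change. Added example; not from the thread."""
import ssl
import time

# Root CA common names relevant to Let's Encrypt chains. ISRG Root X1 is the
# current root; DST Root CA X3 is the old cross-sign root that expired in
# September 2021 (a well-known fact, not taken from the thread).
ISRG_ROOT_X1 = "ISRG Root X1"
DST_ROOT_CA_X3 = "DST Root CA X3"


def _common_name(cert):
    """Pull the commonName out of the 'subject' field of an ssl cert dict."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def audit_roots(certs, now=None):
    """Inspect cert dicts shaped like ssl.SSLContext.get_ca_certs() output.

    Returns a dict with:
      isrg_root_x1_present  - the modern Let's Encrypt chain can be validated
      dst_root_x3_present   - the old cross-sign root is still loaded
      dst_root_x3_expired   - ... and it is past notAfter (the breakage case)
      expired_roots         - common names of every expired root in the store
    """
    if now is None:
        now = time.time()
    result = {
        "isrg_root_x1_present": False,
        "dst_root_x3_present": False,
        "dst_root_x3_expired": False,
        "expired_roots": [],
    }
    for cert in certs:
        cn = _common_name(cert)
        not_after = cert.get("notAfter")
        expired = (not_after is not None
                   and ssl.cert_time_to_seconds(not_after) < now)
        if expired and cn:
            result["expired_roots"].append(cn)
        if cn == ISRG_ROOT_X1 and not expired:
            result["isrg_root_x1_present"] = True
        elif cn == DST_ROOT_CA_X3:
            result["dst_root_x3_present"] = True
            result["dst_root_x3_expired"] = expired
    return result


def audit_default_store(cafile=None):
    """Audit the roots Python's default SSL context loads on this host.

    Pass cafile=certifi.where() to audit the bundle that `requests` ships with
    instead of the platform store (assumed usage; certifi is not imported here).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    return audit_roots(ctx.get_ca_certs())


def diagnose(report):
    """Turn an audit into the likely reason a client rejects LE-signed sites."""
    if report["isrg_root_x1_present"]:
        return "ok: ISRG Root X1 trusted; failures are not a missing LE root"
    if report["dst_root_x3_present"] and report["dst_root_x3_expired"]:
        return "stale: only the expired DST Root CA X3 is trusted; update the CA bundle"
    return "missing: no Let's Encrypt root in the store; update the CA bundle"


# Constructed sample stores (not real certificate data) in the dict shape
# get_ca_certs() returns. Dates are illustrative values chosen for the demo.
SAMPLE_STALE_STORE = [
    {"subject": ((("organizationName", "Digital Signature Trust Co."),),
                 (("commonName", "DST Root CA X3"),)),
     "notBefore": "Sep 30 21:12:19 2000 GMT",
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "DigiCert Inc"),),
                 (("commonName", "DigiCert Global Root CA"),)),
     "notBefore": "Nov 10 00:00:00 2006 GMT",
     "notAfter": "Nov 10 00:00:00 2031 GMT"},
]
SAMPLE_FIXED_STORE = SAMPLE_STALE_STORE + [
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Internet Security Research Group"),),
                 (("commonName", "ISRG Root X1"),)),
     "notBefore": "Jun 04 11:04:38 2015 GMT",
     "notAfter": "Jun 04 11:04:38 2035 GMT"},
]

if __name__ == "__main__":
    # Fixed "now" of 2022-01-01 UTC so the demo is reproducible offline.
    demo_now = 1640995200
    print("stale store:", diagnose(audit_roots(SAMPLE_STALE_STORE, demo_now)))
    print("fixed store:", diagnose(audit_roots(SAMPLE_FIXED_STORE, demo_now)))
    print("this host:  ", diagnose(audit_default_store()))
```

Run it on the machine where the app fails, not on the origin server: the thread's point is that the same server works from a browser, so what differs is the client's trust store. An app that embeds its own bundle (for example `requests` via certifi, or an Electron/mobile client with a pinned CA set) has to be updated separately from the operating system.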

Yes, I know that, had to fix it on my own servers. So Cloudflare uses Let’s Encrypt’s certificates as well? I don’t think it was mentioned anywhere in certificate names. It’s:

Common name: sni.cloudflaressl.com
Organization: Cloudflare, Inc.
Location: San Francisco, California, US
Valid from June 10, 2021 to June 10, 2022
Issuer: Cloudflare Inc ECC CA-3

Common name: Cloudflare Inc ECC CA-3
Organization: Cloudflare, Inc.
Location: US
Valid from January 27, 2020 to December 31, 2024

Are these still somehow related to Let’s Encrypt?

Ah, not those. If you dig a bit deeper, you’ll see they’re Digicert.

Cloudflare somewhat randomly assigns from LE or Digicert.

Well, these are the ones assigned to my domains. So I guess that won’t help.


I’m kind of afraid to bring this up, to not confuse the thread, because I feel like it’s a completely unrelated issue. However, it has similar behavior.

I’m running Mattermost server the same way, and I send messages to it using Webhooks through Python. Whenever it goes through Cloudflare proxy I get a 403 Forbidden reply from it. Any idea what it might be? I’m not sure where the forbidden comes from, Cloudflare or my nginx server.

If I send the same request using curl it works though, through cloudflare proxy.

A 403 should show either in the Firewall log here, or your server log.

Thank you. I think I solved this second issue. I added a User-Agent header. The default one served by Python’s requests library is something like python-requests, and I changed it to a Mozilla ... one.

Does cloudflare somehow block these assuming those are scrapers or something? Is there a way to disable this protection, if that’s what’s been causing it?

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.