Cloudflared ignores noTLSVerify option

I’ve been testing out Argo Tunnel; I had success getting everything working with single ports/services. I’ve been trying to set it up with ingress rules as in this tutorial: https://developers.cloudflare.com/cloudflare-one/tutorials/multi-origin but I keep getting certificate errors trying to connect to my origin servers. I haven’t installed trusted certs on them yet and I know that’s the correct way to do it, but just to get it running I tried putting noTLSVerify in my config.yml file and it doesn’t seem to change anything. I get the same error if I run “cloudflared tunnel --no-tls-verify run docker1” from the command line (not as a service).

Odd, because otherwise it does seem to be following the other elements of the config (port numbers, log location, etc.). Am I missing something here?

OS: Ubuntu Server 20.04 x86_64
Cloudflared version: 2020.12.0

Config.yml:
 tunnel: docker1
 credentials-file: .json
 logfile: /home/elewis/.cloudflared/cloudflared.log
 ingress:
  - hostname:
    service: https://localhost:9090
    noTLSVerify: true
  - service: http_status:404

Log output:

[2021-01-01T16:49:49.87797023-07:00]: Starting tunnel
[2021-01-01T16:49:49.879402774-07:00]: Version 2020.12.0
[2021-01-01T16:49:49.879424141-07:00]: GOOS: linux, GOVersion: go1.15.6, GoArch: amd64
[2021-01-01T16:49:49.879492373-07:00]: Environment variables map[cred-file:/home/elewis/.cloudflared/.json credentials-file:/home/elewis/.cloudflared/.json proxy-dns-upstream:https://1.1.1.1/dns-query, https://1.0.0.1/dns-query]
[2021-01-01T16:49:49.879858272-07:00]: Autoupdate frequency is set to 24h0m0s
[2021-01-01T16:49:49.880414564-07:00]: Initial protocol h2mux
[2021-01-01T16:49:49.893031791-07:00]: Starting metrics server on 127.0.0.1:39171/metrics
[2021-01-01T16:49:50.505407447-07:00]: Connection 0 registered with SJC using ID
[2021-01-01T16:49:50.826283882-07:00]: Connection 1 registered with LAX using ID
[2021-01-01T16:49:52.002650594-07:00]: Connection 2 registered with SJC using ID
[2021-01-01T16:49:52.852401651-07:00]: Connection 3 registered with LAX using ID
[2021-01-01T16:52:36.302578839-07:00]: CF-RAY: -SEA Proxying to ingress 0 error: Error proxying request to origin: x509: certificate signed by unknown authority
[2021-01-01T16:52:37.454566905-07:00]: CF-RAY: -SEA Proxying to ingress 0 error: Error proxying request to origin: x509: certificate signed by unknown authority

Can you try no-tls-verify: true?

I get the same result after changing the config to “no-tls-verify: true” and restarting the service.

Can you place no-tls-verify: true before the ingress parameter?

I was rereading the documentation and I think I may have figured it out. I think with the new ingress rules syntax, noTLSVerify has to be nested inside an originRequest: stanza. I changed my config.yml to the following and it appears to work now:

 tunnel: docker1
 credentials-file: /home/elewis/.cloudflared/redacted.json
 logfile: /home/elewis/.cloudflared/cloudflared.log
 ingress:
  - hostname: redacted
    service: https://localhost:9090
    originRequest:
      connectTimeout: 10s
      noTLSVerify: true
  - service: http_status:404
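A check for the mistake this thread ran into, as an added example (not code from the thread or from cloudflared): it flags originRequest settings placed directly on an ingress rule, and flags noTLSVerify: true where it does take effect. The `lint_ingress` helper, the hostname and the CA path are assumptions; `caPool` and `originServerName` are the cloudflared originRequest options that keep verification on for an origin with a private CA.

```python
# Indentation scan only, not a YAML parser (assumes the simple block layout in this thread).
ORIGIN_KEYS = {"noTLSVerify", "connectTimeout", "caPool", "originServerName"}

def lint_ingress(text):
    """Return [(line_no, message)] for the ingress rules in a config.yml text."""
    findings, in_ingress, rule_col, origin_col = [], False, None, None
    for no, raw in enumerate(text.splitlines(), 1):
        body = raw.strip()
        if not body or body.startswith("#"):
            continue
        col = len(raw) - len(raw.lstrip())
        if in_ingress and body.startswith("- "):
            # New rule: its keys line up with the first key after the dash.
            rest = body[1:]
            col += 1 + len(rest) - len(rest.lstrip())
            rule_col, origin_col, body = col, None, rest.lstrip()
        elif col == 0:
            in_ingress, rule_col, origin_col = body.startswith("ingress:"), None, None
            continue
        if not in_ingress:
            continue
        key, _, value = (s.strip() for s in body.partition(":"))
        if origin_col is not None and col <= origin_col:
            origin_col = None  # left the originRequest block
        if col == rule_col and key == "originRequest":
            origin_col = col
        elif col == rule_col and key in ORIGIN_KEYS:
            findings.append((no, f"{key} must be nested under originRequest"))
        elif origin_col is not None and key == "noTLSVerify" and value.lower() == "true":
            findings.append((no, "origin certificate verification is disabled"))
    return findings

# Constructed samples modelled on the thread (hostname and CA path are placeholders).
MISPLACED = """\
ingress:
  - hostname: app.example.com
    service: https://localhost:9090
    noTLSVerify: true
  - service: http_status:404
"""
VERIFIED = """\
ingress:
  - hostname: app.example.com
    service: https://localhost:9090
    originRequest:
      caPool: /etc/cloudflared/origin-ca.pem
      originServerName: app.example.com
  - service: http_status:404
"""
if __name__ == "__main__":
    print(lint_ingress(MISPLACED), lint_ingress(VERIFIED))
```

The second finding is the one to track after a "just to get it running" change: once the origin has a certificate that chains to the file in `caPool`, the `noTLSVerify` line can be removed.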

Thanks for sharing. I haven’t tried the new ingress rule though. Hope this can help other people.
