Constant SSL problems between CloudFlare and Nginx

Hello Everyone,

I am having constant problems with Cloudflare and the Nginx server. I see the Cloudflare SSL error screen whenever I try to connect to the site. The Nginx logs show the following:

2024/05/30 19:16:16 [info] 9#9: *1 SSL_do_handshake() failed (SSL: error:0A000412:SSL routines::sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: xxx.xxx.xxx.xxx, server: 0.0.0.0:443
2024/05/30 19:16:17 [info] 8#8: *2 SSL_do_handshake() failed (SSL: error:0A000412:SSL routines::sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: xxx.xxx.xxx.xxx, server: 0.0.0.0:443

I created the origin certificate from “Domain → SSL/TLS → Origin Server” tab. I enabled the “Full (strict)” under “Domain → SSL/TLS” tab. I also enabled “Domain → SSL/TLS → Origin Server → Authenticated Origin Pulls”.

Below is my config for Nginx SSL:

  ssl_session_cache         shared:SSL:50m;
  ssl_session_timeout       5m;
  ssl_protocols             SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers               'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
  ssl_ecdh_curve            secp384r1;
  ssl_dhparam               /etc/ssl/ssl-dhparams.pem;
  ssl_certificate           /etc/ssl/cert.pem;
  ssl_certificate_key       /etc/ssl/key.pem;

Any ideas what I am doing wrong? Thanks in advance, everyone!
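The "SSL alert number 42" in those log lines is the standard TLS AlertDescription value for bad_certificate, and OpenSSL's "sslv3 alert ..." / "tlsv1 alert ..." wording marks an alert that nginx received from the connecting peer, so it records the peer's verdict on the handshake rather than a local check. The following parser is an added example, not code from the thread or from Cloudflare or nginx; it reads nginx error_log lines of the shape shown above, pulls out the OpenSSL error code, the reason string and the alert number, maps the number to its RFC 5246/8446 name, and tallies failures per client so a recurring rejection stands out. The sample lines other than the two quoted above are constructed, and the IP addresses in them are documentation ranges.

```python
"""Decode nginx SSL_do_handshake() failures into TLS alert names.

Added example for the thread above; it is not part of nginx or Cloudflare.
Handles both the OpenSSL 3 error format (error:CODE:LIB::REASON[:extra]) and
the OpenSSL 1.1 format (error:CODE:LIB:FUNC:REASON).
"""
import re
from collections import Counter
from typing import Optional

# Subset of TLS AlertDescription values (RFC 5246 section 7.2, RFC 8446 section 6).
TLS_ALERTS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    22: "record_overflow",
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    49: "access_denied",
    50: "decode_error",
    51: "decrypt_error",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
    109: "missing_extension",
    110: "unsupported_extension",
    112: "unrecognized_name",
    116: "certificate_required",
    120: "no_application_protocol",
}

# nginx error_log line for a failed handshake, as shown in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#(?P<tid>\d+): "
    r"\*(?P<conn>\d+) SSL_do_handshake\(\) failed \(SSL: (?P<ssl_err>.+?)\) "
    r"while SSL handshaking, client: (?P<client>\S+), server: (?P<server>\S+)$"
)
ALERT_RE = re.compile(r"SSL alert number (?P<num>\d+)")


def parse_handshake_failure(line: str) -> Optional[dict]:
    """Return a structured record for a handshake-failure line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ssl_err = m.group("ssl_err")
    parts = ssl_err.split(":")
    # Field 4 is the reason string in both OpenSSL 1.1 and OpenSSL 3 formats.
    reason = parts[4] if len(parts) > 4 else ssl_err
    code = parts[1] if len(parts) > 1 else ""
    alert = ALERT_RE.search(ssl_err)
    alert_number = int(alert.group("num")) if alert else None
    return {
        "ts": m.group("ts"),
        "client": m.group("client"),
        "server": m.group("server"),
        "code": code,
        "reason": reason,
        "alert_number": alert_number,
        "alert_name": TLS_ALERTS.get(alert_number, "unknown") if alert else None,
        # An "... alert ..." reason with an alert number is one OpenSSL received
        # from the peer, i.e. the peer rejected the handshake.
        "peer_sent_alert": alert is not None,
    }


def summarize(lines) -> Counter:
    """Count failures by (alert name or reason, client) for a quick triage view."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_handshake_failure(line)
        if rec is None:
            continue
        key = rec["alert_name"] if rec["alert_name"] else rec["reason"]
        counts[(key, rec["client"])] += 1
    return counts


# Constructed sample log: the two lines from the thread plus three made-up ones.
SAMPLE_LOG = [
    "2024/05/30 19:16:16 [info] 9#9: *1 SSL_do_handshake() failed (SSL: error:0A000412:SSL routines::sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: xxx.xxx.xxx.xxx, server: 0.0.0.0:443",
    "2024/05/30 19:16:17 [info] 8#8: *2 SSL_do_handshake() failed (SSL: error:0A000412:SSL routines::sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: xxx.xxx.xxx.xxx, server: 0.0.0.0:443",
    "2024/05/30 19:16:20 [info] 8#8: *3 SSL_do_handshake() failed (SSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48) while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443",
    "2024/05/30 19:16:21 [info] 9#9: *4 SSL_do_handshake() failed (SSL: error:0A0000C7:SSL routines::peer did not return a certificate) while SSL handshaking, client: 203.0.113.9, server: 0.0.0.0:443",
    "2024/05/30 19:16:22 [notice] 1#1: start worker processes",
]

if __name__ == "__main__":
    for (what, client), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {what:40s} from {client}")
```

Lines whose reason carries no alert number (such as the constructed "peer did not return a certificate") are failures nginx detected locally, which is the case to expect once client certificate verification is enforced on the origin; lines with an alert number are the peer's rejection, which is where the two quoted entries fall.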

Was it working with just the Cloudflare Origin CA certificate before adding Authenticated Origin Pulls?

No, it was not. Before we moved to Cloudflare, we were using Google Domains and certbot/letsencrypt. It was working with the settings from there. We can’t get our staging area to work with Cloudflare before we move other domains to Cloudflare.

But, to answer your question, nothing related to SSL worked since we moved our domain to Cloudflare although the same Nginx config was working with certbot/letsencrypt.

I use Let’s Encrypt and Authenticated Origin Pulls with most of my Cloudflare sites. I find that it can be easier to get the encryption working first without the Cloudflare proxy or Authenticated Origin Pulls enabled.

Once the site is working properly without the proxy (this would naturally exclude considering any unknown issuer warning caused by connecting directly when using a Cloudflare Origin CA certificate), the next step of enabling the proxy with Full (strict) encryption should work without any issue.

When the site is running proxied, adding the Authenticated Origin Pulls should be easier since you are starting from a known working state. It is considerably less difficult to troubleshoot only one thing at a time.

Thanks,

Yeah, I think it would be easier for me to follow the same step-by-step approach and figure out which step causes the issue.
Thanks for your reply.
