CORS worker and self-signed certificates

Hello everyone,

I'd like to request help setting up a worker as a CORS proxy. I took the code from the CORS worker template and modified it a bit; so far everything works fine.

The problem is that I also need to use the worker for a site with a self-signed SSL certificate. I get the 526 “Invalid SSL certificate” error when trying to access this site through my worker. Does anybody have a suggestion how to deal with this problem? I did a lot of googling already, but it seems no one has had this issue before. The worker should be called from an Android system, so there is no possibility to just add the certificate to the system, because starting with Android N no user certificates can be added as system certificates.

Thanks in advance for your answer!

Installing the server’s certificate on the client won’t work since CF itself is a proxy; it will always show a browser-trusted certificate when clients connect.

Does this not happen for your website when not running behind a worker? AFAIK the SSL setting (full vs full strict) is the same both when using fetch in a worker and when just using Cloudflare.

But to recommend a fix, try setting SSL in the TLS tab to Full, non-strict mode and see if it works.


Thanks for the quick reply. I have set SSL to full/non-strict mode, from what I read I have to wait up to 24h now until the new settings take effect, then I can test if this works.

In this case, no, the setting change should take effect within 30 seconds or so – it’s propagated via the same system that we use to distribute worker scripts to datacenters. The 24 hour delay mentioned in the help docs for the SSL/TLS settings refers to new certificate issuance, which isn’t a factor here.


Okay, after setting SSL to Full I still have the problem with my CORS worker not being able to access this specific site.

To access the SSL/TLS settings page I had to add a random website since I only have the worker - is this setting now only valid for this site? Or also for the worker?

Is the other site not on Cloudflare at all? I think we might validate origin certificates in that case, even in Full non-strict mode. If it’s on Cloudflare, then I’d expect it to work.

Then this might be the issue, as the other site is not on Cloudflare. So I guess there is probably no possibility to get this working.

Unfortunately, I think you’re right. You could see if a CNAME within your zone pointing to the foreign zone helps. I tested that with https://self-signed.badssl.com, and successfully got a response from the origin that way, but it was an origin error, not the expected content.

Okay, still thanks to you for your help.
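For the CORS proxy setup discussed in this thread, an added example (not the Cloudflare template and not any poster's code): a Worker handler that forwards only to allow-listed HTTPS upstreams, so the Worker is not an open proxy, and passes Cloudflare's 525/526 TLS errors back to the client with CORS headers intact, so an Android or browser client sees the certificate problem instead of a generic CORS failure. The hostnames, client origins and the `apiurl` query parameter are assumptions; `fetchImpl` is injectable so the handler can be exercised without network access.

```javascript
// Added example, not the CORS template from the thread. A Worker fetch handler that
// forwards only to allow-listed HTTPS upstreams (so the Worker is not an open proxy)
// and keeps CORS headers on error replies such as Cloudflare's 526 "Invalid SSL
// certificate", so the client sees the real status instead of an opaque CORS failure.
const ALLOWED_UPSTREAM_HOSTS = new Set(["api.internal.example"]); // assumed host
const ALLOWED_CLIENT_ORIGINS = new Set(["https://app.example"]);   // assumed origin

function corsHeaders(origin) {
  const h = new Headers();
  // Echo only a known client origin rather than answering "*".
  if (origin && ALLOWED_CLIENT_ORIGINS.has(origin)) {
    h.set("Access-Control-Allow-Origin", origin);
    h.set("Vary", "Origin");
  }
  h.set("Access-Control-Allow-Methods", "GET,HEAD,POST,OPTIONS");
  return h;
}

// Resolve ?apiurl= to an upstream URL, or null if it is not on the allow-list.
function selectUpstream(requestUrl) {
  const target = new URL(requestUrl).searchParams.get("apiurl");
  let u; try { u = new URL(target); } catch { return null; }
  if (u.protocol !== "https:" || !ALLOWED_UPSTREAM_HOSTS.has(u.hostname)) return null;
  return u.toString();
}

// Wrap the upstream Response: the status passes through (526 included), CORS headers
// are always added, and Cloudflare TLS errors (525/526) get an explanatory JSON body.
function buildProxyResponse(upstream, origin) {
  const headers = corsHeaders(origin);
  if (upstream.status === 525 || upstream.status === 526) {
    headers.set("Content-Type", "application/json");
    const body = JSON.stringify({ error: "upstream TLS error", status: upstream.status,
      hint: "Cloudflare could not validate the origin certificate" });
    return new Response(body, { status: upstream.status, headers });
  }
  for (const [k, v] of upstream.headers) headers.set(k, v);
  return new Response(upstream.body, { status: upstream.status, headers });
}

async function handleRequest(request, fetchImpl = fetch) {
  const origin = request.headers.get("Origin");
  if (request.method === "OPTIONS") return new Response(null, { status: 204, headers: corsHeaders(origin) });
  const upstreamUrl = selectUpstream(request.url);
  if (!upstreamUrl) return new Response("upstream not allowed", { status: 403, headers: corsHeaders(origin) });
  const init = { method: request.method };
  if (request.method !== "GET" && request.method !== "HEAD") init.body = request.body;
  return buildProxyResponse(await fetchImpl(upstreamUrl, init), origin);
}
```

In a Worker, register it with `addEventListener('fetch', e => e.respondWith(handleRequest(e.request)))`. The Worker's own fetch will still reject a self-signed origin certificate; the example only makes that failure visible to the client.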