Do I have this right?

What is the name of the domain?

example.com

What is the issue you’re encountering?

Do I have this right?

What steps have you taken to resolve the issue?

Okay, so I’d like to run a webserver behind a CGNAT.
Presently my site has a Let’s Encrypt SSL certificate, and serves HTTPS traffic.
From what I understand, I can configure my server to only serve HTTP, and with no security certificate.
The cloudflared daemon then opens an encrypted tunnel to Cloudflare, and nobody but Cloudflare can see my server’s HTTP traffic.
Cloudflare then creates a security certificate for my domain name, and effectively serves my site’s HTTP traffic as HTTPS.
Sound rational?
TIA, M.

Should work, yes. Not the best practice, however Cloudflare allows you to achieve this.

Instead of using LE’s certificate, you can use Cloudflare’s Origin CA certificate, since LE’s certificate renewal would fail behind the Cloudflare proxy.

Do you have SSL on the origin or not? If not, then you’ve got two options to fix a possible issue with this:

  1. Make sure you’ve enabled the noTLSVerify option for your public hostname on your configured cloudflared tunnel, and that your website is bound to port 443 and “working” over HTTPS at your local machine even with an invalid SSL certificate (not the best case), which you can generate yourself.

  2. Generate and install a Cloudflare Origin CA certificate onto your Nginx web server on the local machine → Origin CA certificates · Cloudflare SSL/TLS docs (recommended to solve the errors you’re experiencing and to have end-to-end encryption)

Nevertheless, go here https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/configuration. Select Custom and not automatic. Reference, Introducing Automatic SSL/TLS: securing and simplifying origin connectivity. Double-check your SSL/TLS setting to make sure it’s set to Full (Strict).
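As an added illustration of the two options above (example configuration, not fritex’s own or Cloudflare’s), here is a cloudflared config.yml showing the noTLSVerify shortcut next to the Origin CA version; the tunnel ID, the file paths and the location of the Origin CA root PEM are placeholders/assumptions, only example.com comes from the thread.

```yaml
# Added example: cloudflared ingress for one site behind a tunnel.
# Values in <angle brackets> and all file paths are assumed placeholders.
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  # Option 1 (quick, weaker): nginx presents a self-signed certificate on :443
  # and cloudflared skips certificate validation on the local hop.
  # The tunnel to Cloudflare's edge is still encrypted; only the
  # cloudflared -> origin hop on this host goes unverified.
  # - hostname: example.com
  #   service: https://localhost:443
  #   originRequest:
  #     noTLSVerify: true

  # Option 2 (recommended): nginx serves a Cloudflare Origin CA certificate
  # and cloudflared validates it against the Origin CA root, so a process
  # that hijacks port 443 on the host with its own certificate is rejected.
  - hostname: example.com
    service: https://localhost:443
    originRequest:
      # The Origin CA root is not in the system trust store, so give
      # cloudflared the PEM to validate against (path is an assumption).
      caPool: /etc/cloudflared/cloudflare-origin-ca-root.pem
      # Name to expect in the origin certificate when the service URL is localhost.
      originServerName: example.com

  # Catch-all rule that cloudflared requires as the last ingress entry.
  - service: http_status:404
```

On the nginx side, ssl_certificate and ssl_certificate_key point at the Origin CA certificate and key for Option 2; with Option 1 they point at the self-signed pair instead.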

Wow! I should be paying for such good support.

Thanks, fritex.
M.

