Error 526 even though I've used Cloudflare Origin Certificates

dave.fethiye · May 4, 2022, 2:19pm

Hi,
I have spend some hours on this reading stuff, and so far I can not see why I am still getting this error

I have a domain “good-health.ml” and I want to have sub-domains on it.

I have a dedicated server running ubuntu 20.04
and I’m using apache server
with Public IP address: 5.101.140.50

I have created an origin certificate and Private key on CF
Then I copied them into files on the etc/cf_keys directory
/etc/cf_keys/good-health-ml/cf_origin_cert.pem
/etc/cf_keys/good-health-ml/cf_priv_key.pem

I did this with root - do I need to chown or chmod these files ?

Then I created the VirtualHost

<VirtualHost *:443>       
        ServerName good-health.ml
        ServerAlias *.good-health.ml

        DocumentRoot /var/www/good-health.ml

        <Directory "/var/www/good-health.ml">
             AllowOverride All
        </Directory>

	SSLEngine on
	SSLCertificateFile "/etc/cf_keys/good-health-ml/cf_origin_cert.pem"
    	SSLCertificateKeyFile "/etc/cf_keys/good-health-ml/cf_priv_key.pem"

        ErrorLog ${APACHE_LOG_DIR}/error.log
    	CustomLog ${APACHE_LOG_DIR}/access.log combined

	Header always set Strict-Transport-Security "max-age=31536000"
	SSLUseStapling on
	Header always set Content-Security-Policy upgrade-insecure-requestscd 
</VirtualHost>

and I ran systemctl restart apache2

From my windows pc this is the Tracer route with Cloudflare “PAUSED”

Tracing route to good-health.ml [5.101.140.50]
over a maximum of 30 hops:

1 1 ms <1 ms <1 ms routerlogin.net [192.168.0.1]
2 * * * Request timed out.
3 13 ms 8 ms 8 ms hari-core-2b-ae47-0.network.virginmedia.net [81.97.255.29]
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 18 ms 18 ms 17 ms telw-ic-4-ae0-0.network.virginmedia.net [62.254.84.70]
8 18 ms 19 ms 18 ms m498-mp2.cvx3-a.ltn.dial.ntli.net [213.104.85.242]
9 20 ms 20 ms 18 ms xe-0-0-1-to-THE.bsd.as42831.net [78.157.212.186]
10 21 ms 19 ms 18 ms no.rdns.ukservers.com [5.101.140.50]

Trace complete.

From my windows pc this is the Tracer route with Cloudflare “ON”

Tracing route to good-health.ml [172.67.193.33] <<— Notice it has a CF address now
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms routerlogin.net [192.168.0.1]
2 * * * Request timed out.
3 8 ms 11 ms 8 ms hari-core-2b-ae47-0.network.virginmedia.net [81.97.255.29]
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 16 ms 19 ms 16 ms tcma-ic-2-ae9-0.network.virginmedia.net [62.253.174.178]
9 17 ms 16 ms 15 ms 162.158.32.254
10 21 ms 24 ms 16 ms 162.158.32.11
11 16 ms 15 ms 15 ms 172.67.193.33

Trace complete.
See these images:

Why does the address resolve to a Cloudflare address and not mine ( 5.101.140.50 ) ?

Hope someone can help

KianNH · May 4, 2022, 2:25pm

If you unproxy the record, what certificate are you presented with?

Going to the IP directly gives me a certificate for botx10.com and hitting it with cURL gives me an expired certificate warning.

➜  ~ curl https://good-health.ml --resolve good-health.ml:443:5.101.140.50  
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html

dave.fethiye · May 4, 2022, 2:39pm

Thanks
I just ran same command

curl: (60) SSL certificate problem: certificate has expired

So - how do I “unproxy the record” ?

dave.fethiye · May 4, 2022, 2:45pm

Maybe I should just Revoke the Origin Certificate on Cloudflare and create a new one ?

Any thoughts ?

KianNH · May 4, 2022, 3:08pm

In DNS, edit the record and make it DNS Only/grey cloud.

michael · May 4, 2022, 3:39pm

Probably will not help. The Origin server that is being connected to does not present the correct certificate.

% openssl s_client -showcerts -servername good-health.ml -connect 5.101.140.50:443 -quiet </dev/null

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = bot10x.com
verify error:num=10:certificate has expired
notAfter=Feb 19 08:57:24 2022 GMT
verify return:1
depth=0 CN = bot10x.com
notAfter=Feb 19 08:57:24 2022 GMT
verify return:1

Best guess is that either you have the wrong IP address, or perhaps you forgot to apachectl -k graceful after modifying the config.

dave.fethiye · May 4, 2022, 3:40pm

OK done that.

In the browser I get this:

When I do the curl, I get this result:

curl: (60) SSL certificate problem: certificate has expired

and from my pc I get:

C:\Users\David>tracert good-health.ml

Tracing route to good-health.ml [5.101.140.50]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms routerlogin.net [192.168.0.1]
2 * * * Request timed out.
3 11 ms 9 ms 8 ms hari-core-2b-ae47-0.network.virginmedia.net [81.97.255.29]
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 18 ms 18 ms 18 ms telw-ic-4-ae0-0.network.virginmedia.net [62.254.84.70]
8 19 ms 18 ms 18 ms m498-mp2.cvx3-a.ltn.dial.ntli.net [213.104.85.242]
9 19 ms 22 ms 18 ms xe-0-0-1-to-THE.bsd.as42831.net [78.157.212.186]
10 19 ms 18 ms 21 ms no.rdns.ukservers.com [5.101.140.50]

Trace complete.

dave.fethiye · May 4, 2022, 3:44pm

That other domain “bot10x.com” is also on my server.

It is the first one ( alphabetically )

[email protected]:/etc/apache2/sites-available# ls -al
total 116
drwxr-xr-x 2 root root 4096 May 4 15:20 .
drwxr-xr-x 8 root root 4096 May 4 15:20 …
-rw-r–r-- 1 root root 426 Dec 8 10:39 bot10x.com.conf
-rw-r–r-- 1 root root 833 Dec 8 20:06 bot10x.com-le-ssl.conf
-rw-r–r-- 1 root root 472 Nov 16 08:45 chitchatmedia.net.conf
-rw-r–r-- 1 root root 513 Nov 21 09:59 chitchatmedia.net-le-ssl.conf
-rw-r–r-- 1 root root 442 Nov 17 17:10 cybxpert.com.conf
-rw-r–r-- 1 root root 483 Nov 21 09:59 cybxpert.com-le-ssl.conf
-rw-r–r-- 1 root root 6338 Apr 13 2020 default-ssl.conf
-rw-r–r-- 1 root root 484 Nov 17 17:12 expressresponse.net.conf
-rw-r–r-- 1 root root 525 Nov 21 10:03 expressresponse.net-le-ssl.conf
-rw-r–r-- 1 root root 542 Dec 8 10:39 gldn.page.conf
-rw-r–r-- 1 root root 834 Dec 8 20:07 gldn.page-le-ssl.conf
-rw-r–r-- 1 root root 667 May 4 12:47 good-health.ml-cf-ssl.conf
-rw-r–r-- 1 root root 397 May 4 13:44 good-health.ml.conf
-rw-r–r-- 1 root root 418 Nov 21 14:48 igw.news.conf
-rw-r–r-- 1 root root 459 Nov 21 14:46 igw.news-le-ssl.conf
-rw-r–r-- 1 root root 437 Nov 17 17:16 pdg.reviews.conf
-rw-r–r-- 1 root root 478 Nov 21 10:06 pdg.reviews-le-ssl.conf
-rw-r–r-- 1 root root 489 May 3 16:28 refugee-support.org.conf
-rw-r–r-- 1 root root 449 Nov 17 17:16 reviewed.page.conf
-rw-r–r-- 1 root root 497 Nov 21 15:08 reviewed.page-le-ssl.conf
-rw-r–r-- 1 root root 442 Nov 21 10:07 smartbiz.pro.conf
-rw-r–r-- 1 root root 483 Nov 21 10:07 smartbiz.pro-le-ssl.conf
-rw-r–r-- 1 root root 430 Nov 17 17:17 ukncsa.com.conf
-rw-r–r-- 1 root root 471 Nov 21 10:08 ukncsa.com-le-ssl.conf
-rw-r–r-- 1 root root 412 Nov 23 14:04 yel.page.conf
-rw-r–r-- 1 root root 760 Nov 23 13:59 yel.page-le-ssl.conf
[email protected]:/etc/apache2/sites-available#

I was using Lets-encrypt but when I saw the option from Cloudflare for origin Certs I am trying to replace the Lets-Encrypt certs with Cloudflare.

good-health.ml is a new domain that I haven’t used with Lets-encryp

You are correct I didn’t run apachectl -k graceful

I just ran systemctl restart apache2

michael · May 4, 2022, 3:54pm

This is not really a Cloudflare issue. Your webserver is not responding to requests for the hostname. You need to resolve that before Cloudflare will be able to reach your webserver.

Check the error logs (typically /var/log/apache2/error.log on Ubuntu), or try a forum better suited to the issue, such as https://webmasters.stackexchange.com.

dave.fethiye · May 5, 2022, 12:59pm

I have set up a new domain on the same server with NO certificate on the server,

So just the basic port 80 configuration

<VirtualHost *:80>
    ServerAdmin [email protected]
    ServerName hurtaid.org
    ServerAlias www.hurtaid.org
    DocumentRoot /var/www/hurtaid.org

    <Directory /var/www/budgets.net>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/eror.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

This site it is running through Cloudflare

In the browser hurtaid.org shows up as “Not Secure” .

Is that normal ?

Cert11

KianNH · May 5, 2022, 1:06pm

Yes, since you’re accessing it over http:// - load it over https:// and it shows a valid certificate.

I would highly recommend not using Flexible and instead making sure you get the origin certificate up and running on your server - Flexible is inherently insecure as the traffic between Cloudflare and your server is sent unencrypted.

dave.fethiye · May 5, 2022, 1:49pm

Yes, that is exactly what I want to do.

I assume that if I go and create an origin certificate in Cloudflare, then
I don’t need to have Let’s Encrypt cert, correct ?

( Just checking, as that is my next step )

Thanks for helping.#

mcfadyeni · May 5, 2022, 2:16pm

Not nessesarily.

You’ll need to create (from the dashboard) and attach an origin certificate to your server. Then enable Proxy in Cloudflare (orange-cloud). Cloudflare will automatically handle the certificate for you. Once you’ve added the origin certificate make sure your SSL mode is set to Full (Strict).

So the steps:

Create origin certificate from dashboard.
Add to your server.
Enable proxy (orange-cloud).
Set SSL mode to Full (Strict). If your origin certificate is installed correctly, Cloudflare will automatically handle SSL.

dave.fethiye · May 5, 2022, 2:53pm

Thanks,

So I have Created the Origin Certificate and Private Key.

When you say “Add them to the server”
Do you mean I should:

save the origin certificate as a .pem file
and save the private key as a .pem file

I will save them in
/etc/cf_keys/hurtaid-org/cf_origin_cert.pem
/etc/cf_keys/hurtaid-org/cf_private_key.pem

I am creating these with “root” - do I need to chown them at all ?
Or change the access with chmod ?

build the <VirtualHost *:443> block for hurtaid.org like this:

<IfModule mod_ssl.c>
<VirtualHost *:443>
	ServerAdmin [email protected]       
        ServerName hurtaid.org
        ServerAlias www.hurtaid.org

        DocumentRoot /var/www/hurtaid.org

        <Directory "/var/www/hurtaid.org">
             AllowOverride All
        </Directory>

	SSLEngine on
	SSLCertificateFile "/etc/cf_keys/hurtaid-org/cf_origin_cert.pem"
    	SSLCertificateKeyFile "/etc/cf_keys/hurtaid-org/cf_priv_key.pem"

        ErrorLog ${APACHE_LOG_DIR}/error.log
    	CustomLog ${APACHE_LOG_DIR}/access.log combined

	Header always set Strict-Transport-Security "max-age=31536000"
	SSLUseStapling on
	Header always set Content-Security-Policy upgrade-insecure-requestscd 
</VirtualHost>
</IfModule mod_ssl.c>

Run “service apache2 reload”

and then

Enable proxy (orange-cloud).
Set SSL mode to Full (Strict). If your origin certificate is installed correctly, Cloudflare will automatically handle SSL.

Is that about correct?

mcfadyeni · May 5, 2022, 3:06pm

Indeed, that sounds about correct.

However you’ll want to regenerate the origin cert. Get a new one, don’t use the one you sent here because the private key should never be publicly visible anywhere.

dave.fethiye · May 5, 2022, 4:03pm

I don’t believe it !!

Again, as soon as I switch over to Full (Strict) I get the
Error 526 again !

When I do the openssl I get this …

# openssl s_client -showcerts -servername hurtaid.org -connect 5.101.140.50:443 -quiet </dev/null
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = gldn.page
verify error:num=10:certificate has expired
notAfter=Feb 19 18:18:14 2022 GMT
verify return:1
depth=0 CN = gldn.page
notAfter=Feb 19 18:18:14 2022 GMT
verify return:1
[email protected]:/etc/apache2/sites-available#

I deleted the bot10x.com Let’s Encrypt cert, now it’s finding the “gldn.page” domain cert !!!

Does this “Full (Strict)” actually work with CloudFlares’ origin certificates ?
I am having my doubts.

The file permissions look like this:

Cert19

KianNH · May 5, 2022, 4:10pm

None of the certificates in your openssl s_client are origin certificates - so this isn’t an issue with Full (Strict).

You need your website to be presenting the origin certificate - if Cloudflare doesn’t see that, a 526 error is fully expected.

Try following Cloudflare Origin SSL Certificate Setup Guide - Yo Motherboard

dave.fethiye · May 5, 2022, 4:28pm

That “verify error:num=10:certificate has expired” is for gldn.page
not for the origin cert I have placed on the server in the path specified in the
<VirtualHost *:443> block.

I am going to DELETE all the Let’s Encrypt certs and all references to them

Let’s see what that does !!

dave.fethiye · May 5, 2022, 5:31pm

Thanks for the link to the docs.

According to “Yo-Motherboard”

“This step is apparently optional but I could not get it to work without having the root certificate installed so you will need to [download the Cloudflare root certificate from this link”

So it looks like I need to download the root certificate?

Why is there No mention of this on the Dashboard then ?
It just says “requires a trusted CA or Cloudflare Origin CA certificate on the server”
Nothing about needing s Root Certificate

This is under the WARP section
https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/install-cloudflare-cert

Well, I have followed this …

Debian / Ubuntu

Download both the .crt certificate and the .pem certificate
Copy both certificates to the user store.
/usr/share/ca-certificates
Import the certificate
dpkg-reconfigure ca-certificates

I also copied the .pem file to my “/etc/cf_keys/hurtaid-org/”

and updated the <VirtualHost *:443> block to read …

<IfModule mod_ssl.c>
<VirtualHost *:443>
	ServerAdmin [email protected]       
        ServerName hurtaid.org
        ServerAlias www.hurtaid.org

        DocumentRoot /var/www/hurtaid.org

        <Directory "/var/www/hurtaid.org">
	     vi Options -Indexes +FollowSymLinks
             AllowOverride All
        </Directory>

	SSLEngine on
        SSLCertificateFile "/etc/cf_keys/hurtaid-org/cf_origin_cert.pem"
        SSLCertificateKeyFile "/etc/cf_keys/hurtaid-org/cf_private_key.pem"
        SSLCertificateChainFile "/etc/cf_keys/hurtaid-org/cf_root_cert.pem"


        ErrorLog ${APACHE_LOG_DIR}/error.log
    	CustomLog ${APACHE_LOG_DIR}/access.log combined

	Header always set Strict-Transport-Security "max-age=31536000"
	SSLUseStapling on
	Header always set Content-Security-Policy upgrade-insecure-requestscd 
</VirtualHost>
</IfModule>

I am now going to run:
systemctl restart apache2

michael · May 5, 2022, 5:41pm

In this case “requires” is from the perspective of the Cloudflare servers. They will trust a certificate issued by a publicly trusted CA, or from their own CA. Cloudflare do not need you to present the root certificate to them when they connect to your Origin, when you show them the Origin cert they will know that they issued it, and that they trust it.

There are some services that do not like to install a bare leaf certificate, and in those cases you need to install the root. But I’m pretty sure Apache does not care.