Error: self signed certificate in HTTPS



I’m trying to use HTTPS in Presto (docs)

I went to Origin Certificates -> Create Certificate and saved both files: cert.pem and cert.key
And downloaded Cloudflare Origin CA — RSA Root to cf_ca.pem

Executed the following commands:

root# PASSWORD=<PASSWORD> openssl pkcs12 -export -out bundle.p12 -in cert.pem -inkey cert.key -passout pass:$PASSWORD
root# keytool -noprompt -importkeystore -srckeystore bundle.p12 -srcstoretype pkcs12 -srcstorepass $PASSWORD -destkeystore presto.jks -deststoretype JKS -deststorepass $ROOT_PASSWORD
root# printf "$PASSWORD\nyes\n" | keytool -import -v -trustcacerts -alias cf-ca -file cf_ca.pem -keystore presto.jks
root# printf "$PASSWORD\n" | keytool -importkeystore -srckeystore presto.jks -destkeystore presto.jks -deststoretype pkcs12

And used the presto.jks file on presto config.
However, when I connect to presto, it says self-signed certificate.

root# curl -I https://localhost:8899
curl: (60) SSL certificate problem: self signed certificate in certificate chain

How can I solve this issue?



An origin cert is signed by Cloudflare for use as a trusted cert between Cloudflare and your origin. That it returns an error as being self signed when accessed directly by an end user is expected.

curl -Ik https://localhost:8899 will ignore the self signed nature of the cert. However port 8999 isn’t a port Cloudflare proxies.



I see, so I can’t use that certificate for my own HTTPS server (without Cloudflare in the middle), correct?



How do I get a valid signed certificate then? Can it be from Cloudflare?



You’ll need to use an ACME provider like letsencrypt to get a free valid certificate.

1 Like



Cloudflare does not offer certificates to be installed on 3rd party servers directly from our CA partners, you would need to obtain a cert from a CA directly

1 Like