[FIXED] Cloudflare certifcate seen as NET::ERR_CERT_AUTHORITY_INVALID

user3732 · July 22, 2020, 8:25am

I use Nginx Reverse Proxy docker container with setting to point to another container at 172.17.0.3:8080

It works fine locally,
Cloudflare is setup as usual to point to the IP, not enforce SSL (just for tests), 80 and 443 are open and I can reach the machine using the subdomain.
But when reaching the subdomain, I get an unusual error:

Your connection is not private
...
NET::ERR_CERT_AUTHORITY_INVALID
Subject: CloudFlare Origin Certificate

Issuer: CloudFlare, Inc.

Expires on: Apr 13, 2035

Current date: Jul 21, 2020

PEM encoded chain:
-----BEGIN CERTIFICATE-----
MI..

It sees the certificate but claims it’s invalid.

I agree the cert is not on the final server but on the reverse proxy server, but that’s the goal of it right?
And frankly, I don’t know how to add a cert to a Tomcat server on a container.
Any idea?

sandro · July 22, 2020, 8:28am

Because it is (for a browser at least). Either the DNS record is not proxied or you have a propagation issue.

In the former case switch it to , in the latter case simply wait until your resolver updated the record on its side.

user3732 · July 21, 2020, 7:32pm

Thank you @sandro
Weird, I tried without and with Cloudflare DNS proxy.
You’re right, now I get a 502 bad gateway. The valid certificate is not mine but the cloudflare DNS service one (valid until October 2020).

And there are no logs on the nginx proxy container (connect is not available with https://github.com/jc21/nginx-proxy-manager?utm_source=nginx-proxy-manager)

Do you have an idea?

sandro · July 21, 2020, 7:33pm

What’s the domain?
Make sure you have the right IP address configured on Cloudflare.
If you feel comfortable with it, share the address here.

user3732 · July 21, 2020, 7:38pm

Sorry, domain is private for now. We’re a non-profit org with limited security skills (mine).
Yeah, I can reach the IP with http for testing purpose.
But once I switch to https, I get ERR_HTTP2_PROTOCOL_ERROR
And the certificate is nginx localhost, because I didn’t add a route for the IP (I can’t since it wants a (syb)domain)

sandro · July 21, 2020, 7:37pm

We are mixing now a lot of things here. If the domain is proxied you should not get the error you mentioned.

The protocol error is a completely different issue and if I remember correctly there were issues when you sent invalid HTTP headers, which then break HTTP 2. I would suggest you use the search here as there were several threads about that.

user3732 · July 21, 2020, 7:46pm

Let’s drop the IP test. It’s not relevant.
All my previous deployments using cloudflare and SSL on containers went fine when I added the cert to the final server/container.

Now, there are 2 changes from previous working setups:

Our IP4 address is almost static", it was a long one a few weeks ago (4*3, 12 digits) but now we have a small one (5 digits). Maybe not related.
Nginx reverse proxy is added in the loop.

I use Nginx Proxy Manager because UI is nice to add and change routes. But maybe it’s not working well.

If you know another solution for reverse proxy with a full UI to add routes, please let me know.

sandro · July 22, 2020, 8:29am

Nginx is somewhat off-topic here I am afraid.

What I would suggest at this point is you pause Cloudflare, install a Lets Encrypt certificate instead of an Origin certificate (otherwise you will always have the warning), and first get the site to work properly on HTTPS without the proxies. Only once that is working you should unpause Cloudflare.

user3732 · July 21, 2020, 7:55pm

This is wise.

Side note: While you were writing, I switched off and on some SSL settings in cloudflare:

Automatic HTTPS Rewrites
TLS 1.3
Opportunistic Encryption
Always Use HTTPS

Now it’s back to previous settings, but error is now: ERR_TOO_MANY_REDIRECTS

And I also tested to disable the proxy host and the https worked directly by throwing Nginx server HTTP version (“Congratulations, …”)
Maybe I’m wrong, but it looks like 2 different problems (cloudflare settings, maybe cache invovled, and Nginx) are mixing things up.

sandro · July 21, 2020, 7:57pm

What’s your encryption status? It should be Full strict.

But I’d really take Cloudflare out of the equation at this point. First fix the server issues, once that works activate Cloudflare and it should work.

user3732 · July 21, 2020, 8:01pm

Alright.
DNS only + flexible SSL + letsencrypt cert + flushed cookies: ERR_TOO_MANY_REDIRECTS

sandro · July 21, 2020, 8:04pm

Never always Full strict. Flexible is just as insecure as HTTP.

But anyhow, with DNS only none of the Cloudflare settings matter as the connection is direct.

Keep it that way and fix the server first. Then enable Cloudflare.

user3732 · July 21, 2020, 8:05pm

Goinf full or full strcit results in 502 bad gateway

sandro · July 21, 2020, 8:06pm

At this point these settings do not matter anymore as you are not going via Cloudflare. Maybe you still have the old IP address and need to wait for DNS propagation.

user3732 · July 21, 2020, 8:12pm

I changed IP address 2 hours ago and cloudflare is my DNS (using PI-Hole as local DNS for filtering).
Now getting Error 504 gateway time-out

sandro · July 21, 2020, 8:12pm

DNS for sure, but if it is DNS only Cloudflare does not proxy and hence all requests go to your server.

At this point this really is a server-only issue I am afraid.

user3732 · July 21, 2020, 8:15pm

A Nginx Proxy Manager issue I think.
I can reach the server using my domain name on http with specific port.
Do you know a “visual alternative” to Nginx Proxy Manager? A container of a kind of “webmin” for routing and taking care of SSL?

sandro · July 21, 2020, 8:16pm

I am afraid server administration topics are rather off-topic here. For that I would recommend StackExchange.

user3732 · July 21, 2020, 8:17pm

Haha, “this question is too broad” reply 99% of the time.

sandro · July 21, 2020, 8:17pm

I can only reiterate this