[FIXED] Cloudflare certificate seen as NET::ERR_CERT_AUTHORITY_INVALID

I use an Nginx Reverse Proxy docker container with a setting to point to another container at

It works fine locally,
Cloudflare is set up as usual to point to the IP, not enforcing SSL (just for tests), 80 and 443 are open and I can reach the machine using the subdomain.
But when reaching the subdomain, I get an unusual error:

Your connection is not private
Subject: CloudFlare Origin Certificate
Issuer: CloudFlare, Inc.
Expires on: Apr 13, 2035
Current date: Jul 21, 2020
PEM encoded chain:

It sees the certificate but claims it’s invalid.

I agree the cert is not on the final server but on the reverse proxy server, but that’s the goal of it right?
And frankly, I don’t know how to add a cert to a Tomcat server on a container.
Any idea?

Because it is (for a browser at least). Either the DNS record is not proxied or you have a propagation issue.

In the former case switch it to :orange:, in the latter case simply wait until your resolver has updated the record on its side.
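The point above, that the Origin certificate is valid for the proxy but not for a browser, can be reproduced locally. The following is an added example (not code from this thread or from Cloudflare): it builds a constructed private "origin CA" with the openssl command-line tool, serves a leaf certificate signed by it over loopback, and performs one TLS handshake from a client that does not trust the CA (the browser's view when the record is DNS-only) and one from a client that does (the proxy's view). The CA name and the hostname origin.example.invalid are placeholders, and the openssl binary is assumed to be on PATH.

```python
"""Added example, not code from the thread or from Cloudflare: why a certificate
issued by a private "origin CA" is rejected by a client that does not trust
that CA and accepted by one that does.

Assumptions: the `openssl` command-line tool is on PATH; the CA name and the
hostname below are constructed placeholders.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "origin.example.invalid"  # constructed placeholder, not a real host


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def make_origin_cert(workdir):
    """Create a constructed private CA and a leaf certificate for HOST signed
    by it. Returns the paths (ca_pem, leaf_pem, leaf_key)."""
    def p(name):
        return os.path.join(workdir, name)

    ext = p("san.cnf")  # SAN so hostname verification matches HOST
    with open(ext, "w") as f:
        f.write(f"subjectAltName=DNS:{HOST}\n")
    # Self-signed root: plays the role of an origin CA that browsers do not ship.
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256", "-days", "30",
             "-subj", "/CN=Example Origin CA (constructed)",
             "-keyout", p("ca.key"), "-out", p("ca.pem"))
    # Leaf request for the origin host, then sign it with the constructed root.
    _openssl("req", "-newkey", "rsa:2048", "-nodes", "-sha256", "-subj", f"/CN={HOST}",
             "-keyout", p("leaf.key"), "-out", p("leaf.csr"))
    _openssl("x509", "-req", "-sha256", "-days", "30", "-in", p("leaf.csr"),
             "-CA", p("ca.pem"), "-CAkey", p("ca.key"), "-CAcreateserial",
             "-extfile", ext, "-out", p("leaf.pem"))
    return p("ca.pem"), p("leaf.pem"), p("leaf.key")


def handshake(ca_pem, leaf_pem, leaf_key, trust_origin_ca):
    """Run one TLS handshake over loopback. Returns None when the client
    accepted the certificate, otherwise OpenSSL's verification error text."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(leaf_pem, leaf_key)
    # PROTOCOL_TLS_CLIENT verifies the chain and the hostname by default and
    # loads no CAs, so an empty trust store models a browser lacking this root.
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if trust_origin_ca:
        client_ctx.load_verify_locations(cafile=ca_pem)

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        try:
            with server_ctx.wrap_socket(conn, server_side=True) as s:
                s.recv(1)
        except (ssl.SSLError, OSError):
            pass  # the client aborted the handshake: that is the rejection case
        finally:
            listener.close()

    t = threading.Thread(target=serve)
    t.start()
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw:
            with client_ctx.wrap_socket(raw, server_hostname=HOST) as tls:
                tls.send(b"x")
        result = None
    except ssl.SSLCertVerificationError as e:
        result = e.verify_message
    t.join()
    return result


def demo():
    """Same certificate, two trust stores: {'browser_view': ..., 'edge_view': ...}."""
    with tempfile.TemporaryDirectory() as work:
        ca, leaf, key = make_origin_cert(work)
        return {"browser_view": handshake(ca, leaf, key, trust_origin_ca=False),
                "edge_view": handshake(ca, leaf, key, trust_origin_ca=True)}


if __name__ == "__main__":
    for view, err in demo().items():
        print(f"{view}: {'OK' if err is None else 'REJECTED: ' + err}")
```

The browser view fails with a verification error about the issuer while the edge view, whose trust store contains the constructed root, completes the handshake. The same applies to the real Cloudflare Origin CA: only Cloudflare's edge trusts it, so the certificate is only ever useful behind the orange cloud.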

Thank you @sandro
Weird, I tried without and with Cloudflare DNS proxy.
You’re right, now I get a 502 bad gateway. The valid certificate is not mine but the Cloudflare DNS service one (valid until October 2020).

And there are no logs on the nginx proxy container (connect is not available with https://github.com/jc21/nginx-proxy-manager?utm_source=nginx-proxy-manager)

Do you have an idea?

  • What’s the domain?
  • Make sure you have the right IP address configured on Cloudflare.
  • If you feel comfortable with it, share the address here.

Sorry, domain is private for now. We’re a non-profit org with limited security skills (mine).
Yeah, I can reach the IP with http for testing purposes.
But once I switch to https, I get ERR_HTTP2_PROTOCOL_ERROR
And the certificate is nginx localhost, because I didn’t add a route for the IP (I can’t since it wants a (sub)domain)

We are mixing now a lot of things here. If the domain is proxied you should not get the error you mentioned.

The protocol error is a completely different issue and if I remember correctly there were issues when you sent invalid HTTP headers, which then breaks HTTP/2. I would suggest you use the search here as there were several threads about that.

Let’s drop the IP test. It’s not relevant.
All my previous deployments using cloudflare and SSL on containers went fine when I added the cert to the final server/container.

Now, there are 2 changes from previous working setups:

  • Our IPv4 address is "almost static": it was a long one a few weeks ago (4*3, 12 digits) but now we have a small one (5 digits). Maybe not related.
  • Nginx reverse proxy is added in the loop.

I use Nginx Proxy Manager because the UI is nice to add and change routes. But maybe it’s not working well.

If you know another solution for reverse proxy with a full UI to add routes, please let me know.

Nginx is somewhat off-topic here I am afraid.

What I would suggest at this point is you pause Cloudflare, install a Let's Encrypt certificate instead of an Origin certificate (otherwise you will always have the warning), and first get the site to work properly on HTTPS without the proxies. Only once that is working should you unpause Cloudflare.

This is wise.

Side note: While you were writing, I switched off and on some SSL settings in Cloudflare:

  • Automatic HTTPS Rewrites
  • TLS 1.3
  • Opportunistic Encryption
  • Always Use HTTPS

Now it’s back to the previous settings, but the error is now: ERR_TOO_MANY_REDIRECTS

And I also tested disabling the proxy host, and https worked directly, returning the Nginx server's default page (“Congratulations, …”)
Maybe I’m wrong, but it looks like 2 different problems (Cloudflare settings, maybe cache involved, and Nginx) are mixing things up.

What’s your encryption status? It should be Full strict.

But I’d really take Cloudflare out of the equation at this point. First fix the server issues, once that works activate Cloudflare and it should work.

DNS only + flexible SSL + letsencrypt cert + flushed cookies: ERR_TOO_MANY_REDIRECTS

Never :slight_smile: always Full strict. Flexible is just as insecure as HTTP.

But anyhow, with DNS only none of the Cloudflare settings matter as the connection is direct.

Keep it that way and fix the server first. Then enable Cloudflare.
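The ERR_TOO_MANY_REDIRECTS reported a few posts up and the "Flexible is just as insecure as HTTP" point above describe one well-known loop: in Flexible mode the edge terminates TLS and talks plain HTTP to the origin, so an origin that forces HTTPS keeps redirecting. The following is an added example (not code from the thread or from Cloudflare) that models the browser, the edge and the origin as three small functions and shows where the loop comes from and what ends it: Full / Full (strict), or an origin that honours the X-Forwarded-Proto header the proxy sets, but only when the request really arrives from the proxy. The hostname app.example.invalid is a constructed placeholder.

```python
"""Added example, not code from the thread or from Cloudflare: a minimal model
of the ERR_TOO_MANY_REDIRECTS loop between Cloudflare's "Flexible" mode and an
origin that forces HTTPS, and of the two ways out. Hostnames are constructed.
"""
from typing import Dict, Optional, Tuple

MAX_REDIRECTS = 20  # Chromium gives up after a chain of 20 redirects
APP_URL = "https://app.example.invalid/"  # constructed placeholder


def origin_app(conn_scheme: str, headers: Dict[str, str], honour_forwarded_proto: bool,
               from_trusted_proxy: bool) -> Tuple[int, Optional[str]]:
    """Origin behaviour: 301 to HTTPS unless the request is already HTTPS.
    conn_scheme is what the origin really sees on the wire. The forwarded
    scheme is only believed when the peer is the trusted proxy; otherwise any
    direct client could spoof the header and bypass the forced-HTTPS policy."""
    effective = conn_scheme
    if honour_forwarded_proto and from_trusted_proxy:
        effective = headers.get("x-forwarded-proto", conn_scheme)
    if effective != "https":
        return 301, APP_URL
    return 200, None


def edge_to_origin(mode: str, client_scheme: str) -> Tuple[str, Dict[str, str]]:
    """How each Cloudflare SSL mode connects to the origin.
    flexible: always plain HTTP; full / full_strict: HTTPS (they differ only in
    certificate checking, which does not affect the loop). The edge forwards
    the scheme the visitor used in X-Forwarded-Proto."""
    if mode == "flexible":
        origin_scheme = "http"
    elif mode in ("full", "full_strict"):
        origin_scheme = "https"
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return origin_scheme, {"x-forwarded-proto": client_scheme}


def fetch(start_scheme: str, mode: str, honour_forwarded_proto: bool = False):
    """Browser loop: follow redirects until a non-redirect or the limit.
    mode 'dns_only' is the grey cloud: the browser reaches the origin directly
    and the SSL mode is irrelevant. Returns (outcome, number_of_redirects)."""
    scheme, hops = start_scheme, 0
    while True:
        if mode == "dns_only":
            status, loc = origin_app(scheme, {}, honour_forwarded_proto, from_trusted_proxy=False)
        else:
            origin_scheme, hdrs = edge_to_origin(mode, scheme)
            status, loc = origin_app(origin_scheme, hdrs, honour_forwarded_proto, from_trusted_proxy=True)
        if status != 301:
            return status, hops
        hops += 1
        if hops > MAX_REDIRECTS:
            return "ERR_TOO_MANY_REDIRECTS", hops
        scheme = loc.split("://", 1)[0]  # the browser retries with the redirected scheme


def spoofed_direct_request() -> int:
    """A client that is not the proxy sets X-Forwarded-Proto itself. The origin
    must ignore it and still redirect; returns the status it answers with."""
    status, _ = origin_app("http", {"x-forwarded-proto": "https"}, True, from_trusted_proxy=False)
    return status


if __name__ == "__main__":
    scenarios = {
        "grey cloud, http start":           ("http", "dns_only", False),
        "Flexible, naive origin":           ("https", "flexible", False),
        "Flexible, origin honours header":  ("https", "flexible", True),
        "Full (strict), naive origin":      ("https", "full_strict", False),
    }
    for label, args in scenarios.items():
        print(f"{label}: {fetch(*args)}")
    print(f"spoofed header from a direct client: {spoofed_direct_request()}")
```

With the grey cloud the single http-to-https redirect resolves on the first hop, which is why none of the Cloudflare settings matter in DNS-only mode. Flexible with a naive origin never converges; Full (strict) converges without any origin change and is the setting to aim for once the origin serves a valid certificate.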

Going Full or Full strict results in 502 bad gateway

At this point these settings do not matter anymore as you are not going via Cloudflare. Maybe you still have the old IP address and need to wait for DNS propagation.

I changed IP address 2 hours ago and Cloudflare is my DNS (using Pi-hole as local DNS for filtering).
Now getting Error 504 gateway time-out

DNS for sure, but if it is DNS only Cloudflare does not proxy and hence all requests go to your server.

At this point this really is a server-only issue I am afraid.

A Nginx Proxy Manager issue I think.
I can reach the server using my domain name on http with specific port.
Do you know a “visual alternative” to Nginx Proxy Manager? A container of a kind of “webmin” for routing and taking care of SSL?

I am afraid server administration topics are rather off-topic here. For that I would recommend StackExchange.

Haha, “this question is too broad” reply 99% of the time.

I can only reiterate this :slight_smile: