Getting 400 Bad Request (No required SSL certificate was sent) | Using Nginx and Cloudflare Authenticated Origin Pulls


#1

I keep getting the 400 Bad Request (No required SSL certificate was sent) when trying to access my site.
I'm using Nginx and Cloudflare Authenticated Origin Pulls. I have this set up with 4 different websites on a VPS; it works for 3 of the sites but doesn't seem to work for the 4th one, though I have set it up in exactly the same manner.

Here is my Nginx Configuration:

server {
	listen 80;
	listen [::]:80;
	server_name domain.ext www.domain.ext;
	# Plain-HTTP requests are bounced to HTTPS; only the 443 vhost enforces the client certificate.
	return 302 https://$server_name$request_uri;
}

server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	# "ssl on;" is deprecated and redundant once "listen ... ssl" is used; dropped.
	# Origin certificate presented to Cloudflare (Full (Strict) validates it).
	ssl_certificate		/etc/ssl/certs/domain.ext.cert.pem;
	ssl_certificate_key	/etc/ssl/private/domain.ext.key.pem;

	# Authenticated Origin Pulls: every handshake for this vhost must carry a
	# client certificate chaining to the Cloudflare origin-pull CA in cloudflare.crt.
	ssl_client_certificate	/etc/ssl/certs/cloudflare.crt;
	ssl_verify_client on;

	root /var/www/domain.ext/html;

	index index.php index.html index.htm index.nginx-debian.html;

	server_name domain.ext www.domain.ext;

	location / {
		try_files $uri $uri/ =404;
	}

	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
		fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
		include fastcgi_params;
	}
}

I have Authenticated Origin Pulls enabled in the Cloudflare dashboard and SSL set to Full (Strict).
I am using a Cloudflare CA Origin Certificate.
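A diagnostic added to this thread (not the poster's config and not a Cloudflare tool) that splits the 400 into its two possible causes. Talking to the origin IP directly with the same SNI name the edge would send shows whether nginx is actually issuing a CertificateRequest for that hostname: if it is not, the request is landing in a server block without ssl_verify_client (for an SNI name no server_name matches, nginx serves the default server for that IP:port); if it is, nginx is fine and the missing certificate is a Cloudflare-side issue (DNS record not proxied, or the zone's Authenticated Origin Pulls toggle). The origin IP 203.0.113.10 is a documentation address and openssl 1.1.1 or newer is assumed; the s_client excerpts are constructed samples.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Assumes openssl >= 1.1.1 on PATH and
# that you know the origin's public IP (203.0.113.10 below is a placeholder).

# classify_probe reads `openssl s_client` output on stdin and prints a verdict.
# OpenSSL prints "Acceptable client certificate CA names" (the list nginx builds
# from ssl_client_certificate) and "Requested Signature Algorithms" only after
# the server has sent a CertificateRequest.
#   requests-client-cert   nginx asked for a cert: the vhost config is in effect,
#                          so an empty client cert is coming from the peer side
#   no-client-cert-request nginx never asked: this SNI name is being served by a
#                          server block without ssl_verify_client
#   handshake-failed       no TLS session at all (wrong IP, firewall, bad cert)
classify_probe() {
  out=$(cat)
  case "$out" in
    *"Acceptable client certificate CA names"*|*"Requested Signature Algorithms"*)
      echo requests-client-cert ;;
    *"No client certificate CA names sent"*)
      echo no-client-cert-request ;;
    *)
      echo handshake-failed ;;
  esac
}

# probe_origin <sni-hostname> <origin-ip>: connect to the origin directly,
# bypassing Cloudflare, with the SNI the edge would use. s_client sends no
# client certificate here, so only the server's behaviour is under test.
probe_origin() {
  openssl s_client -connect "$2:443" -servername "$1" </dev/null 2>/dev/null \
    | classify_probe
}

# Constructed, trimmed s_client excerpts for the two interesting outcomes.
SAMPLE_REQUESTED='---
Acceptable client certificate CA names
C = US, ST = California, L = San Francisco, O = CloudFlare, Inc., OU = Origin Pull, CN = origin-pull.cloudflare.net
Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256
---'
SAMPLE_NOT_REQUESTED='---
No client certificate CA names sent
Peer signing digest: SHA256
---'

verdict_requested()     { printf '%s\n' "$SAMPLE_REQUESTED"     | classify_probe; }
verdict_not_requested() { printf '%s\n' "$SAMPLE_NOT_REQUESTED" | classify_probe; }

echo "sample 1: $(verdict_requested)"      # requests-client-cert
echo "sample 2: $(verdict_not_requested)"  # no-client-cert-request
# Against the real origin (needs network): probe_origin domain.ext 203.0.113.10
```

Run `probe_origin` once per hostname, including `www.`; a vhost that answers `requests-client-cert` for three names and `no-client-cert-request` for the fourth points at server_name matching or default-server selection rather than at Cloudflare. If all four request a certificate, nginx's error.log entry "client sent no required SSL certificate" carries the client IP: a browser or monitor IP means the record is not proxied, a Cloudflare edge IP means the zone setting is not taking effect.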


#2

So the issue is the client authentication, right? If you switch off ssl_verify_client requests go through?!


#3

Yes, they do, but then I cannot use HTTPS.


#4

I am not sure what that is supposed to mean. If HTTPS does not work, client authentication naturally won't work either. You first need to get HTTPS working.

Can you post the URL?


#5

fakezane.net


#6

Well, HTTPS seems to work in your case.


#7

Uh, never mind that, HTTPS seems to work. But I still can't figure out why it's not receiving the certificate from Cloudflare when enabled.


#8

So I guess ssl_verify_client is currently off, right? Once you turn it on, however, it fails because the required certificate is not sent along, correct?


#9

Correct


#10

And the certificate specified at ssl_verify_client is the one from https://blog.cloudflare.com/protecting-the-origin-with-tls-authenticated-origin-pulls/#certificate and loads fine as far as log outputs are concerned?

In that case I’d open a support ticket.


#11

Ok, thank you.