Help Needed with Per-Hostname Authenticated Origin Pulls on Pro Plan

Hi everyone,

I’m currently working on setting up per-hostname authenticated origin pulls on my Cloudflare Pro plan and have hit a snag. I’ve been following the guide for implementing authenticated origin pulls, which involves uploading a custom certificate to Cloudflare.

Issue Encountered: After creating a certificate as per the instructions, I attempted to upload it using the Cloudflare API:

curl -sX POST https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_certificates \
  -H "X-Auth-Email: {email}" -H "X-Auth-Key: {key}" \
  -H "Content-Type: application/json" -d "$request_body"

However, I received the following error response:
{"success":false,"errors":[{"code":1011,"message":"Plan level does not allow custom certificates with type legacy_custom"}],"messages":[],"result":null}

Questions and Clarifications Needed:

  1. Plan Level Requirements: Is there a specific plan level requirement for uploading custom certificates that I might have missed? My current plan is Pro. Or can I use non-custom certificates?
  2. Feature Availability on Pro Plan: Is the ‘Per-hostname authenticated origin pulls’ feature available and fully functional on the Pro plan?
  3. Possible Workarounds: If this feature is indeed limited by plan level, are there any alternative methods or workarounds that can be used to achieve similar functionality on the Pro plan?
  4. Advice on Error Message: Can anyone provide insights into the error message I received, particularly regarding the ‘legacy_custom’ type?

I would greatly appreciate any guidance or advice on how to proceed with setting up authenticated origin pulls under these circumstances.

Thank you in advance for your help!

You are barking up the wrong tree here :smile:

You are using the wrong HTTP path here, as this is for uploading custom server certificates, not client certificates. You want to follow Per-hostname authenticated origin pulls · Cloudflare SSL/TLS docs

And yes, the feature is available on all plans - Authenticated Origin Pulls (mTLS) · Cloudflare SSL/TLS docs


I followed this guide:
https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/

and this:
https://developers.cloudflare.com/api/operations/per-hostname-authenticated-origin-pull-upload-a-hostname-client-certificate

That is not what you are using in your call

ohhhh I see... my bad...
so the Pro plan does allow me to use a self-signed certificate

{"success":false,"errors":[{"code":1412,"message":"Missing leaf certificate."}],"messages":[]}
I keep getting this error... I have tried many ways to put in the certificate and the key, but nothing seems to work.

The message seems to be clear. Did you upload the entire chain of certificates?

I am doing the following:
openssl genpkey -algorithm RSA -out rsa_private_pkcs1.key -pkeyopt rsa_keygen_bits:2048

openssl req -x509 -new -key rsa_private_pkcs1.key -sha256 -days 365 -out rsa_certificate.crt -subj "/CN=." -addext "subjectAltName=DNS:
and then with this I convert them to one line:
awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}'

and then the API request...
am I missing something?

Post the exact command you are running but redact private_key and the authentication credentials.

curl --request POST \
--url https://api.cloudflare.com/client/v4/zones/***************************/origin_tls_client_auth/hostnames/certificates \
--header 'Content-Type: application/json' \
--header 'X-Auth-Email: *********' \
--header 'X-Auth-Key: ***********************' \
--data '{
"certificate": "
",
"private_key": "
"
}'

If this is across different lines you need to escape the new-lines with \.

Also, because you redacted the certificate, I cannot verify if that is valid.

here is the certificate: (I will generate a new one)

The certificate is public anyhow, so you don’t necessarily need to use a new one, but you certainly can if you prefer.

The certificate looks all right and my assumption would be your bash syntax is not right and curl does not read the data argument, which is why Cloudflare does not get the certificate.

Maybe post a screenshot and simply make sure to redact in it the private key and authentication credentials.

You can also run curl with -v to get more debug output, though we’d be crossing now into an off-topic area for the forum here.

Did you sign the certificate with a CA?

no... but does it matter? It’s only for testing

Where’s the screenshot?

That looks generally all right. As mentioned, you can debug the curl call, but I would assume that should actually also work.

As this is a self-signed certificate, it’s automatically also a root certificate. Maybe that is the issue and Cloudflare only recognises it as root certificate and is (falsely) missing the identity certificate. That’s just a guess for now, but maybe try to create a second certificate and sign it with this certificate here and then upload the new certificate instead.

yes, it should be signed... that solved the problem
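One way to produce what the last two posts converge on (a private CA plus a CA-signed leaf client certificate, instead of a lone self-signed root) and to fold it into the JSON body the hostname certificates endpoint takes. This is an added example, not code from the thread or from Cloudflare; the hostname, the output directory and the CA subject name are assumptions.

```shell
# Added example, not code from the thread. Assumed: a hostname of your choosing,
# an output directory, and "openssl" plus "awk" on PATH.
set -eu

# $1 = output directory, $2 = hostname for the leaf certificate's SAN
make_aop_certs() {
  dir=$1; host=$2
  # Minimal config so the CA gets CA:TRUE regardless of the system openssl.cnf.
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca_ext\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.cnf"
  # 1. Private CA. On its own this is the "root only" upload that Cloudflare
  #    rejected above with "Missing leaf certificate".
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=Origin Pull CA" 2>/dev/null
  # 2. Leaf key and CSR for the hostname.
  openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" -subj "/CN=$host" 2>/dev/null
  # 3. Sign the CSR with the CA. CA:FALSE plus a SAN and a clientAuth EKU make
  #    this an identity (leaf) certificate rather than another root.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' "$host" > "$dir/leaf.ext"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" 2>/dev/null
}

# True when the certificate in $1 carries CA:TRUE, i.e. is a root/intermediate, not a leaf.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Fold a PEM file onto one line with a literal "\n" per line, as a JSON string needs.
pem_oneline() {
  awk 'NF {sub(/\r/, ""); printf "%s\\n", $0}' "$1"
}

# $1 = leaf certificate, $2 = its private key. Emits the JSON body for
# POST /zones/{zone_id}/origin_tls_client_auth/hostnames/certificates
build_request_body() {
  printf '{"certificate":"%s","private_key":"%s"}' "$(pem_oneline "$1")" "$(pem_oneline "$2")"
}

# Typical use (placeholders in braces are yours to fill in):
#   make_aop_certs ./aop origin.example.com
#   openssl verify -CAfile ./aop/ca.crt ./aop/leaf.crt      # expect: ./aop/leaf.crt: OK
#   build_request_body ./aop/leaf.crt ./aop/leaf.key > body.json
#   curl -X POST "https://api.cloudflare.com/client/v4/zones/{zone_id}/origin_tls_client_auth/hostnames/certificates" \
#     -H "X-Auth-Email: {email}" -H "X-Auth-Key: {key}" -H "Content-Type: application/json" --data @body.json
```

Before uploading, `is_ca_cert` on the file you are about to send is a quick check that you are not repeating the root-only mistake from earlier in the thread.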