How to solve 520 while setting up for Nginx and cloudflare original CA?

phyae · March 24, 2023, 3:28pm

I am now setting up the nginx using the original server certificates generated from Cloudflare. I generated a original server certificate for wild card including other specific domains but facing 520 error after reload the nginx with the following setup

After setting up, I got key.pem and cert.pem to setup the nginx. Then, I created demo.singaporetestlab.com folder under sites-available using

.

sudo nano /etc/nginx/sites-available/demo.singaporetestlab.com

And I filled the following configuration for nginx setting

server {
    listen 80;
    listen [::]:80;
    server_name demo.singaporetestlab.com;
    return 302 https://$server_name$request_uri;
}

server {

    # SSL configuration

    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate         /etc/ssl/certs/cert.pem;
    ssl_certificate_key     /etc/ssl/private/key.pem;
    ssl_client_certificate /etc/ssl/certs/cloudflare.crt;
    ssl_verify_client on;

    server_name demo.singaporetestlab.com;

    root /var/www/demo.singaporetestlab.com/html;
    index index.html index.htm index.nginx-debian.html;

    location / {
           include proxy_params;
           proxy_pass http://localhost:3000/;
    }
}

And I used ssl_client_certificate like mentioned in this blog

Then, I moved to sites-enabled using the command

sudo ln -s /etc/nginx/sites-available/demo.singaporetestlab.com /etc/nginx/sites-enabled/

And I restart the nginx, But I’m still facing with 520 error, Did I miss some steps to complete the setup?

phyae · March 24, 2023, 3:29pm

https://www.digitalocean.com/community/tutorials/how-to-host-a-website-using-cloudflare-and-nginx-on-ubuntu-22-04

epic.network · March 24, 2023, 4:15pm

Comment out the following two lines so you can test without authenticated origin pull.

    ssl_client_certificate /etc/ssl/certs/cloudflare.crt;
    ssl_verify_client on;

Authenticated origin pull is a good thing, but it is always good to know whether your site is working as expected before you enable it.

phyae · March 24, 2023, 4:49pm

I’ve already removed these two lines, and the Authenticated Origin Pulls is disabled, but still facing the same issue

epic.network · March 24, 2023, 4:53pm

How about with Cloudflare paused, or at least set to DNS Only for the demo hostname? You should see an untrusted issuer warning for the Cloudflare Origin CA certificate, but you should be able to ignore it and connect anyway.

phyae · March 24, 2023, 4:57pm

I created A type, Is my configuration wrong?

phyae · March 24, 2023, 5:03pm

When I switch to Full strict, I faced Invalid SSL certificate when I visit the page, so it seems like the certificate that I enrolled is incorrect to setup in nginx?

epic.network · March 24, 2023, 5:08pm

Your configuration is not wrong for once things are working.

Right now during testing, you need to connect directly to your origin server. If you switch the Proxied name to DNS Only it will let you connect directly to your server.

I already did this using curl since your IP address is in your screenshot. That direct connection encountered errors and is not using the Cloudflare Origin CA certificate.

curl -vk https://demo.singaporetestlab.com --connect-to demo.singaporetestlab.com:443:165.173.0.221:443
* Connecting to hostname: 165.173.0.221
* Connecting to port: 443
*   Trying 165.173.0.221:443...
* Connected to (nil) (165.173.0.221) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: O=localhost; OU=localhost; CN=localhost
*  start date: Feb 18 18:07:50 2023 GMT
*  expire date: Feb 15 18:07:50 2033 GMT
*  issuer: O=localhost; OU=localhost; CN=localhost
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x56156cfb0f80)
> GET / HTTP/2
> Host: demo.singaporetestlab.com
> user-agent: curl/7.79.1
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)
* stopped the pause stream!
* Connection #0 to host (nil) left intact
curl: (92) HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)

phyae · March 24, 2023, 5:25pm

But I’ve already enrolled this certificate in Origin Server

epic.network · March 24, 2023, 5:27pm

You may have created a Cloudflare Origin CA certificate for your server, but it is not the certificate that your NGINX is using as you can clearly see in the curl output that I shared in my previous reply.

phyae · March 24, 2023, 5:28pm

Ok thanks for your patience @epic.network. Let me try again and will ask for help if I face some issues on that

system · April 8, 2023, 5:29pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.