How to use Tunnel without having to also use noTLSVerify?

I’ve got a simple domain setup on an Ubuntu server running Apache (literally just displays an HTML file); I set it up with LetsEncrypt and it was working without issue. I wanted a bit more security so decided to use Cloudflare!

I set up the DNS through Cloudflare and it was working flawlessly once I set up the SSL to use the Cloudflare certs (so it would stop the ‘too many redirects’ error). This too worked really well.

Then I read that I could use Tunnels (and then not have to use port forwarding), so I set one up (following this tutorial: https://www.youtube.com/watch?v=hrwoKO7LMzk).

I can make it work if I set this in my config.yml file:

originRequest:
  noTLSVerify: true

I would like to make it work without having to include that snippet - as I would like it to be secure traffic between CF and my Apache server.

My config file is very simple:

tunnel: <id>
credentials-file: /route/to/<id>.json

ingress:
  - hostname: mydomain.com
    service: https://localhost:443

  - service: http_status:404

The error I see in the cloudflared service is this:

Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is valid for *.mydomain.com, mydomain.com, not localhost"

What is the best way to avoid using the noTLSVerify in my config but still getting the tunnel to work?

My Apache VirtualHost looks like this:

<VirtualHost *:443>
        ServerAdmin [email protected]
        ServerName mydomain.com
        ServerAlias www.mydomain.com
        DocumentRoot /var/www/html/mydomain/public_html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        Include /etc/letsencrypt/options-ssl-apache.conf
        #Old Certs From LE
        #SSLCertificateFile /etc/letsencrypt/live/mydomain.com-0001/chain.pem
        #SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com-0001/private_key.pem
        SSLCertificateFile /root/.cloudflared/cf_pem.pem
        SSLCertificateKeyFile /root/.cloudflared/cf_key.key
</VirtualHost>

Any help would be greatly appreciated.

If there is no harm/danger/security risks involved with setting noTLSVerify to true, then I will use it, but otherwise I would prefer not to - just can’t figure out how not to!
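The x509 error above says verification itself is working: cloudflared connects to localhost, so it expects a certificate valid for "localhost", while the origin certificate is only valid for mydomain.com. As an added example (not from the original post, and not an official answer), the config below keeps verification on by telling cloudflared which name to expect from the origin certificate via originServerName; the tunnel id, credentials path and the optional caPool path are placeholders.

```yaml
tunnel: <id>
credentials-file: /route/to/<id>.json

ingress:
  - hostname: mydomain.com
    service: https://localhost:443
    originRequest:
      # Verify the origin certificate against this name instead of the
      # literal "localhost" in the service URL. noTLSVerify stays at its
      # default (false), so cloudflared still checks the chain and the name.
      originServerName: mydomain.com
      # Only needed if the origin certificate does not chain to a CA that
      # cloudflared already trusts (e.g. a private CA); path is a placeholder.
      # caPool: /etc/ssl/certs/<origin-ca-root>.pem

  # Catch-all rule required by cloudflared for unmatched hostnames.
  - service: http_status:404
```

Before restarting the tunnel you can confirm the origin presents the right certificate for that name with `openssl s_client -connect localhost:443 -servername mydomain.com`, which should show a subject or SAN covering mydomain.com.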
