Installing Cloudflare Origin CA certificate at ISPConfig to make Full SSL (Strict) with Authenticated Origin Pulls (if possible)?

Recently, after a while, I proceeded with the known steps to install the Cloudflare Origin CA certificate at my host/origin.

Using the Nginx web server (Debian - LEMP) and the ISPConfig interface.

But this time I was quite confused about the ISPConfig interface fields and the Cloudflare screen when I was provisioned with the CSR and KEY.

I remember the BEGIN CERTIFICATE is not the same as BEGIN REQUEST CERTIFICATE.

The screen at Cloudflare first said “Certificate Signing Request (CSR)”; the word “request” was on my mind, while I know I usually put the Cloudflare value in the “SSL cert” field, not in “SSL request”.

Moreover, the second screen says “Save the certificate …”.

At that point I was like “what?”. Maybe I was confused because some SSL providers gave me a “BEGIN REQUEST CERTIFICATE”, so I was using the “SSL request” field, while now I use the “SSL cert” field.

And as the final step I do “Save certificate” as the action in the ISPConfig interface.

Or is it actually that I am obviously doing it wrong?

  1. SSL Key field → private key
  2. SSL zahtjev (request) field → for example, used the first time when I purchase an SSL certificate from Namecheap (used to generate; later on we remove it)
  3. SSL certifikat (certificate) field → now I used it when generating the Cloudflare Origin CA
  4. SSL paket (bundle) → using the Cloudflare Root CA?

I feel I am doing something wrong here, even with the “SSL bundle” field where I paste the Cloudflare Root CA :upside_down_face: :thinking:

Obviously I forgot how to do it with “click, click, click” (getting the vhost file using a GUI), which is not the same as writing directly to the vhost file from the CLI :laughing:

Maybe hereafter I should write a tutorial just for this case with ISPConfig :smiley:

The stranger thing is the fact that it works with Full SSL (Strict) and Authenticated Origin Pulls enabled (I had modified the vhost file later for it).

Thank you

Just to note: the website I am doing this for hasn’t had any SSL certificate before (only HTTP and Flexible SSL mode enabled).

Maybe I am confused due to “naming” like “bundle”, “CA root certificate”, “CSR”, “certificate”, “request”? (regardless of the native Croatian language configured in the ISPConfig interface)

Also I checked again the steps as I do them on Nginx here:

But, my gosh, what am I doing here …

From ISPConfig manual as stated:

On the SSL tab you can create a self-signed SSL certificate together with a certificate signing request (CSR) that you can use to apply for an SSL certificate that is signed by a trusted certificate authority (CA) such as Verisign, Comodo, Thawte, etc. It’s not necessary to buy such a trusted SSL certificate, but you should note that if you use a self-signed SSL certificate, browsers will display a warning to your visitors.

Please note that you can have just one SSL web site per IP address, unless you use SNI. SNI is short for Server Name Indication and allows you to run multiple SSL vhosts on one IP address. Please note that currently SNI is not supported by all browsers/operating systems.

To create a self-signed certificate, please fill out the fields State, Locality, Organisation, Organisation Unit, Country, and SSL Domain, and then select Create Certificate from the SSL Action drop-down menu, and click on Save. Leave the fields SSL Key, SSL Request, SSL Certificate, and SSL Bundle empty - the fields SSL Key, SSL Request and SSL Certificate will be filled out by the system.

After the self-signed certificate was created, you will find data in the SSL Key, SSL Request, and SSL Certificate fields (it can take one or two minutes until the data appears in the fields).

If you want to buy an SSL certificate from a trusted CA, you have to copy the data from the SSL Request field - this is the certificate signing request (CSR). With this CSR, you can apply for a trusted SSL certificate at your CA - the CA will create an SSL certificate from this CSR, and you can paste the trusted SSL certificate into the SSL Certificate field. Sometimes your CA will also give you an SSL bundle - paste this into the SSL Bundle field. Select Save Certificate from the SSL Action drop-down menu and click on the Save button. You have just replaced your self-signed certificate with a trusted SSL certificate.

If you already have an SSL certificate that you would like to use with this web site, it’s not necessary to create a self-signed certificate first. Just paste the key, the certificate, the bundle certificate (if needed) and the CSR (optional, but will be needed if you want to buy a new certificate for the same key, for example after the old certificate has expired) in the appropriate fields, select Save Certificate from the SSL Action drop-down menu and click on Save (the other fields such as State, Organisation, etc. can be left empty).

To delete a certificate, select Delete Certificate from the SSL Action drop-down menu and click on the Save button.

My NGINX server only uses two certs in the server {} block:
ssl_certificate /etc/nginx/conf.d/example.d/server.crt; (Cert)
ssl_certificate_key /etc/nginx/conf.d/example.d/server.key; (Private Key)

And nothing else. I don’t use a CSR. I don’t use the Root CA cert.

But if ISPConfig wants you to use the CSR method, then go ahead so you have something to put in to Box #2. For the Bundle, I can only think of the Root CA cert.

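To take the guesswork out of which PEM blob goes into which ISPConfig field, and to confirm that the key, the origin certificate and the CA in the bundle actually belong together, here is an added example script (not code from the thread, from ISPConfig or from Cloudflare). It classifies a file by its PEM header the way the four fields are named on the SSL tab, checks that the certificate's public key was derived from the private key, and checks that the certificate validates against the CA file, which is what the SSL Bundle content (the issuing CA) is for. It assumes the openssl CLI is installed; all file names and the throw-away demo PKI it builds are constructed for the example, not real Cloudflare material.

```shell
#!/bin/sh
# Added example, not code from the thread, ISPConfig or Cloudflare: sanity-check
# PEM blobs before pasting them into the ISPConfig SSL tab. Every file name
# here is constructed for the demo; the openssl CLI is assumed to be present.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Name the ISPConfig field a PEM file belongs in, judged by its first header
# line. A file holding more than one CERTIFICATE block is a bundle (CA chain).
ispconfig_field() {
    certs="$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)"
    case "$(head -n 1 "$1")" in
        "-----BEGIN CERTIFICATE REQUEST-----") echo "SSL Request" ;;
        "-----BEGIN CERTIFICATE-----")
            if [ "$certs" -gt 1 ]; then echo "SSL Bundle"; else echo "SSL Certificate"; fi ;;
        "-----BEGIN PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----"|"-----BEGIN RSA PRIVATE KEY-----")
            echo "SSL Key" ;;
        *) echo "unknown" ;;
    esac
}

# Succeeds when the public key inside the certificate ($1) is the one derived
# from the private key ($2); nginx refuses to start when these disagree.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Succeeds when the certificate ($1) validates against the CA file ($2). This is
# the check the SSL Bundle content (the CA that issued the origin cert) enables.
chains_to_root() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# A throw-away PKI standing in for "Origin CA root" plus "origin certificate".
# Constructed for the demo; a real Origin CA certificate is issued by Cloudflare.
build_demo_pki() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/root.key" 2>/dev/null
    openssl req -new -x509 -key "$WORK/root.key" -days 1 \
        -subj "/O=Demo Origin CA/CN=Demo Root" -out "$WORK/root.pem" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/origin.key" 2>/dev/null
    openssl req -new -key "$WORK/origin.key" -subj "/CN=mysite.tld" \
        -out "$WORK/origin.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/origin.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1 -out "$WORK/origin.pem" 2>/dev/null
    # An unrelated key, so the mismatch branch below is exercised.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/other.key" 2>/dev/null
    # Certificate followed by its CA: the classic "bundle" shape.
    cat "$WORK/origin.pem" "$WORK/root.pem" > "$WORK/bundle.pem"
}

main() {
    build_demo_pki
    for f in origin.key origin.csr origin.pem root.pem bundle.pem; do
        printf '%-12s -> %s\n' "$f" "$(ispconfig_field "$WORK/$f")"
    done
    if key_matches_cert "$WORK/origin.pem" "$WORK/origin.key"; then
        echo "origin.pem matches origin.key"
    fi
    if ! key_matches_cert "$WORK/origin.pem" "$WORK/other.key"; then
        echo "origin.pem does NOT match other.key (as expected)"
    fi
    if chains_to_root "$WORK/origin.pem" "$WORK/root.pem"; then
        echo "origin.pem chains to root.pem"
    fi
}

main
```

Run it as-is to see the demo output, or point the three functions at your own files: `ispconfig_field` on each blob you are about to paste, `key_matches_cert` on the certificate and key, and `chains_to_root` on the certificate and the CA you intend to put in the bundle field. A verify failure on the last check means the CA file is not the issuer of that certificate, which is exactly the situation in which a bundle field is useless.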

Or is it actually that the Cloudflare Origin CA is the “certificate”, and combining it with the Cloudflare Root CA would give me the “bundle” for the “SSL bundle” field at ISPConfig?

Meaning, copying the Cloudflare Root CA is not the same as how we usually combine the certificate and the CA to get a bundle, right?

Exactly. Thanks :slight_smile:

That GUI just makes me nervous :smiley:

Speaking of the CSR, if you’re going to use that, make sure you feed it into Cloudflare so everything validates.


Interesting: when I fill in the SSL certificate field with the Cloudflare Origin CA certificate which I generated at the Cloudflare dashboard, and use the private key also generated at Cloudflare, I have mydomain.tld.crt and mydomain.tld.key (two) files saved under /var/www/mydomain/ssl/.

Nevertheless, even if I fill in the SSL bundle field (pasting the Cloudflare Origin CA and the Cloudflare Root CA), it does not save them as “bundle.crt”, nor is the mydomain.tld.crt file modified.

Or maybe the Cloudflare Root CA should be uploaded under /etc/ssl/ only in case it is needed or missing, or if any other errors appear.

Okay, it works with the “two” ones which I know and usually go with (crt file and key file) when using the CLI to edit the Nginx vhost file.

I will test that out both with :orange: and :grey: to see what is behind it for an SSL connection.

That’s what this is for:
curl -svko /dev/null https://example.com --connect-to ::123.123.123.123


curl -svko /dev/null https://mysite.tld --connect-to ::i.p.v.4 with Cloudflare Origin CA certificate gives me:

* Expire in 0 ms for 6 (transfer 0x556b4ede1b70)
* Connecting to hostname: i.p.v.4
*   Trying i.p.v.4...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x556b4ede1b70)
* Connected to i.p.v.4 (i.p.v.4) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
{ [204 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2286 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [78 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
} [8 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: O=CloudFlare, Inc.; OU=CloudFlare Origin CA; CN=CloudFlare Origin Certificate
*  start date: Mar 12 01:27:00 2021 GMT
*  expire date: Mar  8 01:27:00 2036 GMT
*  issuer: C=US; ST=California; L=San Francisco; O=CloudFlare, Inc.; OU=CloudFlare Origin SSL ECC Certificate Authority
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x556b4ede1b70)
} [5 bytes data]
GET / HTTP/2
Host: mysite.tld
User-Agent: curl/7.64.0
Accept: */*

And when I go with curl -v --capath /etc/ssl/certs https://mysite.tld, the result is:

* Expire in 3 ms for 1 (transfer 0x5643ec3f0b70)
*   Trying 104.21.55.69...
* TCP_NODELAY set
* Expire in 149995 ms for 3 (transfer 0x5643ec3f0b70)
* Expire in 200 ms for 4 (transfer 0x5643ec3f0b70)
* Connected to mysite.tld (104.21.55.69) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Oct  5 00:00:00 2020 GMT
*  expire date: Oct  5 12:00:00 2021 GMT
*  subjectAltName: host "mysite.tld" matched cert's "*.mysite.tld"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5643ec3f0b70)
GET / HTTP/2
Host: mysite.tld
User-Agent: curl/7.64.0
Accept: */*

I believe this is OK and working as expected, given Full SSL (Strict) and also Authenticated Origin Pulls, because when I set Authenticated Origin Pulls to Disabled at the Cloudflare dashboard I got the expected error:

400 Bad Request
No required SSL certificate was sent
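The two curl transcripts above carry the evidence for both settings, but it is easy to miss in the noise. As an added example (not from the thread), the script below pulls out the three facts that matter: whether the origin sent a TLS 1.3 CertificateRequest (“Request CERT (13)”, which nginx only does when client verification is enabled, so it shows Authenticated Origin Pulls are enforced at the origin), what curl's verify result was, and which issuer the presented certificate has. The two sample transcripts it reads are constructed from the lines quoted in the thread, cut down to the handshake messages the script inspects.

```shell
#!/bin/sh
# Added example, not from the thread: extract the facts that matter for
# Full (Strict) plus Authenticated Origin Pulls from a `curl -v` transcript.
# The two transcripts below are constructed from lines quoted in the thread.
set -eu

# "yes" when the server sent a TLS 1.3 CertificateRequest (message type 13).
# nginx sends it only when ssl_verify_client is enabled, so this is direct
# evidence that the origin is demanding a client certificate from Cloudflare.
client_cert_requested() {
    if grep -q 'TLS handshake, Request CERT (13)' "$1"; then echo yes; else echo no; fi
}

# Reduce curl's verify line to a verdict:
#   ok        chain validated against the trust store curl was given
#   untrusted a verify error was reported (curl continued only because of -k)
#   unknown   no verify line found in the transcript
verify_verdict() {
    line="$(grep 'SSL certificate verify' "$1" || true)"
    case "$line" in
        "")            echo unknown ;;
        *"verify ok"*) echo ok ;;
        *)             echo untrusted ;;
    esac
}

# Issuer string as curl prints it, to confirm which certificate was presented
# (the Origin CA certificate on a direct hit, the edge certificate via Cloudflare).
server_cert_issuer() {
    sed -n 's/^\*  issuer: //p' "$1"
}

DIRECT="$(mktemp)"
EDGE="$(mktemp)"
trap 'rm -f "$DIRECT" "$EDGE"' EXIT

# Constructed sample: curl -svk ... --connect-to ::ORIGIN_IP straight to the origin.
cat > "$DIRECT" <<'EOF'
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* Server certificate:
*  subject: O=CloudFlare, Inc.; OU=CloudFlare Origin CA; CN=CloudFlare Origin Certificate
*  issuer: C=US; ST=California; L=San Francisco; O=CloudFlare, Inc.; OU=CloudFlare Origin SSL ECC Certificate Authority
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
EOF

# Constructed sample: curl -v https://mysite.tld through the Cloudflare edge.
cat > "$EDGE" <<'EOF'
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* Server certificate:
*  subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
EOF

for t in "$DIRECT" "$EDGE"; do
    echo "client cert requested: $(client_cert_requested "$t")"
    echo "verify verdict:        $(verify_verdict "$t")"
    echo "issuer:                $(server_cert_issuer "$t")"
    echo
done
```

Reading the results: the “untrusted” verdict on the direct hit is expected, because the Cloudflare Origin CA root is not in /etc/ssl/certs; pass that root with curl's --cacert instead of -k and the same hit should report “verify ok”, which is the check that Full (Strict) performs from the edge. The “yes” for the client certificate request is the origin-side half of Authenticated Origin Pulls (on nginx that is the standard ssl_client_certificate plus ssl_verify_client on pair, which the thread mentions only as “modified vhost file”). The 400 “No required SSL certificate was sent” seen after disabling Authenticated Origin Pulls on the dashboard is the same enforcement seen from the other side: the origin still demanded a client certificate while the edge had stopped presenting one.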
