I have tried making my own CSR and key file from step-ca, along with getting a CSR and key file from Cloudflare under client certs for mTLS. I have my domain added and I have a WAF rule set as well. None of this is the issue, since the client cert does not have a chain of trust.
What steps have you taken to resolve the issue?
Trying to get the Cloudflare managed CA so that I can get the cert to be trusted. I am simply trying to add the client cert to any browser for client-side mTLS, but I am obviously missing something. Any help would be appreciated.
It looks like I made a minor error in my description of the problem.
With regard to the Cloudflare client cert made, it doesn't generate a CSR; it actually does generate the pem/crt file. However, even then, I still have no chain of trust for it in a browser because I don't have the chain of trust, and so my question is how do I fix this?
I read I can use WARP, but I am trying not to need to use that and just want the cert that would complete the chain of trust on my client machine. I can't understand why this is so cryptic.
I am not understanding why we can't simply get the Managed CA that is specifically for our own accounts? It doesn't make sense, especially knowing it is literally required to create a chain of trust on the client device/machine. I also don't see that anywhere in the docs, and I have been on this for days and days. Even if it were in the docs, "just because" wouldn't really be much of an explanation for some sort of security reason. This has tripped up a ton of people, and there is almost nothing about it anywhere with respect to chain of trust.
I have tried several things, the last one being making a cert and key pair (PEM, ECC) from Cloudflare. I then added the firewall rule:
(http.host in {"*.domain.com"} and not cf.tls_client_auth.cert_verified)
I also have {domain.com, *.domain.com} listed to enable mTLS in the client certificate tab.
If you imported the cert into Windows, when you open it, is it trusted? That's where I am having an issue. I get a 520 error when I try to load a page that requires a client cert for mTLS.
Hmm… that's interesting, as this also happens on my Android phone. I am at a loss here.
I have this working through a local CA with local DNS, so I know it is set up properly; it's just Cloudflare that maybe isn't. Can you maybe show me how you have your firewall set, and did you do anything special to create the cert or name it a certain way?
I just wanted to add that I think I have it working here on a browser, but only when I am connected through my own DNS servers. If I use 1.1.1.1 or similar, that's when I get the 520 error. My setup involves a reverse proxy (Traefik), but for something not local, I don't know why using an external DNS would prevent it from working.
Created a client cert on Cloudflare. Saved key.pem and cert.pem on my PC and converted them to .p12 like this: openssl pkcs12 -export -out cert.p12 -in cert.pem -inkey key.pem (I had to create a password in this step).
Went to Chrome settings, clicked Manage Certificates, which opens the Windows certificate settings. Imported the certificate and entered the cert password again.
Created WAF rule in Cloudflare like this: (http.host eq "test.laudian.de" and http.request.uri.path eq "/mtls" and not cf.tls_client_auth.cert_verified)
Then block
Restarted Chrome and visited test.laudian.de; I get prompted for the certificate:
If you have a (potential) DNS problem, it would help if you could share your actual domain and could show results of lookup with the different resolvers you mentioned.
Do you get to the point where you are prompted for a certificate and blocked with a 403 if you don’t select one?
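Added example (not from any post in this thread) that makes the "no chain of trust" question concrete and checkable offline with the openssl CLI, which it assumes is installed (1.1.1 or 3.x). It generates two throwaway CAs: an "issuing" CA that stands in for whatever CA signed the client cert, and an unrelated "other" CA that stands in for a trust store that lacks the issuer. It then shows that the same leaf verifies against one store and fails against the other, and packs the leaf, key and issuer into a PKCS#12 bundle so the chain travels with the import. It does not (and cannot) fetch Cloudflare's managed CA certificate; all names, paths and the password are made up for the example.

```shell
# Added example, not from this thread. Assumes the openssl CLI is installed.
# Everything is generated into a temp dir; the CAs are stand-ins, not Cloudflare's.
set -eu
WORK="$(mktemp -d)"

# Minimal config so the throwaway CAs get real CA extensions on every openssl version.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# "issuing" = the CA that signs the client cert; "other" = an unrelated CA (a store
# that does not contain the issuer, which is the poster's situation in the browser).
for ca in issuing other; do
  openssl req -x509 -config "$WORK/ca.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$WORK/$ca-ca.key" -out "$WORK/$ca-ca.pem" -days 30 \
    -subj "/CN=$ca CA" >/dev/null 2>&1
done

# Client key + CSR (ECC, like the poster's), signed by the issuing CA with clientAuth EKU.
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
  > "$WORK/leaf.ext"
openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$WORK/key.pem" -out "$WORK/client.csr" -subj "/CN=mtls-client" >/dev/null 2>&1
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/issuing-ca.pem" -CAkey "$WORK/issuing-ca.key" \
  -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/cert.pem" -days 30 >/dev/null 2>&1

# The check the thread is about: does the leaf chain to the given trust store?
# Prints "ok" when the issuer is in the store and "no-chain" when it is not.
verify_chain() {
  if openssl verify -CAfile "$1" "$WORK/cert.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo no-chain
  fi
}

# Bundle cert + key for import into Windows/Chrome. -certfile adds the issuer cert so the
# importer sees the chain, not just the leaf. Prints how many certs ended up in the .p12.
make_p12() {
  openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
    -certfile "$WORK/issuing-ca.pem" -out "$WORK/cert.p12" -passout pass:changeit
  openssl pkcs12 -in "$WORK/cert.p12" -passin pass:changeit -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

echo "issuer in store:     $(verify_chain "$WORK/issuing-ca.pem")"   # ok
echo "issuer not in store: $(verify_chain "$WORK/other-ca.pem")"     # no-chain
echo "certs in p12:        $(make_p12)"                               # 2
```

The point of the two verify calls is that "trusted" is a property of the store on the client, not of the leaf: the same cert.pem passes or fails depending only on whether its issuer is present. A .p12 built with only -in and -inkey carries the leaf alone, so Windows can import it and still show it as untrusted; adding the issuer with -certfile is what lets the import carry the chain, assuming you have the issuer's certificate at all.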
Yes, I am getting to the part, regardless of DNS provider, where it requests the client certificate. I just need to figure out what happens after that to get me this 520 error. It's not very descriptive. I'm about to do a few dig commands to see if I can see anything going on.
I got it figured out. It was a case of PBKAC. Thanks for your help!
I was trying to double-dip on mTLS, so it would never have worked that way. I have one domain set for local DNS and another one set for external. Works great!