Nginx + Origin certificate

Hey, guys! I’m having trouble installing an Origin certificate on my server. Can someone tell me what I’m doing wrong?

Ubuntu 23.10 + Nginx 1.24

  1. SSL/TLS → Overview → Full (strict)
  2. SSL/TLS → Origin Server → Origin Certificates → Create Certificate
  3. Generate private key and CSR with Cloudflare → Create
  4. Save Origin Certificate as cert.pem file and save Private Key as key.pem file
  5. Copy cert.pem and key.pem to /etc/ssl/
  6. Download Cloudflare Origin CA root certificate from here:
  7. cat /etc/ssl/cert.pem /etc/ssl/origin_ca_ecc_root.pem > /etc/ssl/full.pem
  8. check full.pem format:
  9. Adding certificates to nginx server configuration:
    ssl_certificate /etc/ssl/full.pem;
    ssl_certificate_key /etc/ssl/key.pem;
  10. check the nginx configuration and restart it - all OK
    root@localhost:~# nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    root@localhost:~# sudo systemctl restart nginx
  11. Go to my website and I see that HTTPS isn’t working. Chrome browser has an error:
    Subject: CloudFlare Origin Certificate
    Issuer: CloudFlare, Inc.
    Expires on: 24 Nov 2038
    Current date: 29 Nov 2023
  12. Turn on debug mode in nginx logs and find an error:
    SSL_do_handshake() failed (SSL: error:0A000416:SSL routines::sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking
    SSL_do_handshake() failed (SSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48) while SSL handshaking

What did I do wrong?

Here’s what else I tried to fix the problem, but it didn’t help:

  1. Use Cloudflare Origin ECC PEM from here:
  2. SSL/TLS → Overview → Full + use only Origin Certificate & Private key without creating CA bundle
  3. Add other SSL options to nginx config
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

The Cloudflare origin certificate is only trusted by Cloudflare when connecting to your origin. If you connect to your origin directly in your browser (or when Cloudflare is paused or the record unproxied), you should expect a warning…

This is expected.

If you connect to your proxied hostname, all should work ok.
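The point made in the reply can be checked offline with openssl. The script below is an added example, not code from this thread or from Cloudflare: it builds constructed stand-ins (a private EC root for origin_ca_ecc_root.pem, a leaf for cert.pem with its key.pem, and an unrelated wrong.key), then shows that the leaf verifies only when that root is supplied explicitly, as the Cloudflare edge does, while the public trust store a browser uses rejects it, which is what the "certificate unknown" / "unknown ca" alerts in the debug log mean. It also checks that the key actually belongs to the certificate, since a mismatch there aborts the handshake too.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed fixtures stand in for the real files:
# root.pem = origin_ca_ecc_root.pem, cert.pem/key.pem = the Origin Certificate and key.
# An origin cert verifies only when that root is trusted explicitly (what the Cloudflare
# edge does); the public store a browser uses rejects it, which is the "certificate
# unknown" / "unknown ca" alert in the nginx debug log. Also checks key matches cert.
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT

make_fixtures() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = origin.example
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Private EC root (constructed), then a leaf issued by it, then an unrelated key.
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/root.key"
  openssl req -x509 -new -key "$WORK/root.key" -config "$WORK/req.cnf" \
    -subj "/CN=Constructed Origin CA" -days 30 -out "$WORK/root.pem"
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/key.pem"
  openssl req -new -key "$WORK/key.pem" -config "$WORK/req.cnf" -out "$WORK/leaf.csr"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -out "$WORK/cert.pem"
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/wrong.key"
}

# verify_chain CERT ROOT: succeeds only if CERT chains to ROOT; the system store is ignored.
verify_chain() { openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1"; }
# verify_public CERT: succeeds only if the default public trust store accepts CERT.
# This is a browser's view of an origin certificate, so failure here is expected.
verify_public() { openssl verify "$1"; }
# key_matches CERT KEY: succeeds if KEY's public half equals the key inside CERT.
# A mismatch also aborts the handshake, so rule it out before blaming trust.
key_matches() {
  [ "$(openssl x509 -in "$1" -pubkey -noout)" = "$(openssl pkey -in "$2" -pubout)" ]
}

make_fixtures >/dev/null 2>&1
verify_chain "$WORK/cert.pem" "$WORK/root.pem"        # accepted with the origin root
verify_public "$WORK/cert.pem" || echo "rejected by the public store, as a browser would"
key_matches "$WORK/cert.pem" "$WORK/key.pem" && echo "key.pem belongs to cert.pem"
# Live equivalent of verify_chain against a real origin (ORIGIN_IP and HOST are placeholders):
#   openssl s_client -connect ORIGIN_IP:443 -servername HOST -CAfile origin_ca_ecc_root.pem
```

Run it with the real files by pointing verify_chain at cert.pem and origin_ca_ecc_root.pem and key_matches at cert.pem and key.pem; a failure of verify_chain or key_matches is a real misconfiguration, a failure of verify_public alone is the expected behaviour the reply describes.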

