"No required SSL certificate was sent" error using Authenticated Origin Pulls with custom certificate

The Issue: visiting my site results in “400 Bad Request (No required SSL certificate was sent)”.

Current State: I have configured the server to request a client certificate, uploaded my self-signed certificate to Cloudflare and enabled “Authenticated Origin Pulls”.

Troubleshooting:

  1. I see this on my Nginx error log:
2022/08/04 15:21:44 [info] 346#346: *37 client sent no required SSL certificate while reading client request headers, client: 162.158.38.80, server: example.com, request: "GET / HTTP/1.1", host: "www.example.com"
2022/08/04 15:21:45 [info] 346#346: *38 client sent no required SSL certificate while reading client request headers, client: 162.158.38.36, server: example.com, request: "GET /favicon.ico HTTP/1.1", host: "www.example.com", referrer: "https://www.example.com/"
  2. I checked again using the command line API that the certificate is on Cloudflare:
$ curl -X GET https://api.cloudflare.com/client/v4/zones/$zone_id/origin_tls_client_auth -H "X-Auth-Email: $authemail" -H "X-Auth-Key: $authkey" -H "Content-Type: application/json"

{"success":true,"errors":[],"messages":[],"result":[{"id":"...","status":"active"..."result_info":{"page":1,"per_page":50,"count":1,"total_count":1,"total_pages":1}}
  3. Browsing to the IP directly and selecting a certificate in my browser loads the site fine.

Additional Troubleshooting

Based on the API docs I checked whether the setting was enabled:

$ curl -X GET https://api.cloudflare.com/client/v4/zones/$zone_id/origin_tls_client_auth/settings -H "X-Auth-Email: $authemail" -H "X-Auth-Key: $authkey" -H "Content-Type: application/json"

{"success":true,"errors":[],"messages":[],"result":{"enabled":false}}

I was getting false even though it was enabled on the Dashboard UI! Tried enabling through the API:

$ curl -X PUT https://api.cloudflare.com/client/v4/zones/$zone_id/origin_tls_client_auth/settings -H "X-Auth-Email: $authemail" -H "X-Auth-Key: $authkey" -H "Content-Type: application/json" --data '{"enabled":true}'

{"success":true,"errors":[],"messages":[],"result":{"enabled":true}}

Checked again:

$ curl -X GET https://api.cloudflare.com/client/v4/zones/$zone_id/origin_tls_client_auth/settings -H "X-Auth-Email: $authemail" -H "X-Auth-Key: $authkey" -H "Content-Type: application/json"

{"success":true,"errors":[],"messages":[],"result":{"enabled":true}}

Now it says enabled on both the Dashboard and the API, however, the error persists.

Background:

My website was working fine with HTTPS on Full (strict) SSL/TLS mode, after installing the Cloudflare Origin CA certificate on the server.

Then I decided to also enable Authenticated Origin Pulls, following the instructions for customer certificates.

I tried with both Full and Full (strict) modes, but I get the same error on both.

How can I troubleshoot this further? Thank you!
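The Nginx lines quoted above tell you more than "no certificate": the client address says whether the rejected connection came from Cloudflare's edge (in which case Authenticated Origin Pulls is not presenting a certificate) or reached the origin directly (in which case the rejection is the protection doing its job). The script below is an added example, not code from the thread or from Cloudflare; it parses error-log lines in the format shown in the post and buckets the "no required SSL certificate" rejections by source. The Cloudflare IPv4 ranges embedded in it are assumed to match the published list and should be refreshed from cloudflare.com/ips-v4 (and the v6 list) before use, and the third log line with a 203.0.113.x client is constructed for illustration.

```python
import ipaddress
import re

# Subset of Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4),
# assumed current for this example; pull the live list (v4 and v6) before relying on it.
CLOUDFLARE_EDGE = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Nginx error-log layout as it appears in the post: timestamp, level, pid#tid, *conn, message,
# then comma-separated "key: value" fields (client, server, request, host, optional referrer).
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: \*\d+ '
    r'(?P<msg>.*?), client: (?P<client>[0-9A-Fa-f.:]+), server: (?P<server>[^,]+), '
    r'request: "(?P<request>[^"]*)", host: "(?P<host>[^"]*)"'
)
NO_CERT_MSG = "client sent no required SSL certificate"

# Constructed sample: the two lines quoted in the post, one invented line from a
# documentation-range address (203.0.113.7) that did not come through Cloudflare,
# and one non-request line that the parser should skip.
SAMPLE_LOG = """\
2022/08/04 15:21:44 [info] 346#346: *37 client sent no required SSL certificate while reading client request headers, client: 162.158.38.80, server: example.com, request: "GET / HTTP/1.1", host: "www.example.com"
2022/08/04 15:21:45 [info] 346#346: *38 client sent no required SSL certificate while reading client request headers, client: 162.158.38.36, server: example.com, request: "GET /favicon.ico HTTP/1.1", host: "www.example.com", referrer: "https://www.example.com/"
2022/08/04 15:22:10 [info] 346#346: *39 client sent no required SSL certificate while reading client request headers, client: 203.0.113.7, server: example.com, request: "GET / HTTP/1.1", host: "www.example.com"
2022/08/04 15:22:11 [notice] 346#346: signal process started
"""


def parse_line(line):
    """Return the fields of one error-log line, or None if it is not a request-level entry."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_cloudflare_edge(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_EDGE)


def triage(log_text):
    """Split 'no required SSL certificate' rejections by where the connection came from."""
    result = {"no_cert_from_edge": [], "no_cert_direct": [], "other_lines": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None or NO_CERT_MSG not in rec["msg"]:
            result["other_lines"] += 1
            continue
        bucket = "no_cert_from_edge" if is_cloudflare_edge(rec["client"]) else "no_cert_direct"
        result[bucket].append(rec["client"])
    return result


def verdicts(result):
    """Turn the buckets into the two conclusions that matter for Authenticated Origin Pulls."""
    out = []
    if result["no_cert_from_edge"]:
        out.append("Cloudflare's edge connected without a client certificate: the pull is not "
                   "being authenticated for this hostname, so the AOP setting and certificate "
                   "status on the Cloudflare side are the things to re-check, not the Nginx config.")
    if result["no_cert_direct"]:
        out.append("Connections that bypassed Cloudflare were rejected for lacking a "
                   "certificate: that is the protection working as intended, and a sign the "
                   "origin IP is reachable directly.")
    return out


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(summary)
    for line in verdicts(summary):
        print("-", line)
```

Run it against a real `error.log` by replacing `SAMPLE_LOG` with the file contents; both addresses in the post fall inside 162.158.0.0/15, so in that thread the rejections are edge connections and the Nginx side is not the part that is misbehaving.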

Do you actually have Authenticated Origin Pulls turned on for the domain? It’s a different API endpoint than the one you quoted. But I’ve always just turned it on through the dashboard.

That’s actually the first thing you want to turn on, before you even put any of the config on your server. Turning this on shouldn’t break anything even if the server isn’t set up yet. All it does is tell Cloudflare to try to present the client certificate (and if the server doesn’t care it’ll just disregard it). So I have it turned on for all my domains.

I did enable it through the Dashboard, not the API. That’s probably a good idea, but I wanted to first see the error and then enable it to make it work, test-driven development mindset, I guess.

So yes, it is enabled, just like your screenshot. Thanks.

I personally have never used the “customer certificate” option for Authenticated Origin Pulls so I can’t say too much about it, but it appears to be more complex than just using the standard Cloudflare .pem.

Have you tried the “Cloudflare certificate” (first option) method in Set up authenticated origin pulls · Cloudflare SSL/TLS docs ? It was super easy to set up, didn’t have to touch the API at all.


You’re right, that’s definitely a far easier option, looks similar to the “Cloudflare Origin CA certificate” which was fairly simple to set up. I have not yet tried this way and instead went through the long route which took a while because my certificate was initially getting rejected, etc…

The reason I chose this option is because I can fully test the production setup locally or through the IP address because I have the private key for my own certificate. If I understand correctly, using Cloudflare’s certificate, only Cloudflare will be able to talk to the production server. Which is what I want, except I want to be able to test it directly as well. Of course I could have a separate development configuration without the SSL client verification, so I might go for this alternative as a backup option, if no solution is found. Thanks.

Added some more troubleshooting steps to the original post, now I checked and enabled Authenticated Origin Pulls through the API as well. Also, just double-checked that the zone ID is the correct one.

Update: realized that the Nginx documentation says that a list of CA certificates can be sent in a single file. This means that I could use Cloudflare’s certificate and still be able to test the same configuration locally, which would be a fine workaround. So I concatenated my local CA with Cloudflare’s CA. This worked locally but the error persisted when deployed.

Finally, I tried the fallback solution and did the Zone-Level Cloudflare certificate, i.e. using only the Cloudflare certificate as per the first option in the documentation. Nginx still complains that it receives no client certificate.

So I am unable to get Authenticated Origin Pulls to work in any configuration.
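The update above concatenates a local CA with Cloudflare's CA into one file for Nginx's `ssl_client_certificate`. A common way for such a bundle to silently lose a certificate is a file without a trailing newline, so `cat a.pem b.pem` fuses `-----END CERTIFICATE-----` and the next `-----BEGIN CERTIFICATE-----` onto one line; a line-oriented PEM reader then never sees the second certificate. The checker below is an added example, not code from the thread or from Nginx or Cloudflare: it splits a bundle the way a line-based PEM reader does, reports how many certificates are actually readable, flags the fused-marker case, and repairs it. The PEM bodies in it are constructed placeholders (valid base64 whose first byte is a DER SEQUENCE tag), not real certificates.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed placeholder "certificates": the bodies are not real X.509 data, but they are
# valid base64 and decode to bytes starting with 0x30 (DER SEQUENCE), enough for the checks here.
FAKE_CA_LOCAL = BEGIN + "\nMIIBAAAAAAAAAAAA\n" + END          # saved without a trailing newline
FAKE_CA_CLOUDFLARE = BEGIN + "\nMIIBBBBBBBBBBBBB\n" + END + "\n"
GOOD_BUNDLE = FAKE_CA_LOCAL + "\n" + FAKE_CA_CLOUDFLARE      # newline between the two files
BAD_BUNDLE = FAKE_CA_LOCAL + FAKE_CA_CLOUDFLARE              # what `cat` produces without it


def split_bundle(text):
    """Line-oriented split, like OpenSSL's PEM reader: a certificate starts at a line that is
    exactly BEGIN and ends at a line that is exactly END. Anything else inside is body."""
    blocks, body, inside = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not inside:
            if line == BEGIN:
                inside, body = True, []
            continue
        if line == END:
            blocks.append("".join(body))
            inside = False
        else:
            body.append(line)
    return blocks


def check_bundle(text):
    """Return the count of readable certificates plus a list of problems found."""
    problems = []
    if END + BEGIN in text:
        problems.append("BEGIN marker fused onto an END line: a file without a trailing "
                        "newline was concatenated")
    blocks = split_bundle(text)
    begins = text.count(BEGIN)
    if begins != len(blocks):
        problems.append(f"{begins} BEGIN markers but only {len(blocks)} readable certificate(s)")
    for i, body in enumerate(blocks, 1):
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error:
            problems.append(f"certificate {i}: body is not valid base64")
            continue
        if not der or der[0] != 0x30:
            problems.append(f"certificate {i}: decoded data is not a DER SEQUENCE")
    return {"certificates": len(blocks), "problems": problems}


def repair_bundle(text):
    """Put fused markers back on separate lines and guarantee a trailing newline."""
    fixed = text.replace(END + BEGIN, END + "\n" + BEGIN)
    return fixed if fixed.endswith("\n") else fixed + "\n"


if __name__ == "__main__":
    print("good:", check_bundle(GOOD_BUNDLE))
    print("bad: ", check_bundle(BAD_BUNDLE))
    print("fixed:", check_bundle(repair_bundle(BAD_BUNDLE)))
```

Point `check_bundle` at the file named in `ssl_client_certificate`; if the certificate count is lower than the number of CAs you concatenated, Nginx is verifying against fewer issuers than intended, which is worth ruling out before concluding that the edge is sending nothing.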