OPENSSL_internal:CERTIFICATE_VERIFY_FAILED

When trying to access a website using Cloudflare certificates in a Linux application, the connection errors with .MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED. I have spent two days researching this and have seen others who have just moved on to non-Cloudflare certificates. Although that’s an option, we are a Cloudflare shop so that just seems a stupid compromise. I’ve tried importing the certificates into Linux and into Mono directly (which shouldn’t be necessary) but the error persists and the application continues to fail.

Does anyone know how to get openssl to accept Cloudflare certificates?

Thanks for any help or ideas on how to address this problem…

Origin certificates are not supposed to be used in this context, but only by Cloudflare’s own proxies.

If you really need to do so, however, you need to add the root certificate to your trust store:

https://support.cloudflare.com/hc/en-us/articles/115000479507-Managing-Cloudflare-Origin-CA-certificates#h_30cc332c-8f6e-42d8-9c59-6c1f06650639

Thank you for responding. I don’t think I was clear enough. The experience I’m describing is a Linux client machine using OpenSSL (the most common form of SSL in Linux), accessing my Cloudflare proxied website running on IIS in Windows Server. I have read threads on various forums on the web of similar experiences that concluded that the solution was to stop using Cloudflare certificates. The root certificate is in the trust store. I followed a rather good article verbatim by Andrew Hoefling on how to add Cloudflare certificates to a Windows server (https://www.andrewhoefling.com/Blog/Post/configuring-cloudflare-ssl-certificates-on-windows-server-core-with-powershell). My website is accessible via browsers but not via OpenSSL. Given the postings I’ve seen on the web, this is a known problem. I was hoping that there was a solution other than to stop using Cloudflare certificates. Does this information help any?

As I already said, you need the linked certificate in the trust store, in which case the connection will work. Otherwise you could only ignore certificate warnings, which you shouldn’t exactly do.

I certainly won’t be ignoring certificate warnings. Sorry, while my posting didn’t say so, I had already added both the Cloudflare root certificate and the linked certificate to the trust store on the Linux box and synchronized the certificate store. I just did it again for posterity but it doesn’t solve the error. I’m trying to pay attention to what you have written. I’m a web developer trying to make a web application work. I don’t do server and client configurations very often. I’m trying to do my best and research heavily before asking questions. I apologize if I’m annoying you.

No worries, not annoying, but as it is rather about server administration than Cloudflare it is not exactly a topic for the forum here, but rather for StackExchange for example.

Cloudflare’s Origin certificates are only trusted by Cloudflare proxies. If you want to connect to a machine with such a certificate you either need the certificate itself in your local trust store or the aforementioned root certificate. That is standard SSL behaviour, hence my suggestion that StackExchange would be suited better.

As I wrote, I put both certs in the trust store. I’ve searched Stack Exchange high and low but I’ll post there and see if that bears fruit. Thank you.

Then it is either not the right trust store or whichever client you are using is not using that trust store. Maybe you can force to apply a trusted certificate. That’s all standard SSL behaviour and not specific to Cloudflare.

While the Cloudflare certificates work with browsers, they do not work with the Mono application running on the Raspbian client. RapidSSL and Let’s Encrypt certificates work just fine with the client application. As stated, I have synchronized Mono with the certificate store in Raspbian using cert-sync. I do believe there is something that can be done on the client to get it to accept Cloudflare certificates but I can’t figure it out. If changing to non-Cloudflare certificates is considered solved then, yes, I guess this issue is solved.

The Cloudflare origin certificates DO NOT work with browsers. As stated in the article @sandro linked to above:

Origin CA certificates only encrypt traffic between Cloudflare and your origin web server and are not trusted by client browsers when directly accessing your origin website outside of Cloudflare.

If you are accessing the origin directly (such as when the hostname is :grey: in Cloudflare) the best solution is to use a certificate from a CA such as Let’s Encrypt. If you don’t control the clients, or cannot change the client, the solution is the same.

Make sure you are adding the Cloudflare Origin CA root certificates in your local cert store, and not the origin certificate itself.

That’s the point. They do not work with browsers.

I am certain I don’t have your knowledge or understanding of certificates. I clearly am not expressing myself appropriately.

What I meant was that browsers can access the website when it’s under a Cloudflare certificate and proxied through Cloudflare. For whatever reason(s) the Mono/Raspbian client application cannot access the website when it is proxied through Cloudflare and using a Cloudflare cert.

Yes, when proxied, browsers can load sites but then you are not dealing with Origin certificates but the regular public proxy certificates.

Here we are not talking about these, but about Origin certificates, right? You are not connecting to the proxy but the actual machines, are you not?

No, since I want to use https, I’m connecting via the standard URL to the Cloudflare proxy. Cloudflare has been really nice in that I can just add staging websites and test them before flipping the new server to production by changing the DNS pointer in Cloudflare. It’s my understanding the only way Cloudflare certificates work is through the proxy but, thanks to you, I’ve learned that Cloudflare origin certificates are different. Clearly I should read more about them.

Then we are not talking about Cloudflare certificates, at least not in an Origin context.

If you are connecting to the proxies you will deal with publicly trusted certificates. If you still get that error message, the issue will still be with your local trust store, just that in this case you might actually lack regular publicly trusted CAs.

You really need to check where you are connecting to and what certificate you get and match that against your locally trusted CAs. That’s all.

Of course that is assuming no one is tampering with your network requests.
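The check described above (see which CA issued the certificate you are given, then test it against the CA bundle your client actually reads), as an added example that is not part of the original posts. The function names, "Demo Private Root", "Demo Other Root" and app.example.test are hypothetical; the certificates are generated locally with the openssl CLI, and `served_issuer` is the only part that needs a network.

```bash
#!/usr/bin/env bash
# Added example. Every certificate is constructed locally; nothing is fetched.
# "Demo Private Root" stands in for any CA missing from the client's bundle.

make_demo_pki() {   # $1 = empty working directory
  local d=$1
  # A private root CA, and an unrelated root that plays the client's CA bundle.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Private Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Other Root" \
    -keyout "$d/other.key" -out "$d/bundle.pem" 2>/dev/null
  # Server certificate issued by the private root.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=app.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

issuer_of() {       # issuer line of the certificate in file $1
  openssl x509 -in "$1" -noout -issuer
}

served_issuer() {   # issuer and subject of what a live host serves (needs network)
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -issuer -subject
}

trusts_leaf() {     # $1 = CA bundle, $2 = certificate; prints ok or fail
  if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
    echo ok
  else
    echo fail
  fi
}

demo() {
  local d; d=$(mktemp -d)
  make_demo_pki "$d"
  issuer_of "$d/leaf.pem"
  echo "bundle without the issuing root: $(trusts_leaf "$d/bundle.pem" "$d/leaf.pem")"
  cat "$d/root.pem" >> "$d/bundle.pem"   # the root joins the bundle the client reads
  echo "bundle with the issuing root:    $(trusts_leaf "$d/bundle.pem" "$d/leaf.pem")"
  rm -rf "$d"
}
demo
```

Against a real host, compare the issuer printed by `served_issuer` with the roots in the bundle the failing client is configured to use, which may not be the system-wide one.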

I appreciate your patience and continued responses.

As I wrote earlier, Cloudflare certificates were installed on the Windows Server per that article I cited by Andrew Hoefling. Per the article, both a standard Cloudflare certificate and the Cloudflare origin certificate were installed on the server. Perhaps that article is wrong, but that’s what I followed.

The Mono/Raspbian app connects just fine when Cloudflare proxy is turned off and the Cloudflare certificate is replaced with a RapidSSL certificate or with a Let’s Encrypt certificate.

The CA store in Raspbian is the one supplied to Raspbian/Debian Buster (the most recent version - 10) with the most recent updates available.

The app can connect to the website when certificates by other providers are used (and it is no longer proxied by Cloudflare). When the website is proxied by Cloudflare and Cloudflare certificates are used, browsers can connect to the server but the app still cannot. I’ve tried putting the Cloudflare certs (both standard and origin) in the Raspbian/Debian store and synchronizing it with Mono using cert-sync. That doesn’t make any difference, the error persists so long as the server is running Cloudflare certificates.

Can you share the host name?

If you installed something on your server it cannot be a publicly trusted certificate but only an Origin certificate and these do not work out of the box as mentioned in the first reply.

I am afraid your statements are very contradicting. You say you connect to the proxies but then you are referring to “Cloudflare certificates”. Post the URL you are actually connecting to.

Thanks for sticking with this.

My contradictory statements are due to my lack of knowledge of how Cloudflare works and nomenclature issues. I take full blame for both. At some point in this conversation I had confused the term Origin certificate with root certificate.

I’ve gotten the Raspbian/Mono app to work by changing the CNAME definition in Cloudflare’s DNS from Proxied to DNS Only. I mistakenly thought that Cloudflare certificates require the URL to be Proxied. I can’t say that I understand why the Mono/Raspbian app cannot access the website via HTTPS when the DNS entry is designated as Proxied rather than DNS Only, particularly when it is accessible in browsers using HTTPS when it is defined as Proxied, but that is certainly the case. I’m not the kind of person who is comfortable with just accepting that something works. It is important to me to understand why this configuration works and the others do not but I realize my ignorance on this issue has been persistently frustrating.

The URL is clouddbstage.madgetech.com

Again, thank you for your help.

That is not a proxied address but points straight to Amazon where you have a Let’s Encrypt certificate. This neither involves an Origin certificate nor the proxies. If you have difficulties with that certificate it will be what I mentioned at OPENSSL_internal:CERTIFICATE_VERIFY_FAILED

I am afraid at this point we are really beyond a Cloudflare issue and you best take this to StackExchange or similar administration related forums.

What it comes down to is that you need to make sure your system trusts public CAs.
