Origin CA and SSL Required in IIS10

user4961 · April 15, 2019, 11:53pm

I have a site set up on Cloudflare that is set to full SSL.- my issue is that I get a 403 error if I set “SSL Required” to true in IIS, but the error goes away if I turn it off.

Site uses a Cloudflare origin CA and I also added the intermediate CA as described here https://support.cloudflare.com/hc/en-us/articles/115000479507#h_30cc332c-8f6e-42d8-9c59-6c1f06650639

The bindings on the site in IIS with his CA work - the site works - and it says that the CA is ok.
I am not sure that I have the intermediate set up right so maybe that is the issue.

So
1 - does setting “SSL Required” in IIS matter?
2 - if this does need to be set to true then what could be causing the 403 error?
3 - is the intermediate needed?
4 - could the intermediate CA be the problem and is there a way to test it?

Thanks!

sandro · April 16, 2019, 5:09am

Unfortunately I am not all that familiar with IIS, so it is mostly guessing here, but is this setting related to SSL itself or to client authentication? If it is the latter it could explain the issue and should be disabled. If it is the former it probably should be enabled. Can you post a screenshot of it?

Typically yes, not always though.

If you havent imported it could be, but if you have it shouldnt be.

I would first test it outside of a Cloudflare context and make sure the site is reachable by going directly to the server.

user9693 · April 16, 2019, 6:46pm

Thanks for your reply, getting a late start today.
I think I have things working. Writing everything down as a question seems to often point out the error.
I think the certs were actually working the whole time, the issue was that I did not have Always Use Https=On (although I thought I did).
When I had Require SSL = true in IIS and the page was not posted with https I got the 403 error.
When I set Always Use Https = ON and Auto Https Rewrites = ON it all (seems to) work.

So in answer to to my question I would say that
In IIS you need:
Root Cert
Origin Cert
Require SSL = true (not sure about setting on client cert but Accept seems to work - it should always be coming from CF)
In CF you need
SSL=Full Strict
Always Use Https = On
Auto Rewrite Https = On

sandro · April 16, 2019, 6:56pm

That configuration sounds about right. The client certificate, respectively I assume you mean client authentication, should be most certainly disabled however.

user9693 · April 16, 2019, 8:10pm

Ok - I may have added that to correct the problem I thought I had. I’ll see what happens if I remove that

system · May 15, 2019, 11:53pm

This topic was automatically closed after 30 days. New replies are no longer allowed.