Origin Certificate Failing


#1

OK, I’m sure this is dumb, but pulling my hair out … :-(. I’m running an Apache server, and just changed my LetsEncrypt certificates (crt and key) over to the Cloudflare generated Origin Certificate. But, some problems,

  1. With the RSA certificate, I get “Your connection is not private” in Chrome.
  2. With the ECDSA certificate (tried both!), I get “ERR_SSL_VERSION_OR_CIPHER_MISMATCH”

Any suggestions?

Thanks!


#2

Is your site running through Cloudflare? The Cloudflare Origin Certificate is a behind-the-scenes SSL that Cloudflare will recognize when proxying your site. What the visitors see should be independent of SSL on your server.

What’s the domain?


#3

Nope, not through Cloudflare - rather direct (that’s what the Origin Certificate is for, no?).

I have gone back to the “old” LE cert, but can change to the Cloudflare one if you want to check it out.

Thanks!


#4

The Cloudflare Origin certificate is basically a self-signed certificate that only Cloudflare recognizes. It’s not clearly explained…until you get to the “fine print” at the bottom of the support page.
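
The trust split described in the post above, reproduced locally as an added example that is not part of the original thread: a server certificate issued by a private CA fails a browser-style check against public roots but validates for a client that has that CA configured as a trust anchor. It assumes the `openssl` CLI is installed; `demo-origin-ca` and `origin.example.test` are hypothetical names, and the private CA is a stand-in, not Cloudflare's actual Origin CA.

```shell
#!/usr/bin/env bash
# Constructed demo. demo-origin-ca and origin.example.test are hypothetical
# names; the private CA stands in for a CA that only the proxy trusts.

make_demo_pki() {   # $1 = working directory
  # Private CA: not present in any browser or OS trust store.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo-origin-ca" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
  # Key and CSR for the origin web server.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=origin.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
  # The private CA signs the server certificate.
  openssl x509 -req -in "$1/leaf.csr" -days 1 \
    -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
    -out "$1/leaf.pem" 2>/dev/null
}

# Browser-like check: only the system's default public roots are trusted.
trusted_by_public_roots() {   # $1 = server certificate
  openssl verify "$1" >/dev/null 2>&1
}

# Proxy-like check: the private CA is configured as a trust anchor.
trusted_by_private_ca() {   # $1 = CA certificate, $2 = server certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

diagnose() {
  dir="$(mktemp -d)" || return 1
  make_demo_pki "$dir" || { rm -rf "$dir"; return 1; }
  direct=rejected; proxied=rejected
  trusted_by_public_roots "$dir/leaf.pem" && direct=accepted
  trusted_by_private_ca "$dir/ca.pem" "$dir/leaf.pem" && proxied=accepted
  rm -rf "$dir"
  echo "direct=$direct proxied=$proxied"
}

diagnose   # → direct=rejected proxied=accepted
```

Against a real server, the same check is to read the issuer of the certificate it presents: a publicly trusted issuer is needed for direct visitors, while a private-CA issuer is only suitable behind the proxy.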


#5

OK, that makes sense … sort of … :-). I have also tried enabling HTTP Proxy (i.e. orange, through Cloudflare), still the same issue. Definitely could be me though.

Thanks!


#6

With :orange:, you’ll get a similar error if Cloudflare’s SSL certificate hasn’t been activated for your domain on the proxy server. Just keep an eye on the top section of the Crypto page for the SSL Status.


#7

Yep, that makes sense. Thanks! OK, I enabled HTTP proxy (orange cloud), and let it update (made sure IP address changed) … but now the browser says,
NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN

This may be the SSL Status you refer to - but I checked, not sure I really see a “status”. May be me though.

Thanks!


#8

OK, sorry for the sidetrack - seems this issue was client (Chrome) related! Had to clear everything out there, got it working now. Thanks so much for the pointers!

