Origin certificate not verifying

Hi,

I am getting “Your connection is not private” even though I have installed the origin cert and private key.

I have been working on this for a couple of days now.

I am running Ubuntu 20.04. Yesterday I removed and then re-installed Apache2.

I have run a2enmod ssl and got this response:

[email protected]:/etc/apache2/sites-available# a2enmod ssl 
Considering dependency setenvif for ssl: 
Module setenvif already enabled 
Considering dependency mime for ssl: 
Module mime already enabled 
Considering dependency socache_shmcb for ssl: 
Enabling module socache_shmcb. 
Enabling module ssl. 
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates. 
To activate the new configuration, you need to run:   systemctl restart apache2

This is my nslookup and ping:

C:\Users\David> nslookup good-health.ml
Server:  routerlogin.net
Address:  192.168.0.1

Non-authoritative answer:
Name:    good-health.ml
Address:  5.101.140.50

C:\Users\David>ping good-health.ml

Pinging good-health.ml [5.101.140.50] with 32 bytes of data:
Reply from 5.101.140.50: bytes=32 time=19ms TTL=53
Reply from 5.101.140.50: bytes=32 time=27ms TTL=53
Reply from 5.101.140.50: bytes=32 time=20ms TTL=53
Reply from 5.101.140.50: bytes=32 time=19ms TTL=53

Ping statistics for 5.101.140.50:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 27ms, Average = 21ms

This is my .conf file for the domain:

[email protected]:/etc/apache2/sites-available# cat good-health.ml.conf
<VirtualHost *:80>
    ServerAdmin [email protected]
    ServerName good-health.ml
    ServerAlias www.good-health.ml

    Redirect / https://good-health.ml/

    ErrorLog /var/log/apache2/good-health/error.log
    CustomLog /var/log/apache2/good-health/access.log combined
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin [email protected]
    ServerName good-health.ml
    ServerAlias www.good-health.ml
    DocumentRoot /var/www/good-health.ml

    <Directory /var/www/good-health.ml>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>

    ErrorLog /var/log/apache2/good-health/error.log
    CustomLog /var/log/apache2/good-health/access.log combined

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!LOW:!aNULL:!eNULL
    SSLCertificateFile /etc/mycerts/good-health.ml/cf_origin_cert.pem
    SSLCertificateKeyFile /etc/mycerts/good-health.ml/cf_private_key.pem
</VirtualHost>

This is the ONLY domain in the sites-enabled directory.

These are my Cloudflare settings:

It is set to Full (strict).

As you can see I created an Origin Cert and Private Key.

This is how I did it...

Went to the location /etc/mycerts/good-health.ml/, ran vi cf_origin_cert.pem, pressed i (for insert), pasted the origin cert into the vim editor, then closed it with Escape and :wq.

I did the same for the private key at /etc/mycerts/good-health.ml/cf_private_key.pem.

I checked that they looked ok.

Is there anything wrong with this method?

Are you sure the record is currently proxied in the dashboard? Try setting it to DNS Only and then back to proxied.

5.101.140.50 isn’t Cloudflare, and that’s why you see the origin certificate: you’re hitting your origin instead of Cloudflare.

That was a fast reply, thanks.

OK, I have de-proxied to DNS only.

Yes, 5.101.140.50 is the dedicated server I use at UKServers.

Should I now put it back on proxy, or run a test?

It’ll need to be proxied since only Cloudflare trusts your origin certificate; pop them back onto the orange cloud.

OK, done that.

Just ran an openssl check…

[email protected]:/etc/apache2# openssl s_client -showcerts -servername good-health.ml -connect 5.101.140.50:443 -quiet </dev/null
depth=0 O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
verify error:num=21:unable to verify the first certificate
verify return:1

Because you’re connecting to the origin directly (you’re overriding it with -connect 5.101.140.50:443).

That output is fully expected: you’re bypassing Cloudflare.

Wait for dig good-health.ml @1.1.1.1 to return two Cloudflare IPs and then try loading the site in a browser.


I am still getting the error from good-health.ml.

Ahh, OK, I see.

Never used dig.

Here is the response:

[email protected]:/etc/apache2# dig good-health.ml @1.1.1.1

; <<>> DiG 9.16.1-Ubuntu <<>> good-health.ml @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18046
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;good-health.ml.                        IN      A

;; ANSWER SECTION:
good-health.ml.         3600    IN      A       5.101.140.50

;; Query time: 12 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri May 06 14:37:23 BST 2022
;; MSG SIZE  rcvd: 59

Will it take a while before the proxy takes effect?

Is my configuration looking OK?

DNS is showing an A record for 5.xxx.xxx.50 for your domain and that you’re using Freenom nameservers.

$ whois good-health.ml
   Domain Nameservers:
      NS01.FREENOM.COM
      NS02.FREENOM.COM
      NS03.FREENOM.COM
      NS04.FREENOM.COM
$ dig good-health.ml

; <<>> DiG 9.16.27-Debian <<>> good-health.ml
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25465
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;good-health.ml.                        IN      A

;; ANSWER SECTION:
good-health.ml.         3238    IN      A       5.101.140.50
Domain Nameservers:
      NS01.FREENOM.COM
      NS02.FREENOM.COM
      NS03.FREENOM.COM
      NS04.FREENOM.COM

It doesn’t look like you’re actually using Cloudflare at the moment, as @jwds1978 has posted while I was typing, haha.

You need to use Cloudflare nameservers for any of this to work.


Oh my… How embarrassing!!!

I must have had them at one point for CF to show it was protecting…
then maybe I changed them back???

Thanks for checking that.
I have made the change now.

OK, this is my new dig:

[email protected]:/etc/apache2# dig good-health.ml @1.1.1.1

; <<>> DiG 9.16.1-Ubuntu <<>> good-health.ml @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38487
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;good-health.ml.                        IN      A

;; ANSWER SECTION:
good-health.ml.         300     IN      A       172.67.193.33
good-health.ml.         300     IN      A       104.21.20.145

;; Query time: 416 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri May 06 14:52:37 BST 2022
;; MSG SIZE  rcvd: 75

But no change in my browser response.

It may take a little while for the DNS changes to take effect.
At my side it seems to already work.


Wow,

I hope I see that!

That will be the first time Full (Strict) has worked!!

So,
Now I want to load WordPress Multisite so I can have a few subdomains on this.

Thanks for helping.

It can take up to 72 hours or so for DNS to fully propagate across the Internet. But I can see that you’ve updated the nameservers:

$ whois good-health.ml
   Domain Nameservers:
      CORY.NS.CLOUDFLARE.COM
      JILL.NS.CLOUDFLARE.COM

Just be sure that your DNS record(s) within your Cloudflare dashboard are proxied (orange-cloud). If you change them back to unproxied (gray-cloud), the origin certificate will be untrusted by Web browsers.
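The thread's diagnosis boils down to two checks: are the domain's nameservers Cloudflare's, and do the A records that resolvers hand out belong to Cloudflare's edge (proxied) or to the origin (DNS only, where browsers see the Origin CA certificate and reject it)? The following script, written for this thread and not from Cloudflare or any poster, automates that reasoning over dig output; the Cloudflare ranges listed are a subset of the published IPv4 list at https://www.cloudflare.com/ips/, and the dig snippets are constructed from the answers shown earlier in the thread.

```python
import ipaddress
import re

# Subset of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips/).
# Fetch the full, current list from that page before relying on this check.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "162.158.0.0/15",
    "198.41.128.0/17", "141.101.64.0/18", "108.162.192.0/18",
)]

# Constructed samples, reproducing the ANSWER SECTION lines seen in the thread.
DIG_BEFORE = """;; ANSWER SECTION:
good-health.ml.         3600    IN      A       5.101.140.50
"""
DIG_AFTER = """;; ANSWER SECTION:
good-health.ml.         300     IN      A       172.67.193.33
good-health.ml.         300     IN      A       104.21.20.145
"""
FREENOM_NS = ["NS01.FREENOM.COM", "NS02.FREENOM.COM"]
CLOUDFLARE_NS = ["CORY.NS.CLOUDFLARE.COM", "JILL.NS.CLOUDFLARE.COM"]

A_LINE = re.compile(r"^\S+\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def a_records(dig_output):
    """Return the IPv4 addresses from the A records in dig's ANSWER SECTION."""
    return [m.group(1) for m in map(A_LINE.match, dig_output.splitlines()) if m]


def is_cloudflare(ip):
    """True if the address lies inside one of the listed Cloudflare ranges."""
    return any(ipaddress.ip_address(ip) in net for net in CLOUDFLARE_V4)


def diagnose(dig_output, nameservers):
    """Apply the thread's reasoning: nameservers first, then proxied A records."""
    if not all(ns.lower().endswith(".ns.cloudflare.com") for ns in nameservers):
        return "not on cloudflare: the zone is not delegated to Cloudflare nameservers"
    addrs = a_records(dig_output)
    if not addrs:
        return "no a records: nothing to check yet"
    if all(is_cloudflare(a) for a in addrs):
        return "proxied: browsers get Cloudflare's edge certificate, Origin CA cert stays behind it"
    return "dns only: browsers hit the origin and see the untrusted Cloudflare Origin CA certificate"


if __name__ == "__main__":
    print(diagnose(DIG_BEFORE, FREENOM_NS))
    print(diagnose(DIG_BEFORE, CLOUDFLARE_NS))
    print(diagnose(DIG_AFTER, CLOUDFLARE_NS))
```

The same logic applies to the openssl s_client run earlier in the thread: a `-connect` to the origin IP bypasses the proxy, so seeing the Origin CA chain with verify errors there is expected and is not a misconfiguration.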

Works for me now too.
