Origin Server and Edge Certificate

I have a website, and I have used Cloudflare to generate an “Origin Server” Certificate. I then installed the origin certificate on my Apache web server. I have also set up my DNS records, and they are proxied through Cloudflare.

Now, when I access my website through the internet, which goes through Cloudflare, I see a lock icon next to the URL, indicating that my connection is secure. This is good.

The problem arises when I try to access my website internally, using the private IP address of my server. I receive an SSL certificate warning stating that the website certificate is not trusted. After conducting a quick search, I discovered that this is because the “Origin Server” Certificate is not a browser-trusted certificate.

My questions are: How can I make my website trusted by browsers, whether it is accessed from the internet through Cloudflare or internally through the private IP address? Is the edge certificate the solution to my issue? How can I obtain the edge certificate as a file and install it on my web server (Apache)?

I would greatly appreciate step-by-step instructions.

Thank you very much for your assistance.

The edge certificate is for the “edge”, where user requests connect to Cloudflare. It is not for your origin.

You need a signed certificate from Letsencrypt or another CA to have a full certificate in place on your origin.

Allowing access to your origin without going through Cloudflare means Cloudflare’s protections are bypassed, so you really should ensure users can only reach the server through Cloudflare: block direct access using your firewall, and maybe use authenticated origin pull.

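As an added illustration of the point above (this script is not part of the original thread and is not Cloudflare’s code): the warning in the question is a trust-store problem, not a broken certificate. The script builds a constructed private CA standing in for Cloudflare’s Origin CA, issues a leaf certificate for example.com, and then asks openssl to verify it twice: once against the default system trust store, which is what a browser does and which fails, and once against the issuing CA itself, which is what Cloudflare’s edge does when it connects to your origin and which succeeds. All names and paths are constructed; the only dependency is the openssl CLI.

```shell
#!/bin/sh
# Constructed demo: why an "Origin Server" certificate is trusted by Cloudflare's
# edge but not by a browser. "Demo Origin CA" is a stand-in, NOT Cloudflare's CA.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create the stand-in origin CA (self-signed, constructed for this demo).
make_origin_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Origin CA (constructed)" \
    -keyout "$WORK/origin-ca.key" -out "$WORK/origin-ca.pem" 2>/dev/null
}

# Issue a leaf certificate for example.com, signed by the stand-in CA.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=example.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" \
    -CA "$WORK/origin-ca.pem" -CAkey "$WORK/origin-ca.key" -CAcreateserial \
    -days 30 -out "$WORK/leaf.pem" 2>/dev/null
}

# issuer_of CERT: print the issuer line so you can see who signed a certificate.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

# verify_chain CERT [CAFILE]: prints "trusted" or "untrusted".
# With no CAFILE openssl uses the default system trust store, as a browser would;
# with CAFILE it trusts only that CA, as Cloudflare's edge does for Origin CA certs.
verify_chain() {
  cert="$1"
  cafile="$2"
  if [ -n "$cafile" ]; then
    if openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
      echo trusted
    else
      echo untrusted
    fi
  else
    if openssl verify "$cert" >/dev/null 2>&1; then
      echo trusted
    else
      echo untrusted
    fi
  fi
}

make_origin_ca
make_leaf
echo "leaf issuer:                         $(issuer_of "$WORK/leaf.pem")"
echo "against system store (browser view): $(verify_chain "$WORK/leaf.pem")"
echo "against issuing CA (edge view):      $(verify_chain "$WORK/leaf.pem" "$WORK/origin-ca.pem")"
```

The same two `openssl verify` calls are a quick way to check a real origin: point `-CAfile` at the CA you expect to have signed the certificate, and compare with a run against the system store to see whether a browser will accept it.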

Can I get my certificate signed by Cloudflare, since I have a Business Plan?

I don’t want to create another account with other public CA.

Cloudflare doesn’t sign edge certificates; it uses external CAs.

With a business account you can upload your own certificate to the edge, but that’s the opposite of what you want!

You don’t need an account with a CA. Just generate a free LE certificate with certbot…

So I have to upload my own certificate to Cloudflare and it will be signed by one of the CAs Cloudflare partnered with?

No, the LetsEncrypt certificates are just normal SSL certificates, not specific to Cloudflare. Therefore they are trusted by all browsers (and therefore Cloudflare’s proxy as well).

Just run certbot on your server and it will generate and sign a certificate with Letsencrypt and can install it into Apache’s configuration for you if you wish.

Nice, thanks!
Is LetsEncrypt free?

Yes.

I manually generated a new wildcard certificate using certbot and successfully installed it in my web server. However, when I access my website, I get a Cloudflare error message “Bad gateway”.

Browser: ✓
Cloudflare: ✓
Host: ✗

I still have my origin server certificate in my Cloudflare account.

  • do I have to revoke this certificate to resolve my issue?
  • or do I have to upload my new LetsEncrypt certificate to the edge certificate in Cloudflare?

Please help.

Thanks,
