Origin Server Certificate - 400 Bad Request The SSL certificate error on Nginx

Hi, I’m trying to configure nginx so that it will accept requests only from Cloudflare servers by using certs.

I’m getting the error:

400 Bad Request
The SSL certificate error
nginx/1.22.0 (Ubuntu)

I tried with Ingress-NGINX and had the same error. Then I decided that I would try it with a basic Nginx webserver.

Here’s the Nginx configuration:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # "ssl on;" is deprecated; the "listen ... ssl" directives above already enable TLS
    server_name app.example.com www.app.example.com;
    ssl_certificate         /etc/nginx/ssl/tls.pem;
    ssl_certificate_key     /etc/nginx/ssl/key.pem;
    # CA bundle used to verify the *client* certificate presented by Cloudflare
    ssl_client_certificate /etc/nginx/ssl/ca.crt;
    ssl_verify_client on;
    location / {
        root /var/www/html;
    }
}
  • tls.pem & key.pem - generated in Cloudflare Panel → SSL/TLS → Origin Server → Create Certificate → RSA (2048) → Hostnames app.example.com
  • ca.crt - taken from https://developers.cloudflare.com/ssl/static/origin_ca_rsa_root.pem
  • Authenticated Origin Pulls - enabled
  • SSL/TLS encryption mode - Full ; I tried also with Full (strict)
  • In DNS zone the A record has the proxy enabled

FYI, the ingress config was pretty much the same:

  metadata:
    name: nginx-web
    namespace: test
    annotations:
      nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
      nginx.ingress.kubernetes.io/auth-tls-secret: "test/cloudflare-ca" # I tried with the ca itself and with the tls+ca and with the tls+ca+key
      # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" # changing the value also didn't help
      # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" # didn't help
  spec:
    ingressClassName: nginx
    (...)
    tls:
        - hosts:
            - app.example.com
          secretName: cloudflare-tls

Am I missing something?

I forgot to upload the logs:

2023/12/23 13:08:48 [debug] 3760#3760: *1 verify:0, error:20, depth:0, subject:"/C=US/ST=California/L=San Francisco/O=Cloudflare, Inc./OU=Origin Pull/CN=origin-pull.cloudflare.net", issuer:"/C=US/O=CloudFlare, Inc./OU=Origin Pull/L=San Francisco/ST=California/CN=origin-pull.cloudflare.net"
2023/12/23 13:08:48 [info] 3760#3760: *1 client SSL certificate verify error: (21:unable to verify the first certificate) while reading client request headers, client: xx.xx.xx.xx, server: app.example.com, request: "GET / HTTP/2.0", host: "app.example.com"
2023/12/23 13:08:48 [info] 3761#3761: *2 client SSL certificate verify error: (21:unable to verify the first certificate) while reading client request headers, client: xx.xx.xx.xx, server: app.example.com, request: "GET /favicon.ico HTTP/2.0", host: "app.example.com", referrer: "https://app.example.com/"
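The log lines above already contain the diagnosis: the verify callback reports OpenSSL error 20/21 at depth 0 for a client certificate whose issuer is Cloudflare's origin-pull CA, which means the CA named in `ssl_client_certificate` is not the one that signed that certificate. The following script is an added example (not from this thread, nginx or Cloudflare) that parses nginx error-log lines of this shape and turns the OpenSSL verify code plus the issuer DN into an operator hint. It assumes nginx's default `error_log` format with `debug` level enabled so the `verify:` lines are present; the sample lines are constructed after the ones in the thread, with a documentation IP in place of the redacted client address.

```python
"""Triage nginx error-log lines for client-certificate (mTLS) verification failures.

Added example: assumes nginx's default error_log format at debug level.
The sample lines at the bottom are constructed, modelled on the thread's logs.
"""
import re
from collections import defaultdict

# Verify-callback debug line: verify:<0|1>, error:<code>, depth:<n>, subject:"...", issuer:"..."
DEBUG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[debug\] \S+ \*(?P<conn>\d+) '
    r'verify:(?P<ok>[01]), error:(?P<code>\d+), depth:(?P<depth>\d+), '
    r'subject:"(?P<subject>[^"]*)", issuer:"(?P<issuer>[^"]*)"'
)
# Info line emitted when the handshake is rejected because of the client cert.
INFO_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[info\] \S+ \*(?P<conn>\d+) '
    r'client SSL certificate verify error: \((?P<code>\d+):(?P<msg>[^)]*)\)'
    r'.*?client: (?P<client>[^,]+), server: (?P<server>[^,]+)'
)

# OpenSSL X509_V_ERR_* codes that nginx surfaces, read from the verifier's side.
VERIFY_HINTS = {
    2:  "issuer certificate missing: the chain presented by the client is incomplete",
    20: "no local issuer: the CA that signed the client cert is not in ssl_client_certificate",
    21: "cannot verify first cert: the client leaf's issuer is not in ssl_client_certificate",
    10: "client certificate has expired (check clock and rotation)",
    18: "self-signed client certificate presented, not trusted",
    19: "self-signed root in the chain is not in ssl_client_certificate",
    23: "client certificate is revoked (see ssl_crl)",
}


def parse_line(line: str):
    """Return (connection id, fields) for a verify-related line, None otherwise."""
    m = DEBUG_RE.match(line)
    if m:
        d = m.groupdict()
        return d["conn"], {"subject": d["subject"], "issuer": d["issuer"],
                           "depth": int(d["depth"]), "code": int(d["code"])}
    m = INFO_RE.match(line)
    if m:
        d = m.groupdict()
        return d["conn"], {"code": int(d["code"]), "msg": d["msg"],
                           "client": d["client"].strip(), "server": d["server"].strip()}
    return None


def triage(lines):
    """Merge debug and info lines per connection and attach an operator hint."""
    per_conn = defaultdict(dict)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            conn, fields = parsed
            per_conn[conn].update(fields)  # the later info line overrides the debug code
    results = []
    for conn, f in sorted(per_conn.items(), key=lambda kv: int(kv[0])):
        code = f.get("code")
        hint = VERIFY_HINTS.get(code, f"OpenSSL verify error {code}")
        issuer = f.get("issuer", "")
        # The thread's case: Cloudflare's origin-pull client cert chains to a dedicated
        # CA, not to the Origin CA root that signs origin *server* certificates.
        if code in (2, 20, 21) and "Origin Pull" in issuer:
            hint += ("; issuer is Cloudflare's origin-pull CA, so ssl_client_certificate "
                     "must contain authenticated_origin_pull_ca.pem")
        results.append({"conn": conn, "client": f.get("client"), "server": f.get("server"),
                        "code": code,
                        "issuer_cn": issuer.rsplit("CN=", 1)[-1] if issuer else None,
                        "hint": hint})
    return results


# Constructed sample, modelled on the thread's log lines (client IP is a documentation address).
SAMPLE_LINES = [
    '2023/12/23 13:08:48 [debug] 3760#3760: *1 verify:0, error:20, depth:0, '
    'subject:"/C=US/ST=California/L=San Francisco/O=Cloudflare, Inc./OU=Origin Pull/CN=origin-pull.cloudflare.net", '
    'issuer:"/C=US/O=CloudFlare, Inc./OU=Origin Pull/L=San Francisco/ST=California/CN=origin-pull.cloudflare.net"',
    '2023/12/23 13:08:48 [info] 3760#3760: *1 client SSL certificate verify error: '
    '(21:unable to verify the first certificate) while reading client request headers, '
    'client: 203.0.113.7, server: app.example.com, request: "GET / HTTP/2.0", host: "app.example.com"',
    '2023/12/23 13:08:48 [info] 3761#3761: *2 client SSL certificate verify error: '
    '(21:unable to verify the first certificate) while reading client request headers, '
    'client: 203.0.113.7, server: app.example.com, request: "GET /favicon.ico HTTP/2.0", host: "app.example.com"',
    '2023/12/23 13:08:49 [notice] 3760#3760: signal process started',
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        print(f"conn {r['conn']} from {r['client']} -> {r['server']}: "
              f"error {r['code']} (issuer CN {r['issuer_cn']}): {r['hint']}")
```

Run it against `tail -n 200 /var/log/nginx/error.log` (with `error_log ... debug` set while you investigate) and every rejected handshake comes out with its issuer CN and the likely configuration cause, which is quicker than reading raw `[debug]` lines.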

For origin pull, this is the certificate you need…
https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem

see…

(although it is better to use your own later, as that also protects you from other Cloudflare accounts pointing at your server).

2 Likes

Thanks!!
It worked, even with my own CSR as you suggested, with the CA that you provided.
