Origin SSL certificates - Issuer/CA

Hi there,

I have a number of services that I have provided the Certificate file (.crt) and Key file (.key) to provide HTTPS to my web services. How do I go about getting the Issuer/CA .crt file?


Not sure if this is what you are after

but generally speaking you should never really deal with the certificate yourself, that should be only the proxies.

I have had a look at this previously, essentially I’m looking for a certificate file that has the authenticity of the issuer.

My setup:
Cloudflare/Proxied-SSL —> Router ----> Nginx Reverse proxy (Origin SSL enabled) ----> Web services (… with SSL files locally)

Well, that would be aforementioned certificate. Do you want this for network-internal requests which do not go via the proxies?

Everything is dedicated-hosted so all would need to be external.

So what I’m doing at the moment, is moving from a hosted web server to self-hosted through OVH on an ESXi VM container. I am using a Wordpress auto-migrator tool and am getting this error. It appears to not be able to verify the issuer, which is something I have possibly needed in the past for my Postfix mail server too.


I am moving my site: https://stellar-network.co.uk to https://migration.stellar-network.co.uk (temp domain)

If it becomes too much of a pain I can just manually migrate if the plugin has issues with SSL

In that case you might need to specify mentioned root certificate as trusted root certificate. But again, these requests should not go directly in the first place but via the proxies, in which case you will never deal with the Origin certificate.

Anyhow, try that certificate. Also, Origin certificates won’t be a good idea for anything mail related. You should be using them really only in a proxied context.

I will look into that

Thing I’ve just realised is, not sure if my SSL certificates are coming through the Cloudflare SSL proxy, or through Nginx Reverse Proxy as they are being issued as the traffic passes through Nginx…

So possibly if I remove the SSL element from Nginx, I will not have the CA/Issuer problem(?)

You can’t remove SSL from your server as you still need a certificate there but if it is something public you should choose Lets Encrypt instead.

That error message looks like something browser related in which case your server might try to connect to itself and that would be an internal connection and aforementioned issue. You either import said certificate or use something which your system will trust by default (e.g. Lets Encrypt).

I see what you’re saying, would this be running LetsEncrypt on each web server instance? Or running multiple LE certs on the Nginx reverse proxy?

I am afraid your setup is not entirely clear to me.

Are you saying you have the Cloudflare proxies connect to your Nginx instance, which then forwards requests within the local network to other web servers?

CloudFlare SSL/Proxy —> Nginx Reverse Proxy (SSL Origin cert assigned to each subdomain —> web services

Both the Cloudflare Proxy and Nginx are applying SSL to the services. Nginx is using the Origin cert to apply SSL


(Ignore the internal IP address there, purely for testing)

In that case you definitely need a certificate on your reverse proxy and - depending on how “internal” your network is - possibly also on your actual web servers.

IMHO it’s this issue

1 Like

My network consists of one physical host, running ESXi, with a vRouter (pfSense) and Nginx Reverse Proxy and then web services behind it

I do have SSL certs being applied through Nginx as the screenshots show

I’m going to try removing SSL certs on my server-side overall and see if Cloudflare will handle it, as well as removing the SSL from Nginx and having each web server running LetsEncrypt

Not sure about your last sentence. You can’t remove SSL from Nginx, unless you take Nginx completely out of the equation and proxy directly to your SSL-enabled web servers.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.