While it is possible to run multiple tunnels associated with the same domain on a single host, it is not possible to run multiple tunnels when the domains associated with them are not the same, at least not seamlessly. Currently, in order to achieve this you need to:
- Initiate tunnel login for domain 1, which creates cert.pem in /root/.cloudflared/
- Create tunnel(s) for domain 1 and start them.
- Rename cert.pem in /root/.cloudflared to something else, for example domain1.cert.pem
- Initiate tunnel login for domain 2, which generates a new cert.pem file in /root/.cloudflared
- Create tunnel(s) for domain 2 and start them.
At this point, if tunnel 1 needs to be restarted, it will fail unless we rename the cert.pem created for domain 2 and then rename the one for domain 1 back to cert.pem in /root/.cloudflared/
The issue is that, while we are able to tell cloudflared which config file to use via the --credential-file global option, the binary is hardcoded to look for the certificate file as /root/.cloudflared/cert.pem and we cannot override this. This limitation also makes it impossible to run multiple tunnels for separate domains as a service, since the result would be that one of them will fail to recover upon a restart or reboot of the host.
Adding a new global option in cloudflared for --certificate-file (for example) would solve this limitation and allow the tunnels to coexist seamlessly and also run as a service.
That sounds like what the --origincert option is used for. I renamed a cert.pem to cyberjake.xyz.pem and another to cyberjake.cf.pem and can use cloudflared tunnel --origincert <cert/path> tunnel run just fine.
I’m running the 2022.4.1 build of cloudflared and I don’t see --origin-cert listed as a valid option. Here’s the output of
[email protected]:/home/linuxadmin# cloudflared --help
cloudflared - Cloudflare's command-line tool and agent
cloudflared [global options] [command] [command options]
2022.4.1 (built 2022-04-12-1614 UTC)
cloudflared connects your machine or user identity to Cloudflare's global network.
You can use it to authenticate a session to reach an API behind Access, route web traffic to this machine,
and configure access control.
See https://developers.cloudflare.com/cloudflare-one/connections/connect-apps for more in-depth documentation.
update Update the agent if a new version exists
version Print the version
proxy-dns Run a DNS over HTTPS proxy server.
service Manages the cloudflared system service
help, h Shows a list of commands or help for one command
access, forward access <subcommand>
tunnel Use Cloudflare Tunnel to expose private services to the Internet or to Cloudflare connected private users.
--credentials-file value, --cred-file value Filepath at which to read/write the tunnel credentials [$TUNNEL_CRED_FILE]
--region value Cloudflare Edge region to connect to. Omit or set to empty to connect to the global region. [$TUNNEL_REGION]
--overwrite-dns, -f Overwrites existing DNS records with this hostname (default: false) [$TUNNEL_FORCE_PROVISIONING_DNS]
--help, -h show help (default: false)
--version, -v, -V Print the version (default: false)
(c) 2022 Cloudflare Inc.
Your installation of cloudflared software constitutes a symbol of your signature indicating that you accept
the terms of the Apache License Version 2.0 (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/license),
@Cyb3r-Jak3, thanks for pointing this out. I simply assumed it was not possible to point to a cert file based on the output of the --help flag. Didn’t expect the command output to be incomplete.
Yeah, I believe the --origincert flag is only available for the tunnel subcommand.
Awesome, I was able to set up the two tunnels I wanted. Thanks again. If you have the ability to do so, feel free to close this thread.
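The setup the thread converges on, written out as an added example (this is not code from the thread or from cloudflared): one origin certificate per domain, each passed to the tunnel subcommand with --origincert, so nothing has to be renamed back to cert.pem between restarts. It assumes the certs are stored as <domain>.cert.pem and the tunnel credentials as <tunnel-name>.json under $CERT_DIR; the domains and tunnel names are placeholders. Because cert.pem carries an API token for the account, the wrapper also refuses to start a tunnel whose cert is missing or readable by other users.

```shell
#!/bin/sh
# Added example: one cloudflared tunnel per domain, each with its own
# origin certificate, instead of renaming ~/.cloudflared/cert.pem around.
#
# Assumptions (not stated in the thread): origin certs live in $CERT_DIR
# as <domain>.cert.pem and tunnel credentials as <tunnel>.json; tunnel
# names and domains below are illustrative placeholders.

CERT_DIR="${CERT_DIR:-/root/.cloudflared}"
CLOUDFLARED="${CLOUDFLARED:-cloudflared}"   # set to "echo" for a dry run

# cert_path DOMAIN: print the origin certificate path used for DOMAIN.
cert_path() {
    printf '%s/%s.cert.pem\n' "$CERT_DIR" "$1"
}

# check_cert PATH: the origin cert embeds an account API token, so refuse
# to use one that is missing or readable by other users. Returns 0 if OK.
check_cert() {
    cert="$1"
    [ -f "$cert" ] || { echo "missing origin cert: $cert" >&2; return 1; }
    # GNU stat first, BSD stat as fallback
    mode=$(stat -c '%a' "$cert" 2>/dev/null || stat -f '%Lp' "$cert")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "origin cert $cert has mode $mode; expected 600" >&2; return 1 ;;
    esac
}

# run_tunnel DOMAIN TUNNEL: start TUNNEL with the origin cert for DOMAIN.
# --origincert belongs to the "tunnel" subcommand, so it goes between
# "tunnel" and "run"; --credentials-file is listed as a global option in
# the help output quoted above, so it goes before "tunnel".
run_tunnel() {
    domain="$1"; tunnel="$2"
    cert=$(cert_path "$domain")
    check_cert "$cert" || return 1
    "$CLOUDFLARED" --credentials-file "$CERT_DIR/$tunnel.json" \
        tunnel --origincert "$cert" run "$tunnel"
}

# Usage: two tunnels for two different zones, started side by side.
# run_tunnel example.com web-example-com &
# run_tunnel example.net web-example-net &
# wait
```

The same two invocations can be turned into two separate service units, each pointing at its own cert, which is what removes the restart problem described in the first post: no unit depends on which file currently happens to be called cert.pem.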