Please allow specifying cloudflared tunnel pem file location

While it is possible to run multiple tunnels associated with the same domain in a single host, it is not possible to run multiple tunnels when the domains associated with them are not the same, at least not seamlessly. Currently, in order to achieve this you need to:

  1. Initiate tunnel login for domain 1, which creates the cert.pem in /root/.cloudflared/
  2. Create tunnel(s) for domain1 and start them.
  3. Rename the cert.pem file in /root/.cloudflared to something else, for example domain1.cert.pem
  4. Initiate tunnel login for domain 2; this generates a new cert.pem file in /root/.cloudflared
  5. Create tunnels for domain 2 and start them.

At this point, if tunnel 1 needs to be restarted, it will fail unless we rename the cert.pem created for domain2 and then rename back the one for domain1 as cert.pem in /root/.cloudflared/

The issue is that, while we are able to tell cloudflared which config file to use via the --credential-file global option, the binary is hardcoded to look for the certificate file as /root/.cloudflared/cert.pem and we cannot override this. This limitation also makes it impossible to run multiple tunnels for separate domains as a service, since the result would be that one of them will fail to recover upon a restart or reboot of the host.

Adding a new global option in cloudflared for --certificate-file (for example) would solve this limitation and allow the tunnels to coexist seamlessly and also run as a service.

That sounds like what the --origincert option is used for. I renamed a cert.pem to cyberjake.xyz.pem and another to cyberjake.cf.pem and can use cloudflared tunnel --origincert <cert/path> tunnel run just fine.


I’m running the 2022.4.1 build of cloudflared and I don’t see --origin-cert listed as a valid option. Here’s the output of cloudflared --help

[email protected]:/home/linuxadmin# cloudflared --help
NAME:
   cloudflared - Cloudflare's command-line tool and agent

USAGE:
   cloudflared [global options] [command] [command options]

VERSION:
   2022.4.1 (built 2022-04-12-1614 UTC)

DESCRIPTION:
   cloudflared connects your machine or user identity to Cloudflare's global network.
     You can use it to authenticate a session to reach an API behind Access, route web traffic to this machine,
     and configure access control.
   
     See https://developers.cloudflare.com/cloudflare-one/connections/connect-apps for more in-depth documentation.

COMMANDS:
   update     Update the agent if a new version exists
   version    Print the version
   proxy-dns  Run a DNS over HTTPS proxy server.
   service    Manages the cloudflared system service
   help, h    Shows a list of commands or help for one command
   Access:
     access, forward  access <subcommand>
   Tunnel:
     tunnel  Use Cloudflare Tunnel to expose private services to the Internet or to Cloudflare connected private users.

GLOBAL OPTIONS:
   --credentials-file value, --cred-file value  Filepath at which to read/write the tunnel credentials [$TUNNEL_CRED_FILE]
   --region value                               Cloudflare Edge region to connect to. Omit or set to empty to connect to the global region. [$TUNNEL_REGION]
   --overwrite-dns, -f                          Overwrites existing DNS records with this hostname (default: false) [$TUNNEL_FORCE_PROVISIONING_DNS]
   --help, -h                                   show help (default: false)
   --version, -v, -V                            Print the version (default: false)

COPYRIGHT:
   (c) 2022 Cloudflare Inc.
   Your installation of cloudflared software constitutes a symbol of your signature indicating that you accept
   the terms of the Apache License Version 2.0 (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/license),
   Terms (https://www.cloudflare.com/terms/) and Privacy Policy (https://www.cloudflare.com/privacypolicy/).

@Cyb3r-Jak3, thanks for pointing this out. I simply assumed it was not possible to point to a cert file based on the output of the --help flag. Didn’t expect the command output to be incomplete.

Yeah, I believe the --origincert flag is only available for the tunnel subcommand.

Awesome, I was able to setup the two tunnels I wanted. Thanks again. If you have the ability to do so, feel free to close this thread.
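One way to run the two tunnels as services once the certs have been renamed, as an added example that is not from this thread or from the cloudflared project: a POSIX shell script that refuses group- or world-readable origin certs and credentials files (both authorise tunnel management for the zone) and prints one systemd unit per domain that pins --origincert and --credentials-file explicitly. The file paths, tunnel names, service user and unit layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: one systemd unit per domain so that
# tunnels with different origin certs run side by side as services.
# Paths, tunnel names, the service user and the unit layout are assumptions.
set -eu
# check_cred_file PATH: cert.pem and the tunnel credentials authorise
# tunnel management for the zone, so refuse group/world-readable copies.
check_cred_file() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "insecure mode $mode on $f (expected 600)" >&2; return 1 ;;
    esac
}

# tunnel_unit NAME ORIGINCERT CREDS: print a unit that pins both files
# explicitly instead of relying on the default ~/.cloudflared/cert.pem.
tunnel_unit() {
    name=$1; cert=$2; creds=$3
    check_cred_file "$cert" || return 1
    check_cred_file "$creds" || return 1
    cat <<EOF
[Unit]
Description=cloudflared tunnel $name
After=network-online.target

[Service]
ExecStart=/usr/local/bin/cloudflared tunnel --origincert $cert run --credentials-file $creds $name
Restart=on-failure
User=cloudflared
NoNewPrivileges=yes
ProtectSystem=strict

[Install]
WantedBy=multi-user.target
EOF
}

# Constructed demo: two domains with renamed certs, written to a scratch dir.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    for dom in domain1 domain2; do
        : > "$d/$dom.cert.pem"; : > "$d/$dom.creds.json"
        chmod 600 "$d/$dom.cert.pem" "$d/$dom.creds.json"
        tunnel_unit "$dom-tunnel" "$d/$dom.cert.pem" "$d/$dom.creds.json" \
            > "$d/cloudflared-$dom.service"
    done
fi
```

Run it with `demo` as the first argument to see the generated units; for a real host, copy each unit into /etc/systemd/system and enable it separately.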