Problems with SSL certificates and Firewalls

I am managing some DNS records on CloudFlare and I have some deployments on DigitalOcean.

The first issue I have is the SSL certificates for my deployments. I generated a CA certificate with the CloudFlare dashboard, imported it on DigitalOcean (Bring my certificate) and then referenced its ID in my deployments. The browser loads the HTTPS site but with a warning, and when curling I get the following message:
curl -X GET "https://api.mydomain.com"
curl: (60) SSL certificate problem: unable to get local issuer certificate

So how can I import a proper SSL certificate to DigitalOcean?

The second issue I’m getting is with a firewall here on CloudFlare. I set up some rules and they work perfectly when hitting the hostname “kibana.mydomain.com”, but not the IP behind the hostname. Though I couldn’t see in the Firewall rules how to add such an IP, nor in the Firewall documentation. Am I missing something? How do I ensure that such a resource (hostname or its IP) is allowed/blocked by some rules?

Thanks

You may need to add the root certificate as well, though I’m surprised a browser would show that error if it’s hitting the URL through a Cloudflare proxy.

Cloudflare Firewall only protects the hostname, as proxied by Cloudflare. If someone bypasses the proxy and goes directly to your server’s IP address, you’d have to find a way to block such access, such as a server firewall to only allow cloudflare.com/ips through.

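The origin-side mitigation in the reply above (only letting Cloudflare's published ranges reach the web ports, so a request that skips the proxy and goes straight to the server's IP is dropped) as an added example that is not code from the thread or from Cloudflare. It renders an nftables ruleset from a one-CIDR-per-line list, the same shape as the lists at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6; the prefixes in the sample are constructed RFC 5737/3849 documentation ranges, not Cloudflare's, and the table and set names are my own. It assumes a Linux origin with nftables.

```shell
#!/bin/sh
# Added example, not from the thread. Renders an nftables ruleset that accepts ports 80/443
# only from the ranges in a list file and drops those ports for everyone else, so traffic
# that bypasses the Cloudflare proxy and hits the origin IP directly is blocked.
# Assumes: a Linux origin with nftables. Sample ranges below are constructed documentation
# prefixes, not Cloudflare's real list; fetch the real one and re-render on a schedule,
# because the published ranges change over time.
set -eu

# Constructed sample list in the one-CIDR-per-line shape of Cloudflare's published lists.
SAMPLE_LIST="${SAMPLE_LIST:-$(mktemp)}"
cat >"$SAMPLE_LIST" <<'EOF'
# comments and blank lines are ignored; malformed entries are skipped, not loaded
192.0.2.0/24
198.51.100.0/24

203.0.113.0/24
not an address
2001:db8::/32
EOF

# Prints only syntactically plausible CIDR lines. Anything with characters outside
# [0-9a-fA-F:./] is reported on stderr and dropped, so a corrupted download cannot
# inject a bad element into the firewall set.
clean_cidrs() {
  grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | while IFS= read -r cidr; do
    case "$cidr" in
      *[!0-9a-fA-F:./]*) echo "skip malformed entry: $cidr" >&2 ;;
      *) printf '%s\n' "$cidr" ;;
    esac
  done
}

# Comma-joined IPv4 and IPv6 elements (a colon marks IPv6).
v4_elements() { clean_cidrs "$1" | grep -v ':' | paste -sd ',' -; }
v6_elements() { clean_cidrs "$1" | grep ':' | paste -sd ',' -; }

# One nftables set; an empty element list is emitted without an elements clause,
# which nft accepts, instead of "elements = { }", which it does not.
set_block() {
  if [ -n "$3" ]; then
    printf '  set %s { type %s; flags interval; elements = { %s } }\n' "$1" "$2" "$3"
  else
    printf '  set %s { type %s; flags interval; }\n' "$1" "$2"
  fi
}

# Full ruleset: accept web ports from the sets, drop web ports from anyone else,
# leave every other port alone (policy accept) so SSH and monitoring are unaffected.
render_nft_allowlist() {
  v4="$(v4_elements "$1" | sed 's/,/, /g')"
  v6="$(v6_elements "$1" | sed 's/,/, /g')"
  echo 'table inet origin_guard {'
  set_block cf_v4 ipv4_addr "$v4"
  set_block cf_v6 ipv6_addr "$v6"
  cat <<'EOF'
  chain input {
    type filter hook input priority 0; policy accept;
    ip saddr @cf_v4 tcp dport { 80, 443 } accept
    ip6 saddr @cf_v6 tcp dport { 80, 443 } accept
    tcp dport { 80, 443 } drop
  }
}
EOF
}

render_nft_allowlist "$SAMPLE_LIST"
```

Pipe the output into `nft -f -` on the origin (or write it to a file under `/etc/nftables.d/`) after replacing the sample list with the real downloaded ranges; because the set uses `flags interval`, whole prefixes are matched without expanding them. This only covers the bypass path the reply describes: requests that do arrive through the proxy still carry the client's real address in Cloudflare's headers, and the Cloudflare firewall rules stay responsible for those.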

I’ve read the documentation and I understand why I should add it. Though I can’t understand where or how I can use it in DigitalOcean. When selecting “Bring my own certificate” the only fields I can see there are:

  • Name (mandatory)
  • Certificate (mandatory)
  • Private Key (mandatory)
  • Certificate Chain (optional)

Where would the Root certificate go?

I believe this should be included in Certificate Chain.


I created a new certificate, copy pasted the “root” in the Chain and once again my browser says: “Warning: Potential Security Risk Ahead”

:frowning:

@erictung by “included” I guess you don’t just mean copy paste. Should I put also the “Certificate” and “Private Key” in the Chain? If yes, in which order with Root?

You don’t need to include your private key into it - and never do it.

Usually in the certificate chain, your website public key (certificate) comes first, then if you have intermediate certificates, place them after your website certificate. Lastly, place the root certificate at the end.

Hi Eric,

I am not sure if we are supposed to contact community members directly, but could you look at the below issue.

Generally you don’t need to include the actual root. The user agents (browsers) will already have a copy of the root, and including it just increases the size of the data sent to the client during handshake.

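An added example that is not code from the thread or from either provider, covering the chain order given a few posts up (leaf, then intermediates, root last) and the point just above that the root itself is optional. It builds a throwaway root, intermediate and leaf with openssl, then reproduces the exact curl complaint from the opening post, "unable to get local issuer certificate", by verifying the leaf against a trust store that knows the root but is never handed the intermediate; supplying the intermediates (what the "Certificate Chain" field is for) makes the same verification pass. The CA names, hostname and working directory are all constructed, and the script assumes openssl 1.1.1 or later with its default config.

```shell
#!/bin/sh
# Added example, not from the thread. Builds root -> intermediate -> leaf with openssl,
# assembles the chain in the order described (leaf, intermediate, root), and shows why
# a client that has only the root fails until the intermediate is sent.
# Assumes openssl 1.1.1+ with its default config. All names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

make_test_pki() (
  cd "$WORK"
  # Root CA: self-signed; the default req config marks it CA:TRUE.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test Root CA" -keyout root.key -out root.pem 2>/dev/null
  # Intermediate CA: CSR signed by the root with CA extensions.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Test Intermediate CA" \
    -keyout intermediate.key -out intermediate.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' >intermediate.ext
  openssl x509 -req -days 1 -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile intermediate.ext -out intermediate.pem 2>/dev/null
  # Leaf (server) certificate: CSR signed by the intermediate, SAN for the constructed host.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=api.example.test" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:api.example.test\n' >leaf.ext
  openssl x509 -req -days 1 -in leaf.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial \
    -extfile leaf.ext -out leaf.pem 2>/dev/null
  # What a "Certificate Chain" field should carry: the intermediates; the root is optional.
  cat intermediate.pem root.pem >chain.pem
  # Full bundle in the order the thread gives: leaf first, intermediates, root last.
  cat leaf.pem chain.pem >fullchain.pem
)

# Verifies leaf.pem against trust anchor $1, optionally with untrusted intermediates $2.
# Exit status 0 on success, non-zero otherwise. The private key is never involved.
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$WORK/$1" -untrusted "$WORK/$2" "$WORK/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/$1" "$WORK/leaf.pem" >/dev/null 2>&1
  fi
}

# The verifier's reason text when only trust anchor $1 is available and nothing else.
verify_reason() {
  openssl verify -CAfile "$WORK/$1" "$WORK/leaf.pem" 2>&1 \
    | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

# Subject CNs of fullchain.pem in file order, to eyeball the layout.
chain_order() {
  openssl crl2pkcs7 -nocrl -certfile "$WORK/fullchain.pem" \
    | openssl pkcs7 -print_certs -noout | sed -n 's/^subject=.*CN *= *//p'
}

make_test_pki
echo "chain order: $(chain_order | tr '\n' ' ')"
echo "client has only the root, server sent only the leaf: $(verify_reason root.pem)"
if verify_leaf root.pem chain.pem; then echo "with the intermediate supplied: OK"; fi
```

The failing case is the one in the opening post: curl trusts the CA but the server never sends the intermediate, so the leaf's issuer cannot be found locally. Pasting `intermediate.pem` (with or without `root.pem` after it) into the optional chain field is what fixes it; the leaf goes in the certificate field and the key stays in the private key field only.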

The Cloudflare CA root?

Will it work perfectly?
