Setting up Apache to use TLS Authenticated Origin Pulls

I have a VPN server with about 70 websites and all are using Cloudflare.
I asked cPanel support to implement Origin Pulls and it did not work.

These were the errors seen.

[Thu Dec 19 12:57:00.960535 2019] [ssl:warn] [pid 30166] AH01909: asubdomainnameonmyserver.com:443:0 server certificate does NOT include an ID which matches the server name.

It appears that there will need to be an SSL certificate from Cloudflare. Also, there may be a setting at Cloudflare that needs to be enabled for origin pulls. Please contact CloudFlare and request information on how they recommend setting this up on a cPanel server as this is a shared hosting environment.

Please help

That doesn't seem to be about Origin Pulls (or better, SSL client authentication) but rather an issue with the actual certificate of your own site. Can you clarify that?

Configuring the certificate for Origin Pulls is covered at https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls#section5

However, I am wondering if your host didn't confuse that, as I'd usually expect hosts not to agree that easily to enabling client authentication.

My host is Hostmonster; however, I asked cPanel support to implement it and they could not due to the error above. They asked me to go back to Cloudflare and ask if all SSL certificates should be from Cloudflare.
I should take this to Hostmonster support.

Contacting your host would be a good idea. I am not exactly familiar with that particular error message; however, it doesn't seem to be related to client authentication but the server certificate. Also, shared hosts typically do not enable client authentication.

One more thing. Do you know if there is a risk in enabling it?
Is performance going down? The question is, what is the trade-off?

On Cloudflare’s side or your server’s?

Not really.

To what? It simply makes sure requests have to come from a client which has the matching private key of the certificate.
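
The distinction drawn in this thread, server certificate versus client authentication, as an Apache virtual host sketch. This is an added example, not part of the original posts and not cPanel's or Cloudflare's own configuration; the hostname and every file path are placeholders.

```apache
# Added example; www.example.com and all paths below are placeholders.
<VirtualHost *:443>
    ServerName www.example.com

    # Server side of TLS: the certificate this origin presents to whoever
    # connects. AH01909 is logged when this certificate carries no name
    # matching ServerName; it is unrelated to client authentication.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/example/www.example.com.key

    # Client side of TLS (Authenticated Origin Pulls): require the connecting
    # client to present a certificate that chains to the CA in this file.
    # The file is assumed to hold the origin-pull CA certificate published
    # in the Cloudflare article linked above.
    SSLVerifyClient      require
    SSLVerifyDepth       1
    SSLCACertificateFile /etc/ssl/example/cloudflare-origin-pull-ca.pem
</VirtualHost>
```

With `SSLVerifyClient require`, a TLS client that cannot present a certificate signed by that CA is refused, so requests that bypass Cloudflare and hit the origin directly do not get served by this virtual host.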
