Setting Up NGINX Cloudflare

What is the name of the domain?

jordanpicton.xyz

Brief:

I’ve been trying to install and set up NGINX and Cloudflare using these guides:

Though when trying to connect to the website I’m having no luck. As listed below, I’ve tried adding the SSL certificates and it looked like I was getting somewhere, but then I realised Cloudflare wasn’t enabled, and no, it wasn’t working before re-enabling it.

I don’t have any other settings enabled when it comes to the SSL settings under edge certificates.

I’m just at a loss as to what to try at the moment, as I can access the default website via the external IP and internal IP, just not the domain name.

On the last guide I noticed in the comments that I was using the wrong Cloudflare cert for client signing, but even after updating this to the one from this page (I’m using RSA) it still doesn’t work properly.

I’ve also heard that I should try using Let’s Encrypt? Though how would I even go about doing this with Cloudflare and NGINX, or should I even be thinking of that right now?

What is the error message?

ERR_SSL_VERSION_OR_CIPHER_MISMATCH (With Cloudflare)
net::ERR_CERT_AUTHORITY_INVALID (Without Cloudflare)

What is the issue you’re encountering?

Can’t access website from domain

What steps have you taken to resolve the issue?

  • Ensured ports are open via host machine
  • Port forwarded
  • Changed all internal machine ports using the same port
  • Added Origin certs
  • Added PiHole Exclusions

First install an SSL certificate on your origin, then set the Cloudflare SSL/TLS mode to “Full (strict)” here…
https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates

Also, Cloudflare doesn’t seem to have an edge SSL certificate set up for your domain. Check that Universal SSL is enabled at the bottom of the page here…
https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates

If it is enabled, try disabling it, wait 2 minutes, then enable it again.

https://cf-staging.sjr.dev/tools/check?d35cd21062f8491d95e3388c8265c20c#connection-server-https

I did not have Universal SSL enabled, I’ll give this a go. :slight_smile:

Should I be using an edge certificate instead of an origin certificate? Because right now I’ve only got the origin one being used.

If using the Cloudflare proxy, you need an edge certificate so clients connecting to Cloudflare use SSL.

You also need an SSL certificate on your origin so the connection between Cloudflare and your origin is also secured with SSL (SSL/TLS mode “Full (strict)”). Not using SSL between Cloudflare and your origin (“Flexible” mode) is insecure.

You don’t specifically need to use a Cloudflare origin certificate on your origin; you can use Let’s Encrypt or another trusted CA. A Cloudflare origin certificate can be valid for up to 15 years, but requires use of the Cloudflare proxy - attempting to use it directly will throw a warning in your browser as it is only trusted by Cloudflare, not browsers.

I enabled the option you gave me, and I’ve seen somewhere on the forums that you mention using the certificate from here: Zone-level authenticated origin pulls · Cloudflare SSL/TLS docs.

Should I be using this one for the origin over this one?

Also, thanks for helping me. I’m getting an NGINX 400 SSL cert error now.

Yep, this was my last problem to fix. Thank you so much @sjr for the help. :slight_smile:

~Blood

Use the Origin CA certificates, Authenticated Origin Pull is another feature. Get your origin SSL working first.

The link above solved my issue, as I was using the wrong verification key: I’m using RSA whilst the verification key was using ECC or EEC.

So jordanpicton.xyz works fine for me now. Though I’ve tried applying all this knowledge to a different server block and I’ve still got the same problem as when I first started this post, even though I’ve made all the same changes that I made to jordanpicton.xyz.

When setting up the server blocks, is it that one configuration looks like this:

# Server configuration
server {
        listen 80;
        listen [::]:80;
        server_name mywebsite.com www.mywebsite.com;
        return 302 https://$server_name$request_uri;
}

server {

        # SSL Config
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        ssl_certificate         /etc/ssl/mywebsite-cert.pem;
        ssl_certificate_key     /etc/ssl/mywebsite-key.pem;
        ssl_client_certificate /etc/ssl/cloudflare.pem;
        ssl_verify_client on;

        server_name mywebsite.com www.mywebsite.com;

        root /var/www/mywebsitecom;
        index index.html index.htm index.nginx-debian.html;

        location / {
                try_files $uri $uri/ =404;
        }

}

Whilst using that same configuration doesn’t work for my second server block, but the one below does?

# Server configuration
server {
        listen 80;
        listen [::]:80;
        server_name mywesbite2.com www.mywesbite2.com;
        return 302 https://$server_name$request_uri;
}

server {

        # SSL Config
        listen 443;
        listen [::]:443;
        ssl_certificate         /etc/ssl/mywesbite2com-cert.pem;
        ssl_certificate_key     /etc/ssl/mywesbite2com-key.pem;
        ssl_client_certificate /etc/ssl/cloudflare.pem;
        ssl_verify_client on;

        server_name mywesbite2.com www.mywesbite2.com;

        root /var/www/mywesbite2com;
        index index.html index.htm index.nginx-debian.html;

        location / {
                try_files $uri $uri/ =404;
        }

}

The difference between them being the listen 443 ssl http2. Why is it that this works and the first one doesn’t?

Thanks in advance,
~Blood

(I figured it out: I needed to make them all the same and remove or update the default server block to have the same settings as the others. I also then needed to go into Cloudflare and actually have the DNS pointing towards the host machine rather than a different source.)
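The mismatch the poster hit above (one server block listening on 443 with the ssl parameter, another without, and all blocks needing the same settings) is easy to catch before reloading nginx. The following is an added example, not code from the thread or from nginx or Cloudflare: a small audit that walks every server block in a config and flags a 443 listener missing ssl, and ssl_verify_client on without an ssl_client_certificate to verify against. The sample config is constructed to mirror the two blocks posted above; the hostnames and paths are placeholders.

```python
import re

# Constructed sample config (not from the thread): two server blocks on 443,
# the second of which is missing the ssl parameter and the client CA cert.
SAMPLE_CONF = """
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mywebsite.com www.mywebsite.com;
    ssl_certificate /etc/ssl/mywebsite-cert.pem;
    ssl_certificate_key /etc/ssl/mywebsite-key.pem;
    ssl_client_certificate /etc/ssl/cloudflare.pem;  # Cloudflare origin-pull CA
    ssl_verify_client on;
}
server {
    listen 443;          # plain HTTP on the TLS port
    listen [::]:443;
    server_name mywesbite2.com www.mywesbite2.com;
    ssl_certificate /etc/ssl/mywesbite2com-cert.pem;
    ssl_certificate_key /etc/ssl/mywesbite2com-key.pem;
    ssl_verify_client on;
}
"""

def server_blocks(conf):
    """Return the body text of each server { ... } block, found by brace counting."""
    conf = re.sub(r"#.*", "", conf)          # drop comments first
    blocks, i = [], 0
    while True:
        m = re.search(r"\bserver\s*\{", conf[i:])  # does not match server_name
        if not m:
            return blocks
        start = i + m.end()
        depth, j = 1, start
        while depth and j < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[j], 0)
            j += 1
        blocks.append(conf[start:j - 1])
        i = j

def audit(conf):
    """Return (server_name, problem) tuples for every TLS misconfiguration found."""
    findings = []
    for body in server_blocks(conf):
        m = re.search(r"server_name\s+([^;]+);", body)
        name = m.group(1).split()[0] if m else "(no server_name)"
        for spec in re.findall(r"listen\s+([^;]+);", body):
            parts = spec.split()
            port = parts[0].rsplit(":", 1)[-1]     # handles 443, 0.0.0.0:443, [::]:443
            if port == "443" and "ssl" not in parts[1:]:
                findings.append((name, f"listen {spec} on 443 without the ssl parameter"))
        if re.search(r"ssl_verify_client\s+on;", body) and "ssl_client_certificate" not in body:
            findings.append((name, "ssl_verify_client on but no ssl_client_certificate"))
    return findings
```

Run it against the real file with `audit(open("/etc/nginx/sites-enabled/default").read())` and fix every flagged block so all 443 listeners carry `ssl` and the same client-certificate settings.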

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.