SSL 526 Error, Origin CA Cert

Pulling my hair out! LOL. Moved from one domain to another. Just updated Apache, using the (new / matching) Origin CA Cert. But getting a 526 error. Tried all the debugging steps, no joy. Here is my config in Apache2,

        <VirtualHost *:443>
                ServerName xxxxx.com
                Include sites-available/librenms.conf
                SSLVerifyClient require
                SSLVerifyDepth 1
                SSLCACertificateFile /etc/apache2/keys/origin-pull-ca.pem
        </VirtualHost>

And no errors in the Apache2 log. Cloudflare is set for Full (Strict), but even Full fails.

Thoughts? Thanks!

Are you just trying to add an SSL certificate for your new domain? Or are you trying to set up origin pull (as that’s the configuration you have used)?

This is a config where I have both…

	SSLVerifyClient require
	SSLVerifyDepth 1
	#SSLCACertificateFile /usr/share/example/certs/cf_authenticated_origin_pull_ca.pem
	SSLCACertificateFile /usr/share/example/certs/cf_example_authenticated_origin_pull__ca-crt.pem

	Include /etc/letsencrypt/options-ssl-apache.conf
	SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>

Just trying to set up origin pull => all traffic proxied. Seems what I have should work?

Thanks!

If you are using authenticated origin pull, then you still need the usual SSL certificate on the origin as well. See my example.

So still needing these items? That may be my error . Can I generate those on Cloudflare, or Linux (self-signed somehow)?

Thanks!

You can use a self signed certificate - your Cloudflare SSL/TLS settings need to be “Full”, not “Full (strict)”. But best to use Full (strict) with a proper certificate.

You can get that from anywhere (such as LetsEncrypt) or get one from Cloudflare, but that only works for Cloudflare to origin connections.

Sorry - I know this is me, but …

From the Origin Server, I get two outputs … cert (pem), and private key. But it seems like I need 3 different files? Or just me?

Thanks!

Two files, the cert and the key is correct.

LOL - OK that’s where I get confused. You show 3 files in your example. Or is SSLCACertificateFile not needed?

The SSLCACertificateFile is the origin pull certificate.

I think you are confusing the certificate needed to encrypt to your origin (the self-signed one you just made), and the origin pull certificate which ensures only Cloudflare can connect to your origin. If you don’t know the difference, delete this stuff and just use the two files from your self signed certificate…

                SSLVerifyClient require
                SSLVerifyDepth 1
                SSLCACertificateFile /etc/apache2/keys/origin-pull-ca.pem

Agreed! But - that’s back to where I started, LOL! I only want traffic through Cloudflare (proxied), not direct. But the link between Cloudflare and my origin server is what seems to be broken, even using the origin-pull-ca. Unless I’m grabbing the wrong file, which is possible. Getting it from here. Thinking I have the wrong file.

Thanks! And sorry for the spinning around - it’s 100% me

OK, making some progress … LOL. It does seem that all 3 lines are needed, even to go through Cloudflare (proxy). Odd, as that wasn’t the case on the old domain, but on the new one I need it - even though the settings appear to be identical. Odd.

That all said, I have 2 sites - set up the same. One directly serves pages, the other proxies (actually, ProxyPass) to an http server on my local LAN. That one fails, with the error,

AH02039: Certificate Verification: Error (20): unable to get local issuer certificate

Does it make any sense that ProxyPass may cause this?

Thanks!

Found it! . I had disabled SSLVerifyClient require on one site, not the other - by accident. This was always enabled before, but now causes things to fail? Will dig more, but any pointers would be appreciated.

Thanks again!