SSL Certificate Locally

Hello All,

I have a local web server configured on Windows Server IIS and I’m passing all traffic to it through Cloudflare WAF. I’m facing a problem with the SSL certificate: locally, on the server itself, it shows the SSL certificate and the website is secure, whereas when accessing the website locally on the network, for instance from a user’s PC, it shows that the website is insecure and that there is no SSL certificate.

What could be the problem?

Thanks in advance!

Locally you will simply connect directly and not via the proxies.

  • Which certificate did you configure on your server?
  • What’s your encryption mode on Cloudflare?
  • Which domain is it?

An Origin Certificate was installed on the server.
I generated an RSA 2048 certificate.

Yes, we’re accessing the website locally, but the problem is that it’s not picking up the SSL certificate locally; it only works on the server itself, not on the network.
Thanks!

Of course, for aforementioned reason. You will need to tweak your local DNS configuration.

But as far as Cloudflare is concerned, if your encryption mode is Full Strict, you have a secure configuration.

If you are referring to a Cloudflare Origin CA certificate, those are not recognized as valid by web browsers nor are they meant to be. They are intended to be validated only by the Cloudflare proxy. If you will be permitting direct connections from internal clients, you will need to use a certificate issued by a trusted public CA.

So make sure you are on Full Strict and your connection goes via the proxies and there won’t be any warning.

And no, it doesn’t tell you there is no certificate, it tells you there’s an untrusted certificate, which Origin certificates are and which you experience because of the mentioned DNS issue. Again, proxies.

Yeah, exactly, that is what was shown. By DNS, do you mean I have to proxy internal users through Cloudflare online when they access the website locally? Is there any other way to fix it locally?

So you mean that for local SSL I shouldn’t use Cloudflare SSL, or I can keep it showing the error, since it’s still secure but shows as not being trusted?

No, as I wrote in the first response, you are not using the public address locally but the local one and that’s why you connect to your server instead of the proxies. You need to make sure you use the proper DNS entries, hence the tweaks I referred to.

Alternatively you can simply add the following root certificate to your trust store.

There are effectively three possibilities:

  1. Keep the origin certificate using the first method proposed by @sandro which is to route your internal traffic through the public IP. You would need to update your internal DNS to accommodate that.
  2. Add the Cloudflare Origin CA root certificate to the trusted store of your internal devices and continue connecting directly.
  3. Use a certificate from a trusted public CA. This could be a commercial certificate or Let’s Encrypt.
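To see which of the three situations a given client is in, and to apply option 2 on that client, here is an added PowerShell example; it is not code from the thread or from Cloudflare. It assumes `$Domain` and `$RootCertPath` are placeholders you replace, that `$RootCertPath` points at the Cloudflare Origin CA root certificate downloaded from Cloudflare’s Origin CA documentation, and that the issuer string Cloudflare uses for Origin CA certificates contains “CloudFlare Origin SSL”. It must be run in an elevated PowerShell on each internal client (or the final import pushed to all clients via Group Policy), not on the IIS server.

```powershell
# Added example (not from the thread). Step 1 checks whether the client resolves the
# name to a private address, i.e. a local DNS override that bypasses the Cloudflare
# proxies. Step 2 fetches the certificate IIS presents without trusting it and reports
# the issuer and whether it chains to a trusted root. Step 3 applies option 2 (trust the
# Origin CA root) only when an untrusted Origin CA certificate was seen.
# Assumptions: $Domain and $RootCertPath are placeholders; $RootCertPath holds the
# Origin CA root downloaded from Cloudflare's documentation.
$Domain       = 'www.example.com'
$RootCertPath = 'C:\certs\cloudflare-origin-ca-root.pem'

# 1. Where does this client actually resolve the name?
$ips = (Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop).IPAddress | Where-Object { $_ }
$private = $ips | Where-Object { $_ -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' }
if ($private) {
    Write-Host "$Domain resolves to private address(es) $($private -join ', '): connecting straight to the origin, not via Cloudflare (option 1 would change this)."
} else {
    Write-Host "$Domain resolves to $($ips -join ', '): connecting via the Cloudflare proxies."
}

# 2. Fetch the presented certificate for inspection only; the validation callback
#    accepts anything so we can read the issuer even when the chain is untrusted.
$tcp = New-Object System.Net.Sockets.TcpClient($Domain, 443)
$ssl = New-Object System.Net.Security.SslStream(
    $tcp.GetStream(), $false,
    [System.Net.Security.RemoteCertificateValidationCallback] { $true })
$ssl.AuthenticateAsClient($Domain)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

Write-Host "Issuer  : $($cert.Issuer)"
Write-Host "Expires : $($cert.NotAfter)"
Write-Host "Trusted on this machine: $($cert.Verify())"   # $false = the browser warning you see

# 3. Option 2: trust the Origin CA root on this client. A publicly issued
#    certificate (option 3) already verifies and needs nothing here.
if ($cert.Issuer -like '*CloudFlare Origin SSL*' -and -not $cert.Verify()) {
    Import-Certificate -FilePath $RootCertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Write-Host "Imported Origin CA root into LocalMachine\Root; re-check: $($cert.Verify())"
}
```

Step 3 is the per-client work option 2 implies: the root goes into each client’s machine trust store, not onto the server, and it still does nothing for devices outside your control, which is why option 3 (a publicly trusted certificate) is the usual choice when direct internal access must stay.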

I would drop the DNS tampering and simply connect via the proxies, that will fix your entire issue. Otherwise you will either have to trust that certificate or use a publicly trusted one, but at this point this really is all a bit outside the scope of the forum I am afraid.


So you mean it’s better to add a DNS entry that points the domain to the IP on Cloudflare, and that way the certificate will be trusted? But doesn’t this slow things down, since the request will go online instead of staying local? Or, even if I leave it as is, it will stay secure, since the SSL is already there, and it only shows untrusted because it’s not being proxied by Cloudflare, right?

No, DNS already points to Cloudflare anyhow, you are simply overriding this locally and run into this issue. You can certainly do that, but then you can either not use an Origin certificate or need to trust Origin certificates. Which option you choose is up to you, I would avoid tampering with DNS.

Point is, it is difficult to use Origin certificates outside of a Cloudflare context and Let’s Encrypt will be better here.

Thanks!
But the 1st point will change the request from staying local to passing through Cloudflare online, which will make things slower, right?
For the 2nd point, I will have to install the certificate on each of the PCs on the internal network, right?
For the 3rd point, is this just used locally?
Which is more secure?
Thanks!

Should this be added on the server itself, or on each PC accessing the web server?

Once more, this is up to you. I would not tamper with DNS, but if you do you need to take certificates into account, it really is what I just wrote.


Oh, I was checking and I’ve done so on IIS. On IIS the SSL is working just fine, but when accessing from other PCs on the network, it shows untrusted.

Of course, for aforementioned reason. You are probably best switching over to Let’s Encrypt certificates.