I have a local web server configured on Windows Server IIS and I’m passing all traffic to such using Cloudflare WAF. I’m facing a problem with the SSL Certificate, where locally on the Server itself, it shows the SSL Certificate and the website is secure. Whereas when accessing such website locally on the network, for instance, users PC. it shows that the website is unsecure and that there is no SSL certificate.
If you are referring to a Cloudflare Origin CA certificate, those are not recognized as valid by web browsers nor are they meant to be. They are intended to be validated only by the Cloudflare proxy. If you will be permitting direct connections from internal clients, you will need to use a certificate issued by a trusted public CA.
And no, it doesn’t tell you there is no certificate, it tells you there’s an untrusted certificate, which Origin certificates are and which you experience because of mentioned DNS issue. Again, proxies.
yeah exactly, that is the thing that was shown. You mean by DNS, I have to proxy internal users when accessing the website locally to use the Cloudflare online? is there any other way to fix it locally?
No, as I wrote in the first response, you are not using the public address locally but the local one and that’s why you connect to your server instead of the proxies. You need to make sure you use the proper DNS entries, hence the tweaks I referred to.
I would drop the DNS tampering and simply connect via the proxies, that will fix your entire issue. Otherwise you will either have to trust that certificate or use a publicly trusted one, but at this point this really is all a bit outside the scope of the forum I am afraid.
so you mean it’s better to add a DNS that points the domain to the IP on the Cloudflare, and by that the certificate will be trusted, but does this slow the process? since the request will be online instead of being locally?. or even if I leave it as is, it will stay secure, since the SSL is already there, but it’s giving untrusted since it’s not being proxied by Cloudflare, right?
No, DNS already points to Cloudflare anyhow, you are simply overriding this locally and run into this issue. You can certainly do that, but then you can either not use an Origin certificate or need to trust Origin certificates. Which option you choose is up to you, I would avoid tampering with DNS.
Point is, it is difficult to use Origin certificates outside of a Cloudflare context and Let’s Encrypt will be better here.
but the 1st point will make the request from being locally to passing through Cloudflare online, which will make things slower right?
2nd point, I will have to install the certificate on each of the PCs found on the internal network right?
for 3rd point, this is just used locally right?
which is more secured?