SSL/TLS, Origin Certificates and 502 Bad Gateway

Hi,

I’m trying to set up Full (strict) or at least Full encryption mode on a cPanel hosting account proxied through Cloudflare on a free plan.

Initially I tried setting up using a Let's Encrypt certificate, which obviously did not work, as from reading some other forum posts I understand Let's Encrypt certificates are not accepted for Full (strict) encryption mode on free plans.

Now I’m trying to do the same thing using a Cloudflare origin certificate. I took these steps until now:

  1. generated the certificate on Cloudflare;
  2. added the Cloudflare-generated private key and certificate in cPanel as for any regular certificate;
  3. installed the certificate for the specified domains; the certificate includes the main domain and the wildcard "*.domain.com";
  4. also added the Cloudflare CA bundle certificate when installing the certificate.

So to my eyes I took all of the required steps.

Now if I choose the Full or Full (strict) encryption modes for this domain in Cloudflare I get a 502 Bad Gateway error.

If, however, I select the Flexible encryption mode the website loads just fine. Also, if I select Off, obviously the site loads fine except there’s no secure connection, but I can see that the Cloudflare certificate was installed properly.

Also, using a Let's Encrypt certificate installed on the server, if I turn off proxying through Cloudflare the website works as expected.

What am I missing? Anybody else faced this issue and found a solution?

Thank you

May I ask, have you tried checking with the steps from the below article?

Therefore, have you checked your access or error log at your origin host/server for any clue?

Is your app working over a supported and compatible port with Cloudflare proxy mode :orange:?:

If you installed the Cloudflare Origin CA certificate correctly at cPanel, you have got the green lock and it says it expires in 15 years (or shorter if you selected), correct?

May I ask if you have got some firewall installed at cPanel, like Imunify360, or ModSecurity enabled?

Nevertheless, do not skip the below step and kindly re-check that Cloudflare is allowed to connect to your origin host, as described in the below article:

The Cloudflare IP addresses list can be found here:
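The checks in the reply above (origin firewall, Cloudflare IP allow-listing, a port the proxy actually connects to) can be run against the origin's own firewall log rather than by guessing. The script below is an added example, not code from the original thread or from Cloudflare: it parses iptables-style LOG lines (the `[FW-DROP]` / `[FW-ACCEPT]` prefixes, the sample log lines and the host addresses are all constructed for the example), classifies each source as Cloudflare or not using a snapshot of Cloudflare's published IPv4 ranges, and reports whether Cloudflare edges are being blocked on the HTTPS ports that Full and Full (strict) depend on. The range and port lists are snapshots and should be refreshed from Cloudflare's published lists before relying on them.

```python
import ipaddress
import re
from collections import defaultdict

# Snapshot of Cloudflare's published IPv4 ranges. Assumption: refresh this
# from https://www.cloudflare.com/ips-v4 before trusting it; the list changes.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CF_NETWORKS = [ipaddress.ip_network(n) for n in CLOUDFLARE_IPV4]

# Origin ports the Cloudflare proxy connects to (snapshot, assumed current).
CF_HTTP_PORTS = {80, 8080, 8880, 2052, 2082, 2086, 2095}
CF_HTTPS_PORTS = {443, 2053, 2083, 2087, 2096, 8443}

# Constructed firewall log lines in iptables LOG format. The "[FW-DROP]" /
# "[FW-ACCEPT]" prefixes are an assumed --log-prefix; adjust to your ruleset.
SAMPLE_FIREWALL_LOG = """\
Jan  6 06:30:01 web1 kernel: [FW-ACCEPT] IN=eth0 OUT= SRC=172.68.10.5 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=80
Jan  6 06:30:02 web1 kernel: [FW-DROP] IN=eth0 OUT= SRC=172.68.10.5 DST=203.0.113.10 PROTO=TCP SPT=51235 DPT=443
Jan  6 06:30:03 web1 kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40000 DPT=443
Jan  6 06:30:04 web1 sshd[1234]: Accepted publickey for admin from 192.0.2.9 port 50000
""".splitlines()

FW_LINE = re.compile(
    r"\[FW-(?P<action>DROP|ACCEPT)\].*?\bSRC=(?P<src>\S+).*?\bDPT=(?P<dport>\d+)"
)


def is_cloudflare_ip(ip: str) -> bool:
    """True if ip falls inside one of the published Cloudflare IPv4 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CF_NETWORKS)


def summarize_firewall_log(lines):
    """Count firewall decisions per destination port, split by whether the
    source is a Cloudflare edge address. Non-firewall lines are ignored."""
    summary = {
        "cf_accepted": defaultdict(int),
        "cf_dropped": defaultdict(int),
        "other_dropped": defaultdict(int),
    }
    for line in lines:
        m = FW_LINE.search(line)
        if not m:
            continue
        dport = int(m.group("dport"))
        from_cf = is_cloudflare_ip(m.group("src"))
        if from_cf and m.group("action") == "ACCEPT":
            summary["cf_accepted"][dport] += 1
        elif from_cf:
            summary["cf_dropped"][dport] += 1
        elif m.group("action") == "DROP":
            summary["other_dropped"][dport] += 1
    return {k: dict(v) for k, v in summary.items()}


def findings(summary):
    """Turn the per-port counts into the checks the reply above asks for."""
    out = []
    dropped_https = sorted(p for p in summary["cf_dropped"] if p in CF_HTTPS_PORTS)
    if dropped_https:
        out.append(
            f"Cloudflare IPs are being dropped on HTTPS port(s) {dropped_https}; "
            "Full and Full (strict) cannot work until these are allowed"
        )
    accepted = set(summary["cf_accepted"])
    if (accepted & CF_HTTP_PORTS) and not (accepted & CF_HTTPS_PORTS):
        out.append(
            "Cloudflare only ever reaches this origin on HTTP ports; that is why "
            "Flexible works while Full and Full (strict) return a gateway error"
        )
    return out


if __name__ == "__main__":
    s = summarize_firewall_log(SAMPLE_FIREWALL_LOG)
    print(s)
    for f in findings(s):
        print("-", f)
```

Run it against the real log (`journalctl -k` or `/var/log/messages` on most cPanel hosts, with the prefix your LOG rule uses) and look for Cloudflare sources dropped on 443: a Flexible setup that works only proves port 80 is reachable, which is exactly the gap the sample log shows.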

Hi,

When not proxied, the certificate is not trusted by the browser (issued by Cloudflare).

When proxied, the certificate is trusted; it says issued by Let's Encrypt, but I get the 502 error: Bad gateway, Please try again in a few minutes.

True, the hostname should be proxied :orange: and set to Full (strict) SSL when using an Origin CA cert.
That way you will not end up having this error showing up in a web browser.

Even using Full (Strict) SSL?

Have you got some redirection, like from HTTP to HTTPS including non-www to www, in the .htaccess file (Apache)?

If I could just add a note, I have got 2 domains using Cloudflare Origin CA Certificate on cPanel, Full (Strict), Apache - working fine.

May I ask what is your domain name?

No, no redirects. I only have a simple PHP file in the public folder just to test things out. So I’m keeping things as simple as possible so that it’s easier to debug.

When the hostname is proxied and set to Full (strict) SSL and using the Origin CA cert, I get the 502 error, and it says that the certificate is valid and its details are:

Common Name (CN) R3
Organization (O) Let’s Encrypt
Organizational Unit (OU)
Issued On Thursday, January 6, 2022 at 6:26:23 AM
Expires On Wednesday, April 6, 2022 at 7:26:22 AM

But obviously the page is not loading.

I also worked with the hosting provider to solve the issue, but they say there’s no issue with the certificate installation (and I can confirm that by setting encryption to Off) and that on their side there is nothing blocking Cloudflare IPs, which I have to agree with since it works if I set the encryption to Flexible and keep the hostname proxied.

I checked all of the other potential issues from the tutorial you provided. There are plenty of resources available and the IPs are not blocked.

It’s interesting that I have a second domain hosted with the same provider and using a cPanel, Inc. issued certificate which works fine with Full (strict) encryption. So apparently there’s some issue with the Cloudflare-issued certificate, as if Cloudflare does not trust its own certificate.

By the way, thank you for taking the time to reply.
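Two details in the exchange above are worth separating. The certificate the browser shows while proxied (issued by Let's Encrypt R3) is the one Cloudflare's edge presents to visitors; the Origin CA certificate installed in cPanel is only ever presented to Cloudflare, so the browser's padlock says nothing about it. And Flexible mode connects to the origin over plain HTTP on port 80, so a working Flexible setup does not prove that the origin accepts TLS on port 443. The script below, an added example that is not code from the thread or from Cloudflare, reproduces what the proxy does in Full and Full (strict): it connects to the origin IP directly on port 443 with SNI set to the hostname and, in strict mode, verifies the chain against a supplied CA file (for an Origin CA certificate, the Cloudflare Origin CA root PEM; the file name, hostname and IP used below are placeholders). It then maps the failure type to the usual cause.

```python
import socket
import ssl


def probe_origin(hostname, origin_ip, port=443, cafile=None, strict=True, timeout=5.0):
    """Open a TLS connection to origin_ip:port with SNI set to hostname, the way
    the Cloudflare proxy does for Full (strict=False) and Full (strict)
    (strict=True). cafile should point at the Cloudflare Origin CA root PEM when
    the origin uses an Origin CA certificate (placeholder path in usage below)."""
    ctx = ssl.create_default_context(cafile=cafile)
    if not strict:
        # "Full" mode: encrypt but do not validate the origin certificate.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    result = {"hostname": hostname, "origin_ip": origin_ip, "port": port,
              "strict": strict, "ok": False, "error": None, "cert": None}
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                result["ok"] = True
                result["tls_version"] = tls.version()
                if strict:
                    # getpeercert() is only populated when the chain was verified.
                    result["cert"] = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:  # subclass of SSLError: keep it first
        result["error"] = ("SSLCertVerificationError", str(e))
    except ssl.SSLError as e:
        result["error"] = ("SSLError", str(e))
    except (ConnectionRefusedError, ConnectionResetError) as e:
        result["error"] = (type(e).__name__, str(e))
    except (socket.timeout, TimeoutError) as e:
        result["error"] = ("TimeoutError", str(e))
    except OSError as e:
        result["error"] = (type(e).__name__, str(e))
    return result


# Failure type -> (short code, what it usually means for a Cloudflare origin).
DIAGNOSES = {
    "ConnectionRefusedError": ("PORT_CLOSED",
        "nothing is listening on that port, or the firewall rejects it; Full and "
        "Full (strict) need HTTPS on 443 even though Flexible only needs port 80"),
    "ConnectionResetError": ("PORT_CLOSED",
        "the connection was reset during setup; check a host firewall or proxy in front of the web server"),
    "TimeoutError": ("FILTERED",
        "packets are silently dropped before reaching the web server; check host "
        "and provider firewalls for the Cloudflare ranges"),
    "SSLCertVerificationError": ("UNTRUSTED_CERT",
        "the certificate the origin presents is not signed by the supplied CA or "
        "does not cover this hostname; Full (strict) fails here, Full would pass"),
    "SSLError": ("HANDSHAKE_FAILED",
        "TLS handshake failed: the vhost may serve a different certificate for this "
        "SNI, the key may not match the certificate, or the port speaks plain HTTP"),
}


def diagnose(result):
    """Reduce a probe_origin() result to a (code, explanation) pair."""
    if result["ok"]:
        detail = "origin answers TLS on this port"
        if result["strict"]:
            detail += " and its certificate is trusted and matches the hostname"
        return ("OK", detail)
    kind, message = result["error"]
    return DIAGNOSES.get(kind, ("UNKNOWN", f"{kind}: {message}"))


if __name__ == "__main__":
    # Placeholders: replace with the real hostname, the origin's public IP and
    # the Cloudflare Origin CA root PEM downloaded from Cloudflare's documentation.
    r = probe_origin("www.example.com", "203.0.113.10", cafile="origin_ca_root.pem")
    code, why = diagnose(r)
    print(code, "-", why)
    if r["cert"]:
        print("issuer:", r["cert"].get("issuer"))
        print("SAN:", r["cert"].get("subjectAltName"))
```

Run it once with `strict=False` and once with `strict=True`: a `PORT_CLOSED` or `FILTERED` result in either run means the origin's port 443 is the problem, not the certificate, while `OK` in the first run and `UNTRUSTED_CERT` in the second points at the certificate or CA file. The `cert` dictionary's `subjectAltName` entry shows which names the installed certificate actually covers.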
