"TLS protocol error" when running a Health Check

I’ve set up “Full (strict)” TLS between my origin server and Cloudflare.

I’ve then set up a Health Check to do an HTTPS GET using the origin server’s IP address, and manually setting the Host header to the right hostname. (As far as I understand, I can’t use the DNS hostname, as that won’t point to the origin server.)

I found this article https://developers.cloudflare.com/health-checks/health-checks-analytics/#tls-protocol-error with the following details:

Cause

This error can occur if you are using an older version of TLS or your origin server is not configured for HTTPS.

Solution

Ensure that your origin server supports TLS 1.2 or greater and is configured for HTTPS.

I have confirmed that the server is set to use TLS 1.2, but I’m not sure why it’s returning “TLS protocol error”.

Welcome to the Cloudflare Community.

Have you disabled protocols lower than TLS 1.2?

You can always set the hostname to :grey: DNS Only while you test your origin server.

1 Like

Yes, we have.

Hi @sam_oz

This is what I see when I curl to your domain:

SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
} [5 bytes data]
GET / HTTP/1.1
Host: xxxxxxx
Accept: */*
User-Agent: xxxxxxx
Accept-Encoding: gzip
{ [5 bytes data]
* TLSv1.3 (IN), TLS alert, unknown (628):
{ [2 bytes data]
* error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required, errno 0
* Closing connection 0
curl: error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required, errno 0
error: exit status 56

1 Like

To confirm what you’re saying with that output, does it mean the certificate used for TLS connections is not signed by a trusted CA?

I get the following:

curl -v -s --tlsv1.1 https://xxx.xxx.xxx.xxx/

* Trying …
* TCP_NODELAY set
* Connected to xxx port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0

We are using the origin certificate supplied by Cloudflare, but it’s not signed by anything.

Ah, I’ve worked on it a bit more.

The line “tlsv13 alert certificate required” is indicating that the client certificate that Cloudflare uses to keep the “Full (strict)” TLS set up is not present.

It appears that I cannot use the “Full (strict)” mode and use a Health Check from Cloudflare?

No client certificate is required for Full (Strict). A server certificate issued by a publicly trusted CA or the Cloudflare Origin CA is the requirement.

It is signed by the Cloudflare Origin CA. Save the Cloudflare Origin CA root certificate locally and use curl with the --cacert option pointed to that file and it should clear that notice.

1 Like

It has been a while since I set all this up. It’s not the “Full (Strict)” that requires the client certificate, it’s the “Authenticated Origin Pulls”.

I hope I’m understanding this correctly, as that does require a client cert, that Cloudflare uses when it’s hitting the origin server.

I could still be looking in the wrong places, but I’m still not sure that the server is mis-configured to TLS, but obviously I’ve got something wrong as the Health Check is reporting the TLS Protocol Error.

OK, I’ve removed the requirement for a client certificate, essentially disabling the “Authenticated Origin Pulls” and the Health Check now works.

The next question is, can I set up a Health Check that works while “Authenticated Origin Pulls” is turned on?

Apparently there is a “Simulate Zone” option, but I can’t see it anywhere on the Health Check page, maybe it’s only available to higher level plans?
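Reproducing both symptoms from this thread on a single machine shows where each one comes from. The block below is an added example, not code from the thread, from Cloudflare or from curl. It assumes the `openssl` command-line tool is installed (used only to mint a constructed CA, an origin certificate and a client certificate in a temporary directory) and uses Python's standard `ssl` module to play both the origin server and the health-check client on localhost. The hostname `origin.example.test` and the functions `make_pki`, `server_context`, `attempt` and `run_demo` are all constructed here and are not Cloudflare names.

```python
"""Added example (not from the thread, Cloudflare or curl): reproduces the two handshake
failures discussed above with a throw-away PKI. Needs the `openssl` CLI on PATH."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

ORIGIN_NAME = "origin.example.test"  # constructed hostname, placed in the server cert's SAN


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def make_pki(work):
    """Mint a constructed root CA plus one server and one client certificate it signs
    (a single CA for both, for brevity; the real origin-pull client cert is Cloudflare's)."""
    def path(name):
        return os.path.join(work, name)
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256", "-days", "1",
             "-subj", "/CN=Constructed Origin CA", "-keyout", path("ca.key"), "-out", path("ca.pem"))
    with open(path("server.ext"), "w") as f:  # SAN so hostname verification has a match
        f.write(f"subjectAltName=DNS:{ORIGIN_NAME}\n")
    for name, cn, ext in (("server", ORIGIN_NAME, ["-extfile", path("server.ext")]),
                          ("client", "origin-pull.example.test", [])):
        _openssl("req", "-newkey", "rsa:2048", "-nodes", "-sha256", "-subj", f"/CN={cn}",
                 "-keyout", path(f"{name}.key"), "-out", path(f"{name}.csr"))
        _openssl("x509", "-req", "-in", path(f"{name}.csr"), "-days", "1", "-CAcreateserial",
                 "-CA", path("ca.pem"), "-CAkey", path("ca.key"), "-out", path(f"{name}.pem"), *ext)
    return path


def server_context(path, require_client_cert):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # the minimum the Cloudflare article asks for
    ctx.load_cert_chain(path("server.pem"), path("server.key"))
    if require_client_cert:  # what Authenticated Origin Pulls enforces on the origin
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=path("ca.pem"))
    return ctx


def attempt(server_ctx, client_ctx):
    """One TLS exchange over localhost; returns 'ok' or why the client side failed."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)

    def origin():
        conn, _ = lsock.accept()
        spare = conn.dup()  # keeps the TCP connection after the TLS layer closes its fd
        try:
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"origin: handshake complete\n")
        except OSError:  # handshake rejected by either side; the alert is already on the wire
            spare.settimeout(2)  # let the client hang up first, so our close is a FIN, not a RST
            try:
                while spare.recv(4096):
                    pass
            except OSError:
                pass
        finally:
            spare.close()

    t = threading.Thread(target=origin, daemon=True)
    t.start()
    try:
        with socket.create_connection(lsock.getsockname(), timeout=5) as raw:
            with client_ctx.wrap_socket(raw, server_hostname=ORIGIN_NAME) as tls:
                return "ok" if tls.recv(64).startswith(b"origin:") else "unexpected reply"
    except ssl.SSLCertVerificationError as e:  # client rejected the server certificate
        return f"verify failed: {e.verify_message}"
    except ssl.SSLError as e:  # server rejected the client with a TLS alert
        return f"alert: {e.reason}"
    except OSError as e:
        return f"connection error: {e}"
    finally:
        t.join(5)
        lsock.close()


def run_demo():
    with tempfile.TemporaryDirectory(prefix="origin-pki-") as work:
        path = make_pki(work)
        origin, origin_aop = server_context(path, False), server_context(path, True)
        system_trust = ssl.create_default_context()  # OS trust store only
        ca_trust = ssl.create_default_context(cafile=path("ca.pem"))  # like curl --cacert
        ca_trust_with_cert = ssl.create_default_context(cafile=path("ca.pem"))
        ca_trust_with_cert.load_cert_chain(path("client.pem"), path("client.key"))
        return {
            "system_trust_only": attempt(origin, system_trust),
            "with_ca_file": attempt(origin, ca_trust),
            "aop_without_client_cert": attempt(origin_aop, ca_trust),
            "aop_with_client_cert": attempt(origin_aop, ca_trust_with_cert),
        }
```

`run_demo()` returns four outcomes. Against an origin whose certificate chains to a CA the client does not have, the client reports `unable to get local issuer certificate`, the same notice curl printed above and the one `--cacert` with the CA root clears. Against the same origin with the client-certificate requirement switched on, a client that presents no certificate is cut off with the `certificate required` alert from the first curl output, while a client that loads a certificate signed by the CA the origin trusts gets through. The `minimum_version` line is the TLS 1.2 floor quoted from the Cloudflare article at the top of the thread.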

Was your origin server configured to only permit authenticated origin pulls or was only the Cloudflare side ever configured?

Yes, it was configured for authenticated origin pulls.

Once I removed the config on the server, the Health Check worked. I’ve since turned it back on.

Apparently Health Checks can still work, but there is a “Simulate Zone” setting I need to configure on the Cloudflare side which I can’t see.

1 Like

Are you performing Standalone Health Checks or health checks related to load balancing? I only see mention of “Simulate Zone” in the documentation for the load balancer checks.

Have you opened a support request yet?

It’s a standalone Health Check.

I did start a support ticket, but the initial response was to check KBA and the community etc.

I’ll follow up on the support ticket at this stage.

If you share the ticket number here we can get it connected with the work you have done in this topic.

1 Like

Thanks.

The case number is 2866669.

Regards,

Sam


If you share the ticket number here we can get it connected with the work you have done in this topic.

2 Likes

Thanks for sharing the ticket number.

I escalated this post for the attention of the Customer Support Team so they can get back to you here. I shared your ticket number here so that they can track it.

If you could please see the ticket. I have requested some info and testing to be done within the ticket. Thank you for your patience. We appreciate it.

1 Like

Just in case anyone else finds this post, I raised a support ticket and the result was:

Health Checks (not linked to load balancing) do not support Authenticated Origin Pulls at this stage. They are working on this, but no ETA.

1 Like
