Tunnel keeps giving Bad Gateway when using TLS Verification

I’ve come across numerous posts about this issue, but despite extensive trial and error, I just can’t get it to work. Here’s some context:

  • My Cloudflare tunnel is active and running.
  • I’m using my domain, spiqdev.com, which is registered with Cloudflare.
  • I’ve set up two public hostnames initially, one for the API (api.spiqdev.com) and one for my identity backend (login.spiqdev.com).
  • These hostnames point to the services at https://localhost:5000 and https://localhost:5001.
  • My localhost uses a valid self-signed certificate from IIS Express Development.

When I run my projects on these ports and try to access them through my tunnel URL, I initially received a ‘Bad Gateway’ message. After enabling ‘No TLS Verify’ for both, everything worked fine. However, my Identity project requires TLS verification to function properly.

I’ve tried several things to get my tunnels working with TLS verification enabled, but unfortunately, none have been successful:

  • I’ve set the origin server name to spiqdev.com, and also tried login.spiqdev.com and *.spiqdev.com.
  • I’ve added my localhost certificate to my Trusted Root Certification Authority in my Computer Certificates.
  • I’ve created an ‘Origin CA certificate’ following this guide: [Origin CA certificates · Cloudflare SSL/TLS docs] and pointed the ‘Certificate Authority Pool’ to it like this: C:\certificates\spiqdevcertificate.crt.
  • I’ve exported my spiqdev.com certificate directly and installed it in my Trusted Root certificate store.
  • I’ve tried running both applications on HTTP and also changed my tunnels so the services are pointed to http://localhost instead of https.

Probably there’s an obvious solution that I’m missing. Any tips or pointers would be greatly appreciated.

You go into the hostname, Additional application settings, TLS, and click on No TLS Verify. This disables hostname checking between your server and Cloudflare, not encryption.

Other than that, set up a port 80 host and get yourself a Let’s Encrypt certificate for free; AFAIK you can’t use self-signed certs.
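As an added example (not from the thread or from Cloudflare’s own documentation), here is a cloudflared config.yml that puts the ‘No TLS Verify’ setting the reply describes next to the verified alternative the question was attempting with a CA pool. The tunnel ID, credentials path, CA file path and the assumption that the IIS Express certificate is issued to localhost are mine; the hostnames and ports are the ones from the question.

```yaml
# cloudflared config.yml (added example; placeholders marked as such)
tunnel: <TUNNEL-UUID>                                  # placeholder, not from the thread
credentials-file: C:\cloudflared\<TUNNEL-UUID>.json    # assumed path

ingress:
  # Weak setting: the tunnel works, but cloudflared accepts whatever
  # certificate answers on localhost:5000, so a wrong or swapped
  # certificate on the origin is never detected.
  - hostname: api.spiqdev.com
    service: https://localhost:5000
    originRequest:
      noTLSVerify: true

  # Verified setting: cloudflared validates the origin certificate
  # against the PEM CA in caPool and checks that originServerName is
  # a name present in that certificate. Assumption: the IIS Express
  # development certificate is issued to "localhost", so that is the
  # name to expect, not spiqdev.com or login.spiqdev.com.
  - hostname: login.spiqdev.com
    service: https://localhost:5001
    originRequest:
      noTLSVerify: false
      originServerName: localhost                  # assumed SAN of the origin cert
      caPool: C:\certificates\origin-ca.pem        # assumed path, PEM-encoded

  # cloudflared requires a final catch-all rule.
  - service: http_status:404
```

caPool must be the PEM-encoded CA that actually signed the origin certificate (for a self-signed certificate, that certificate itself); a certificate issued for the origin to present to Cloudflare’s edge does not serve that purpose.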