Using Cloudflare Origin Certificates on CDN - Intermediate Certificate Missing


#1

I’m attempting to use my Cloudflare Origin Certificate on MaxCDN. I’ve added the key, domain certificate and root certificate but receive NET::ERR_CERT_AUTHORITY_INVALID when testing.

According to this thread the proper structure I need for the CA bundle is:-

-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----

However it isn’t clear to me what intermediate certificate I should be using or where I should get it from, or if the origin certificate is appropriate for this use.


#3

Yes, that is the contents of the first link in the above post, and no matter what order that is added it does not work and requests the intermediate certificate.


#5

Browse to cdn.londonpropertymatch.com


#6

In this case it should be sufficient to take the first certificate from that link.


#7

It should be, but that doesn’t work. Nor does adding the root CA because there is no intermediate CA.

It’s not like I haven’t tried various permutations.


#8

Looks like it works now, at least in my browser Chrome 70.

It does throw a CERT_AUTHORITY_INVALID error, and that’s because the Origin certificates are not trusted by any browsers. Cloudflare origin certificates are only designed for communication between Cloudflare -> origin, and won’t work if the DNS entry is :grey: (not proxied). For the origin certificate to work, either turn on CF proxy (:orange:) or use a third-party SSL issuer like LetsEncrypt to get a trusted certificate.
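
Why reordering the bundle or appending the root cannot fix this, as an added example that is not part of any post in this thread: it builds a constructed private CA (a stand-in for an origin CA; every name and file here is hypothetical) and uses `openssl verify` to show that the leaf is accepted only by a client whose trust store already holds that root. It assumes the `openssl` command-line tool is installed.

```shell
# Constructed demo PKI: "Demo Origin CA" stands in for a private origin CA,
# "Demo Public Root" for a root that browsers already ship. All names are made up.
D=$(mktemp -d); trap 'rm -rf "$D"' EXIT

new_root() {   # new_root <name> <CN>: self-signed root certificate and key
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$D/$1.key" -out "$D/$1.pem" 2>/dev/null
}

new_leaf() {   # new_leaf <name> <issuing root> <CN>: leaf signed by that root
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null
  openssl x509 -req -in "$D/$1.csr" -CA "$D/$2.pem" -CAkey "$D/$2.key" \
    -CAcreateserial -days 2 -out "$D/$1.pem" 2>/dev/null
}

# trusted_by <trust store> <leaf> [cert sent alongside the leaf]
# Succeeds only if the leaf chains to a root that is in the client's store.
# Whatever the server sends is passed as -untrusted: it can help build a
# path, but it never becomes a trust anchor.
trusted_by() {
  store=$1; leaf=$2; sent=${3:-}
  openssl verify -CAfile "$D/$store.pem" ${sent:+-untrusted "$D/$sent.pem"} \
    "$D/$leaf.pem" 2>/dev/null | grep -q ': OK$'
}

new_root origin_ca   "Demo Origin CA"
new_root public_root "Demo Public Root"
new_leaf leaf origin_ca "cdn.example.test"

check() { if trusted_by "$@"; then echo "trusted"; else echo "NOT trusted"; fi; }
echo "browser-style store, leaf only:          $(check public_root leaf)"
echo "browser-style store, leaf + origin root: $(check public_root leaf origin_ca)"
echo "client that trusts the origin CA:        $(check origin_ca leaf)"
```

Only the last check reports `trusted`: the outcome depends on what the client's store contains, not on the order or contents of the bundle the server presents.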


#10

Yes - you should be able to see both the certificates in place and the order in your browser (in Chrome, click the NET::ERR_CERT_AUTHORITY_INVALID error message).


#11

Thanks - not appropriate for this use then. Pity.