Zero trust proxy shows secure connection errors even with CA certificate installed

Related to

WARP

What is the issue you’re encountering

I am trying to set up Cloudflare Zero Trust for both DNS and HTTP filtering on Android and Windows devices. DNS is working fine, but I am having issues with HTTP filtering. When I enable Proxy and TLS decryption in network settings, various browsers start giving “Secure Connection Failed” warnings even though I have the CA certificates installed on those devices. My end goal, for example, is doing something along the lines of blocking all of the reddit website, excluding a few allowlisted subreddits.

Hi Entrained,
“Secure Connection Failed” warnings typically happen when the CA certificate is not properly trusted by the browser or system, or if the Proxy settings are causing issues with HTTPS traffic.

This could be because of improper installation or trust of the Cloudflare CA certificate on the devices, especially on browsers that may not fully trust the certificate; Browser-specific trust issues, where browsers may require specific manual configuration to trust locally installed CA certificates; Proxy configuration issues in the Cloudflare Zero Trust dashboard, such as incorrect handling of encrypted traffic or SSL/TLS handshake problems.

I would first suggest ensuring that the Cloudflare CA certificate is correctly installed and trusted on both the system and browsers. On Android, you can check under Trusted Credentials, and on Windows, check the Trusted Root Certification Authorities store. If you’re using Firefox, go to Settings > Privacy & Security > Certificates and ensure it’s set to use the OS certificate store if you want it to use the system’s certificate.

You can check as well that your HTTP Proxy settings are correctly configured. Keep in mind that you need to ensure that both HTTP and HTTPS traffic is routed through Cloudflare, and TLS decryption is properly enabled to intercept the encrypted traffic.

Double-check that TLS decryption is enabled under Network Settings in your Zero Trust dashboard. If this setting is misconfigured, browsers may block connections due to failed handshakes.

Make sure to update the HTTP filtering policies to allow the desired subreddits while blocking the rest of Reddit. To do this you can create a Custom HTTP policy in Cloudflare’s Zero Trust dashboard, using a combination of Allow and Block rules.

If the above steps don’t resolve the issue, some browsers may still require manual certificate installation. Chrome and Edge use the system’s certificate store by default, so ensure the CA certificate is installed at the system level. For Firefox you have to manually import the CA certificate if it doesn’t trust the system store.

After all of this make sure to clear the DNS cache on both Android and Windows devices. Also, clear the browser cache to ensure old certificate or proxy settings aren’t being reused.

I hope this solved the issue!
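The reply above lists three possible causes (CA not trusted, traffic not actually going through the proxy, TLS decryption misconfigured) but not a way to tell them apart. The following is an added diagnostic script, not code from the thread or from Cloudflare: run from a Windows or Linux desktop behind the same WARP client, it performs two handshakes to the same host, one against the OS trust store and one against a CA file containing only the proxy's root, and classifies the outcome. `Cloudflare_CA.pem` is a placeholder path for the root certificate exported from the Zero Trust dashboard; the host defaults to `www.reddit.com` because that is the site the question is about. Only the Python standard library is used.

```python
"""Diagnose why HTTPS fails behind a TLS-decrypting proxy.

Added example (not from the forum thread). Two handshakes to one host:
  1. against the OS trust store (what Chrome/Edge consult on Windows),
  2. against a file holding only the proxy's root CA (placeholder path).
Comparing the two separates "the proxy is not intercepting" from
"the proxy intercepts but the device does not trust its CA".
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class HandshakeResult:
    ok: bool                      # handshake completed and chain verified
    error: Optional[str] = None   # short error text when ok is False
    issuer: Optional[str] = None  # issuer of the leaf certificate, if obtained


def parse_issuer(cert: dict) -> Optional[str]:
    """Extract an organizationName (or commonName) from ssl.getpeercert() output."""
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return issuer.get("organizationName") or issuer.get("commonName")


def handshake(host: str, port: int = 443, cafile: Optional[str] = None,
              timeout: float = 5.0) -> HandshakeResult:
    """One TLS handshake; cafile=None means the system store, else only that CA."""
    try:
        if cafile is None:
            ctx = ssl.create_default_context()
        else:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.verify_mode = ssl.CERT_REQUIRED
            ctx.check_hostname = True
            ctx.load_verify_locations(cafile=cafile)  # raises OSError if missing
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        # This is the condition browsers surface as "Secure Connection Failed".
        return HandshakeResult(False, error=f"verify failed: {e.verify_message}")
    except (ssl.SSLError, OSError) as e:
        return HandshakeResult(False, error=f"handshake failed: {e}")
    return HandshakeResult(True, issuer=parse_issuer(cert))


EXPLANATIONS = {
    "INTERCEPTED_TRUSTED": "proxy CA signed the chain and the OS store trusts it",
    "NOT_INTERCEPTED": "chain is from a public CA; traffic is not passing through the proxy",
    "INTERCEPTED_UNTRUSTED": "chain ends at the proxy CA but the OS store does not trust it; install/trust the CA",
    "HANDSHAKE_FAILURE": "neither store verified the chain; wrong CA file, proxy misconfiguration or non-TLS error",
}


def diagnose(system: HandshakeResult, proxy_ca: HandshakeResult) -> str:
    """Map the pair of results to one of the EXPLANATIONS keys."""
    if system.ok and proxy_ca.ok:
        return "INTERCEPTED_TRUSTED"
    if system.ok:
        return "NOT_INTERCEPTED"
    if proxy_ca.ok:
        return "INTERCEPTED_UNTRUSTED"
    return "HANDSHAKE_FAILURE"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.reddit.com"
    ca = sys.argv[2] if len(sys.argv) > 2 else "Cloudflare_CA.pem"  # placeholder
    sys_res = handshake(host)
    ca_res = handshake(host, cafile=ca)
    code = diagnose(sys_res, ca_res)
    print(f"{host}: {code} - {EXPLANATIONS[code]}")
    print("  system store :", sys_res)
    print("  proxy CA file:", ca_res)
```

Usage: `python diag.py www.reddit.com Cloudflare_CA.pem`. Note that it only consults the OS store, so a Firefox profile that ignores the system store can still fail even when this reports `INTERCEPTED_TRUSTED`; that case is the manual Firefox import the reply describes.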