Reputation: 12574
I have configured my nginx to use the certificate and private key that I downloaded from Cloudflare Crypto.
This is my nginx.conf file:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name autocaptions.app *.autocaptions.app;

    location / {
        proxy_pass http://127.0.0.1:7887;
    }

    ssl on;
    ssl_certificate /home/ubuntu/sslcerts/autocaptions.pem;
    ssl_certificate_key /home/ubuntu/sslcerts/private-key.pem;
    # ssl_client_certificate /home/ubuntu/sslcerts/cloudflare.crt;
    # ssl_verify_client on;
}

# Redirect http to https
server {
    listen 80;
    listen [::]:80;
    return 301 https://$host$request_uri;
}
I am not sure what the issue is. I have added the certificate and the private key.
I see the following error in the browser when I try to access https://autocaptions.app:
Error in text:
autocaptions.app has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.
In the Cloudflare configuration, I have disabled HSTS; not sure why this error is showing up.
I have followed the DigitalOcean tutorial to configure SSL.
Upvotes: 0
Views: 1926
Reputation: 459
TL;DR @SteffenUllrich is absolutely correct and should be the accepted answer.
This is your current setup. You are gray-clouding the DNS record, essentially exposing your origin server's IP address to the whole world. The first problem here is that it is similar to posting your home's address on Twitter/Facebook, saying the front door is unlocked so feel free to come in and take what you want!

                     Cloudflare Origin CA Certificate
                                  |
client <---------------------HTTPS-----------------> your origin (AWS)
The second problem here is that the Cloudflare Origin CA Certificate is not meant to be used for the client-server connection. Its purpose is to encrypt the connection between the Cloudflare edge and your origin only. You can think of it as a self-signed certificate. This is the reason for the error you're seeing.
One very simple solution is to replace this origin certificate with another free or paid SSL certificate such as Let's Encrypt/Certbot. If you decide to go this way, you can skip the rest of the explanation below if you want.
If you wish to keep using Cloudflare Origin CA Certificate however, keep on reading.
The next step is to proxy your connection through Cloudflare by orange-clouding the DNS record. The connection between the client and the Cloudflare edge will be encrypted using Cloudflare's free (shared) Universal SSL Certificate. It will partially solve the problem, but only half of the client-server connection is encrypted, because you are using Flexible mode. The connection between the Cloudflare edge and your origin will not be encrypted.

   Universal SSL Certificate
              |
client <---HTTPS---> Cloudflare edge <----HTTP----> your origin (AWS)

The final step is to change the SSL mode from Flexible to Full or Full (Strict). Now you will get end-to-end encryption.

   Universal SSL Certificate         Cloudflare Origin CA Certificate
              |                                    |
client <---HTTPS---> Cloudflare edge <----HTTPS----> your origin (AWS)
Any questions?
Upvotes: 2
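As an added example (not code from any of the answers or from Cloudflare), this is what the origin-side nginx server block looks like once the record is orange-clouded and the SSL mode is set to Full (Strict) in the Cloudflare dashboard. It keeps the Origin CA certificate from the question and turns on the two commented-out lines, which assumes that /home/ubuntu/sslcerts/cloudflare.crt is the Cloudflare origin-pull CA certificate used for Authenticated Origin Pulls; with that in place, only Cloudflare's edge can complete a TLS handshake with the origin, which addresses the exposed-origin problem in the first diagram.

```nginx
# Origin-side nginx for Cloudflare Full (Strict) mode (added example).
# Assumptions, not stated on the page:
#   - autocaptions.app is orange-clouded, so browsers reach the Cloudflare
#     edge and never this host directly.
#   - /home/ubuntu/sslcerts/cloudflare.crt is Cloudflare's origin-pull CA
#     certificate, and "Authenticated Origin Pulls" is enabled in the
#     dashboard. If it is not, the edge presents no client certificate and
#     nginx answers every request with 400.

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name autocaptions.app *.autocaptions.app;

    # Cloudflare Origin CA certificate: trusted by Cloudflare's edge, not by
    # browsers. That is exactly why a direct browser visit to the origin fails.
    ssl_certificate     /home/ubuntu/sslcerts/autocaptions.pem;
    ssl_certificate_key /home/ubuntu/sslcerts/private-key.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Authenticated Origin Pulls: require a client certificate issued by
    # Cloudflare's origin-pull CA. Anyone who finds the origin IP and connects
    # directly is rejected at the TLS layer instead of reaching the app.
    ssl_client_certificate /home/ubuntu/sslcerts/cloudflare.crt;
    ssl_verify_client      on;

    location / {
        proxy_pass http://127.0.0.1:7887;
        proxy_set_header Host $host;
        # Cloudflare carries the real visitor address in CF-Connecting-IP;
        # pass it on so the app does not log the edge's address instead.
        proxy_set_header X-Real-IP         $http_cf_connecting_ip;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Plain HTTP: redirect to HTTPS (Cloudflare's "Always Use HTTPS" can do the
# same at the edge, but keeping it here covers any direct request).
server {
    listen 80;
    listen [::]:80;
    server_name autocaptions.app *.autocaptions.app;
    return 301 https://$host$request_uri;
}
```

Check the handshake from the origin host itself with `nginx -t` after editing and `openssl s_client -connect 127.0.0.1:443 -servername autocaptions.app`; without a Cloudflare-issued client certificate the session should be rejected, which is the intended behaviour.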
Reputation: 123260
You are using a certificate signed by the "Cloudflare Origin CA". Certificates issued by this CA are intended to be installed on your origin server so that the communication between the Cloudflare CDN and your origin server can be protected by a certificate.
These kinds of certificates are not intended for systems facing end users (i.e. browsers). They are only intended to secure the communication between your origin server and Cloudflare. Typical end users will not have the "Cloudflare Origin CA" as a trusted CA in their browser and thus they will get a TLS error when connecting to your origin server, and this is what you get. But typical end users should not connect to the origin server in the first place; they should connect to the Cloudflare instance instead. Only Cloudflare itself should connect to the origin server, and it will acknowledge its own CA as trusted.
Upvotes: 2
Reputation: 611
Check your site's SSL setting under the Crypto tab. Change it to 'Full' or 'Flexible' if it's on 'Full (Strict)'.
Upvotes: 2