Can we provide Cloudflared a truststore for certificates ?

Hello everyone,

During initial connection to Cloudflare, I have the following error that I suspect to be a CA missing to the client to ensure its connectivity.
How can I feed it with a CAFolder to trust ? eg:

/usr/local/share/ca-certificates on Linux

/usr/local/share/ca-certificates on Linux

/usr/local/share/ca-certificates on Linux

/usr/local/share/ca-certificates on Linux

Unable to establish TLS connection with server (Certificate verify failed: unable to get local issuer certificate). Trying to establish TLS with client anyway. If you plan to redirect requests away from this server, consider setting `connection_strategy` to `lazy` to suppress early connections.

Unable to establish TLS connection with server (Certificate verify failed: unable to get local issuer certificate). Trying to establish TLS with client anyway. If you plan to redirect requests away from this server, consider setting `connection_strategy` to `lazy` to suppress early connections.

Unable to establish TLS connection with server (Certificate verify failed: unable to get local issuer certificate). Trying to establish TLS with client anyway. If you plan to redirect requests away from this server, consider setting `connection_strategy` to `lazy` to suppress early connections.

Unable to establish TLS connection with server (Certificate verify failed: unable to get local issuer certificate). Trying to establish TLS with client anyway. If you plan to redirect requests away from this server, consider setting `connection_strategy` to `lazy` to suppress early connections.

Many thanks

KKilltran Hello everyone, During initial connection to Cloudflare, I have the following e...

Chaika•3/23/24, 9:57 PM

You can provide it a CA Pool for Origin Connections: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/origin-configuration/#capool

But it sounds like you're saying you have a MITM in the middle of it/the local system is weird? They don't seem to have anything in specific that overrides it: https://github.com/cloudflare/cloudflared/blob/bb29a0e19437c3baa6a6e64f44b5de769206ed18/cmd/cloudflared/tunnel/configuration.go#L189, should just be whatever Go does/how it gets certs

GitHub

cloudflared/cmd/cloudflared/tunnel/configuration.go at bb29a0e19437...

Cloudflare Tunnel client (formerly Argo Tunnel). Contribute to cloudflare/cloudflared development by creating an account on GitHub.

Cloudflare Docs

Origin configuration · Cloudflare Zero Trust docs

Origin configuration parameters determine how cloudflared proxies traffic to your origin server. You can configure these settings in the dashboard for …

KilltranOP•3/27/24, 2:48 PM

Hi @Chaika and thanks for replying :). I hope you're doing fine.
The issue is not with the origin servers, the Cloudflared is actually not even connected yet and the tunnel is not yet established.

Yes I setup a MITM in the middle because I need to replicate a corporate environment for testing where we need to get out the internal network via proxy - MITM is doing the job very good (I have also tried with Apache HTTPd)

I suspect the issue to be with my MITM Proxy isn't trusting the Cloudflare Servers for some reason, setting it in an "insecure" mode where it wouldn't verify the certs gets the connection establish pretty well.

KilltranOP•3/27/24, 2:48 PM

I am still investigating to figure out a proper way to deal with this and may be post something accordingly

Erisa•3/27/24, 8:49 PM

This definitely sounds like an issue with your client and not something specific to Cloudflare setup. The CAs that Cloudflare uses are listed here: https://developers.cloudflare.com/ssl/reference/certificate-authorities/

KilltranOP•3/28/24, 1:11 PM

Many thanks @Erisa | Support Engineer , I'll get those and give it a try to see how that goes.
Do you know by any chance if the native support of proxies is planned someday ?

Can we provide Cloudflared a truststore for certificates ?

Similar Threads

Similar Threads

Similar Threads