SSL and Cloudflare


#1

Hi there.

As I found out, the ssl_error_internal_error_alert error I got is just because I am using Cloudflare between my Server/Web-Sites and Internet.

$ openssl s_client -connect www.bd78.de:443
CONNECTED(00000003)
25774:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:607:

$ openssl s_client -connect bd78.de:443
CONNECTED(00000003)
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/CN=bd78.de
  i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
  i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE9TCCA92gAwIBAgISATbnTZxLyfPhphLL1D2oEOt2MA0GCSqGSIb3DQEBCwUA

From the Outside:

$ host www.eisbaer-blog.de
www.eisbaer-blog.de is an alias for www.eisbaer-blog.de.cdn.cloudflare.net.
www.eisbaer-blog.de.cdn.cloudflare.net has address 104.24.127.88
www.eisbaer-blog.de.cdn.cloudflare.net has address 104.24.126.88
www.eisbaer-blog.de.cdn.cloudflare.net has IPv6 address 2400:cb00:2048:1::6818:7e58
www.eisbaer-blog.de.cdn.cloudflare.net has IPv6 address 2400:cb00:2048:1::6818:7f58

on my server:

$ host eisbaer-blog.de
eisbaer-blog.de has address 92.51.135.16
eisbaer-blog.de has IPv6 address 2a01:488:66:1000:53a9:12a6:0:1
eisbaer-blog.de mail is handled by 10 mail.eisbaer-blog.de.

a certificate is delivered:

$ openssl s_client -connect eisbaer-blog.de:443
CONNECTED(00000003)
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/CN=bd78.de
  i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
  i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE9TCCA92gAwIBAgISATbnTZxLyfPhphLL1D2oEOt2MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTAeFw0xNTExMDUyMDUzMDBaFw0x

Any ideas how to solve it except deactivating Cloudflare?
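A small classifier for `openssl s_client` transcripts like the three above, added here as an example (it is not part of the thread and not Cloudflare's or Let's Encrypt's tooling). The sample transcripts inside it are constructed copies of the output in this post, and the function names are assumptions of mine. It separates the two failure modes visible above: a handshake that ends in a TLS alert before any certificate is seen, and a handshake that completes but returns a leaf whose subject CN is not the name that was requested (the `eisbaer-blog.de` probe on the server returned the `bd78.de` certificate). With the OpenSSL 1.0.x `s_client` that produced these lines, SNI is only sent when `-servername` is given, and a front end that serves SNI-only certificates answers a handshake without SNI with an alert, so that flag is the first thing to add to the probe. The `verify error:num=20` line says `s_client` could not find the issuer in its local trust store (`-CAfile` fixes that on the client side), so the classifier reports it separately from what the server sent.

```python
"""Classify `openssl s_client` output for a TLS-fronted host.

Added example, not part of the forum thread. The sample transcripts below are
constructed copies of the thread's own output; the function names are assumed.
"""
import re

# Constructed sample 1: the handshake is rejected before any certificate is seen.
SAMPLE_ALERT = (
    "CONNECTED(00000003)\n"
    "25774:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:"
    "tlsv1 alert internal error:s23_clnt.c:607:\n"
)

# Constructed sample 2: the handshake completes and a Let's Encrypt chain comes back.
SAMPLE_CHAIN = """\
CONNECTED(00000003)
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=bd78.de
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE9TCCA92gAwIBAgISATbnTZxLyfPhphLL1D2oEOt2MA0GCSqGSIb3DQEBCwUA
-----END CERTIFICATE-----
"""

# OpenSSL 1.0.x error format: "<pid>:error:<code>:SSL routines:<function>:<reason>:<file>:<line>:"
ERROR_RE = re.compile(r"^\d+:error:[0-9A-Fa-f]+:SSL routines:[^:]*:([^:]+):")
SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:/CN=bd78.de"
ISSUER_RE = re.compile(r"^\s*i:(.*)$")            # "   i:/C=US/O=..."
VERIFY_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
CN_RE = re.compile(r"/CN=([^/]+)")


def hostname_matches(pattern: str, host: str) -> bool:
    """DNS-name match the way browsers do it (RFC 6125): case-insensitive, and a
    wildcard is only allowed as the whole left-most label, matching exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host


def diagnose(host: str, transcript: str) -> dict:
    """Return what the transcript shows for a probe of `host`:
    a handshake alert (if any), the leaf subject CN and issuer, the client-side
    verify errors, and whether the leaf CN matches the requested host."""
    result = {
        "handshake_alert": None,
        "leaf_cn": None,
        "leaf_issuer": None,
        "verify_errors": [],
        "name_matches": None,
    }
    lines = transcript.splitlines()
    for idx, line in enumerate(lines):
        m = ERROR_RE.match(line)
        if m:
            result["handshake_alert"] = m.group(1).strip()
            continue
        m = VERIFY_RE.match(line)
        if m:
            result["verify_errors"].append((int(m.group(1)), m.group(2).strip()))
            continue
        m = SUBJECT_RE.match(line)
        if m and m.group(1) == "0":  # depth 0 is the leaf (server) certificate
            cn = CN_RE.search(m.group(2))
            result["leaf_cn"] = cn.group(1) if cn else None
            if idx + 1 < len(lines):
                im = ISSUER_RE.match(lines[idx + 1])
                if im:
                    result["leaf_issuer"] = im.group(1).strip()
    if result["leaf_cn"] is not None:
        result["name_matches"] = hostname_matches(result["leaf_cn"], host)
    return result


if __name__ == "__main__":
    for probe_host, sample in (("www.bd78.de", SAMPLE_ALERT),
                               ("bd78.de", SAMPLE_CHAIN),
                               ("eisbaer-blog.de", SAMPLE_CHAIN)):
        print(probe_host, diagnose(probe_host, sample))
```

To use it on a live host, capture `openssl s_client -connect host:443 -servername host </dev/null 2>&1` and pass the text to `diagnose(host, text)`. The subject CN is only a hint: browsers check the SAN list, which `-showcerts` followed by `openssl x509 -noout -text` prints, so a CN mismatch reported here should be confirmed against the SANs before treating it as the problem.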


#2

well cloudflare is essentially doing MITM, it reads the data and therefore can respond with cached content, good is that they already offer SSL even though the trust is a bit complicated coz CF knows everything.

therefore CF has only 2 options.
a) they get your private key and cert (available on higher plans)
b) they intercept the connection with their own key and cert and decrypt it for themselves and then they encrypt it to get back to your server.


#3

Cloudflare has several different methods for using SSL. Some are worse than others, but generally it is not recommended to use Cloudflare for HTTPS. More information and an explanation of Cloudflare's modes:
https://scotthelme.co.uk/cloudflares-great-new-features-and-why-i-wont-use-them/ @ScottHelme


#4

If you use manual mode, it will ask you to provision a certain file on your server. You should be able to do that and complete the challenge and issuance process even behind Cloudflare.
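A self-check for the manual-mode step described above, added as an example (not from the thread and not any ACME client's code). Under RFC 8555 the HTTP-01 file the CA fetches at `/.well-known/acme-challenge/<token>` must contain `<token>.<thumbprint>`, where the thumbprint is the RFC 7638 SHA-256 JWK thumbprint of the ACME account key. Before asking the CA to validate, it is worth fetching that URL through the public hostname, which behind Cloudflare means through Cloudflare, and comparing what comes back with the expected value; that is what this script does. The account key, token and served bodies are constructed values, and `check_served_challenge` and the other function names are assumptions of mine.

```python
"""Check an HTTP-01 challenge file as served through the public hostname.

Added example: the functions and sample values are constructed for this
demonstration, not taken from the thread or from any ACME client.
"""
import base64
import hashlib
import json
import re
import urllib.request
from typing import Tuple

# Constructed ACME account public key in JWK form. The modulus is a placeholder
# string, not a real RSA key; the thumbprint only needs the JWK members as text.
ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "placeholder-modulus-not-a-real-key",
    "e": "AQAB",
    "alg": "RS256",  # optional member: RFC 7638 excludes it from the thumbprint
}
TOKEN = "constructed-token-9z_X"  # constructed challenge token
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # RFC 8555 tokens are base64url


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE and ACME use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, keys in
    lexicographic order, no whitespace. Extra members such as alg or kid are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact value the challenge file must contain."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def check_served_challenge(served_body: bytes, token: str,
                           account_jwk: dict) -> Tuple[bool, str]:
    """Compare what the hostname actually serves with the expected key authorization."""
    if not TOKEN_RE.match(token):
        return False, "token is not base64url"
    expected = key_authorization(token, account_jwk)
    # CAs tolerate trailing whitespace (RFC 8555 section 8.3), so strip it here as well.
    body = served_body.decode("ascii", errors="replace").rstrip()
    if body == expected:
        return True, "key authorization matches"
    if body.lstrip().startswith("<"):
        return False, ("HTML body returned: a proxy, redirect target or error page "
                       "answered instead of the file")
    if "." in body and body.split(".", 1)[0] == token:
        return False, ("token matches but thumbprint differs: file was built "
                       "with a different account key")
    return False, "served content does not match the expected key authorization"


def fetch_challenge(host: str, token: str, timeout: float = 10.0) -> bytes:
    """Fetch over plain HTTP on port 80, the way the CA does; redirects are followed."""
    url = f"http://{host}/.well-known/acme-challenge/{token}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    import sys
    print("expected file content:", key_authorization(TOKEN, ACCOUNT_JWK))
    if len(sys.argv) == 3:  # usage: python check_http01.py <host> <token>
        served = fetch_challenge(sys.argv[1], sys.argv[2])
        print(check_served_challenge(served, sys.argv[2], ACCOUNT_JWK))
```

Replace `ACCOUNT_JWK` with the public half of the real account key (the JWK your client registered) when using this against a live hostname; the reason strings are there so that a cached or proxied error page is told apart from a file written with the wrong account key.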