So...
I have a node application running on a server on port 8080 and I am trying to enable it to work over SSL using NGINX and CloudFlare. Note the following...
- My host is running Ubuntu 16.04 LTS
- I am currently using CloudFlare's Universal SSL (free tier)
- I have my test host DNS setup as test.company.com
- I have copied the CloudFlare origin pull cert from this post to my test box's /etc/nginx/certs
...my previous NGINX configuration looked like...

    server {
        listen 80;
        location / {
            proxy_pass http://localhost:8080;
        }
    }
...it now looks like...

    # HTTP
    server {
        listen 80;
        listen [::]:80 default_server ipv6only=on;
        return 301 https://$host$request_uri;
    }

    # HTTPS
    server {
        listen 443;
        server_name test.company.com;
        ssl on;
        ssl_client_certificate /etc/nginx/certs/cloudflare.crt;
        ssl_verify_client on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-NginX-Proxy true;
            proxy_pass http://localhost:8080/;
            proxy_ssl_session_reuse off;
            proxy_set_header Host $http_host;
            proxy_cache_bypass $http_upgrade;
            proxy_redirect off;
        }
    }
...I followed the example here and the link it provides here, and I'm skeptical that everything above is required (I'm a minimalist). Whenever I run sudo nginx -t I still get errors around ssl_certificate and ssl_certificate_key not being specified. I cannot figure out how to download the required files from CloudFlare and, from what I understand, I don't believe I should need to.

If I try to re-use the CloudFlare origin pull cert as both the ssl_certificate and ssl_certificate_key, I get the error:

    nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/certs/cloudflare.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: ANY PRIVATE KEY error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)
I am confident that it is possible to create my own self-signed certificate, but I am planning on using this strategy eventually to spin up production machines. Any help on pointing me in the right direction is much appreciated.
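The configuration below is an added example, not part of the original question or an answer to it, showing the two distinct certificate roles that the question's server block conflates. The origin pull certificate (cloudflare.crt) is a CA certificate: nginx uses it only to verify that whatever connects to port 443 is really Cloudflare. The server still needs its own certificate and private key for ssl_certificate and ssl_certificate_key; a file that contains only a "BEGIN CERTIFICATE" block has no private key in it, which is exactly what the "Expecting: ANY PRIVATE KEY" error reports. The assumed file names /etc/nginx/certs/origin.pem and /etc/nginx/certs/origin.key stand for a Cloudflare Origin CA certificate and its key, which are generated in the Cloudflare dashboard (SSL/TLS, Origin Server) rather than downloaded from a fixed URL.

```nginx
# Added example (not the question's config). Assumed paths:
#   /etc/nginx/certs/origin.pem  - Origin CA certificate issued by Cloudflare
#   /etc/nginx/certs/origin.key  - its private key (keep mode 0600, owner root)
#   /etc/nginx/certs/cloudflare.crt - Cloudflare origin-pull CA (from the question)

# HTTP: redirect everything to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name test.company.com;
    return 301 https://$host$request_uri;
}

# HTTPS
server {
    # "ssl" as a listen parameter is the preferred form; "ssl on;" is the legacy one
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name test.company.com;

    # Server identity. Both directives are mandatory; without them
    # "nginx -t" fails with the error quoted in the question.
    ssl_certificate     /etc/nginx/certs/origin.pem;
    ssl_certificate_key /etc/nginx/certs/origin.key;

    # Authenticated Origin Pulls: the TLS client must present a certificate
    # signed by Cloudflare's origin-pull CA. This is what stops a client that
    # has learned the origin IP from bypassing Cloudflare and reaching nginx
    # directly; it is a client-verification setting, not a server certificate.
    ssl_client_certificate /etc/nginx/certs/cloudflare.crt;
    ssl_verify_client on;

    # Cloudflare's edge negotiates TLS 1.2, so the older protocols and the
    # 3DES suites from the question's cipher list are not needed.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Before reloading, `openssl x509 -in /etc/nginx/certs/origin.pem -noout -subject` should print the certificate subject and `grep -c 'BEGIN' /etc/nginx/certs/origin.key` should find a "PRIVATE KEY" block; a file that fails either check is the wrong one for that directive. An Origin CA certificate is trusted by Cloudflare's edge but not by browsers, so it only makes sense while the DNS record is proxied (orange cloud) and the zone's SSL mode is Full or Full (strict); direct browser access to the origin IP will show a trust warning and, with ssl_verify_client on, is rejected with a 400 anyway.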