Can we provide Cloudflared a truststore for certificates?

Hello everyone. During the initial connection to Cloudflare, I get the following error, which I suspect is due to a CA missing from the client, preventing it from establishing connectivity. How can I feed it a CA folder to trust? e.g.:
/usr/local/share/ca-certificates on Linux
Unable to establish TLS connection with server (Certificate verify failed: unable to get local issuer certificate). Trying to establish TLS with client anyway. If you plan to redirect requests away from this server, consider setting `connection_strategy` to `lazy` to suppress early connections.
Many thanks 🙂
4 Replies
Chaika • 9mo ago
You can provide it a CA pool for origin connections: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/origin-configuration/#capool But it sounds like you're saying you have a MITM in the middle of it, or the local system is weird? They don't seem to have anything specific that overrides it: https://github.com/cloudflare/cloudflared/blob/bb29a0e19437c3baa6a6e64f44b5de769206ed18/cmd/cloudflared/tunnel/configuration.go#L189; it should just be whatever Go does / however it gets certs.
Killtran (OP) • 8mo ago
Hi @Chaika, and thanks for replying :). I hope you're doing fine. The issue is not with the origin servers; cloudflared is actually not even connected yet and the tunnel is not yet established. Yes, I set up a MITM in the middle because I need to replicate a corporate environment for testing, where we need to get out of the internal network via a proxy. The MITM is doing the job very well (I have also tried with Apache HTTPd). I suspect the issue is that my MITM proxy isn't trusting the Cloudflare servers for some reason; setting it to an "insecure" mode where it doesn't verify the certs gets the connection established pretty well. I am still investigating to figure out a proper way to deal with this and may post something accordingly.
Erisa • 8mo ago
This definitely sounds like an issue with your client and not something specific to Cloudflare setup. The CAs that Cloudflare uses are listed here: https://developers.cloudflare.com/ssl/reference/certificate-authorities/
Killtran (OP) • 8mo ago
Many thanks @Erisa | Support Engineer, I'll get those and give it a try to see how that goes. Do you know by any chance if native support for proxies is planned someday?
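The trust decision this thread turns on, as an added example that is not code from the thread, from cloudflared or from Cloudflare: a Go client (cloudflared is one) accepts a server certificate only if it can build a chain to a root in its pool, so a certificate minted by an interception proxy fails with x509.UnknownAuthorityError (Go's wording is "x509: certificate signed by unknown authority", not the OpenSSL-style "unable to get local issuer certificate" quoted in the question) until the proxy's root is loaded from a CA directory like the one the question names. The program builds its own throwaway "Lab MITM Root CA" and a leaf for the hypothetical hostname edge.example in memory; newLabBundle, poolFromDir, verifyLeaf and the file name lab-mitm.crt are names chosen for this example. Two practitioner notes that follow from it: on Linux a Go binary that relies on the system roots honours the SSL_CERT_FILE and SSL_CERT_DIR environment variables, which is the simplest way to hand an extra CA directory to a Go program without rebuilding it; and the warning text quoted in the question (`connection_strategy`, `lazy`) is an intercepting proxy's own message about verifying the upstream server, which lines up with the OP's later diagnosis that the proxy, not cloudflared, was failing to trust Cloudflare's servers, so the proxy's upstream trust store needs Cloudflare's CAs and the client's trust store needs the proxy's CA, and those are two separate fixes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newLabBundle builds a constructed stand-in for an interception proxy's root CA
// (PEM, as it would sit in a .crt file) and a leaf it issued for a hypothetical edge host.
func newLabBundle(edgeHost string) (rootPEM []byte, leaf *x509.Certificate) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Lab MITM Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{edgeHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	check(err)
	leaf, err = x509.ParseCertificate(leafDER)
	check(err)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leaf
}

// poolFromDir loads every PEM certificate file in dir into a root pool and reports how many files contributed.
func poolFromDir(dir string) (*x509.CertPool, int, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, 0, err
	}
	pool, added := x509.NewCertPool(), 0
	for _, e := range entries {
		data, err := os.ReadFile(filepath.Join(dir, e.Name()))
		if err != nil || !pool.AppendCertsFromPEM(data) {
			continue // subdirectory, unreadable, or not a PEM certificate
		}
		added++
	}
	return pool, added, nil
}

// verifyLeaf verifies leaf for host against roots. unknownIssuer is true when
// the failure is the "no trusted issuer" class, not e.g. a hostname mismatch.
func verifyLeaf(leaf *x509.Certificate, host string, roots *x509.CertPool) (ok, unknownIssuer bool) {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err == nil {
		return true, false
	}
	var uae x509.UnknownAuthorityError
	return false, errors.As(err, &uae)
}

func main() {
	rootPEM, leaf := newLabBundle("edge.example")
	dir, err := os.MkdirTemp("", "ca-dir") // stands in for /usr/local/share/ca-certificates
	check(err)
	defer os.RemoveAll(dir)
	check(os.WriteFile(filepath.Join(dir, "lab-mitm.crt"), rootPEM, 0o644))
	ok, unknown := verifyLeaf(leaf, "edge.example", x509.NewCertPool())
	fmt.Printf("empty store: ok=%v unknownIssuer=%v\n", ok, unknown)
	pool, n, err := poolFromDir(dir)
	check(err)
	ok, unknown = verifyLeaf(leaf, "edge.example", pool)
	fmt.Printf("%d CA file(s) loaded: ok=%v unknownIssuer=%v\n", n, ok, unknown)
}
```

The loaded-file count is the check worth keeping when debugging a real box: a CA directory that yields zero certificates (wrong extension, DER instead of PEM, a bundle that was never regenerated) looks exactly like a missing truststore from the client's side.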