Cloudflare Origin Certificate not working

Community Support
1

Hello,

I have been trying to import Cloudflare Origin Certificate on my Hestia Panel, but failed everytime. When saving the origin certificate (SSL Certificate and Key Value) disappears when saved.

1
1652Ɨ646 30.3 KB

I have uploaded the Cloudflare certificate authority file on server by using following cmds.

wget https://developers.cloudflare.com/ssl/static/origin_ca_rsa_root.pem
mv origin_ca_rsa_root.pem origin_ca_rsa_root.crt
cp origin_ca_rsa_root.crt /usr/local/share/ca-certificates
update-ca-certificates

Can anyone help?

2 Likes
2

2
21146Ɨ636 109 KB

This is the cert and key I am uploading, tried this on domain SSL as well, it imports fine but I am still getting LetsEncrypt E1 certificate instead of Cloudflare.

1 Like
3

there are a few informations missing about what exactly you want to achieve and what you have setup so far.

you want to use your CF cert for the domain that is also your hostname and under which hestia itself is running?
you have that domain/hostname setup as a domain under the admin account as usual?

the first screen you posted seems indeed like the one to add the cert for hestia itself. not sure why it does not save it there to be honest, but as you already tried a workaround could be to add it to the domain itself in your admin account/web domain.
however after you did this you still need to tell hestia to pick it up for itself. you can do this from the console via the v-update-host-certificate command.

after that it should copy the cert from your web-domain to the hestia nginx and run it properly.

4

hi
iā€™ve got the exact same problem
iā€™ve got a crashtest ubuntu 20.04 server (freshly installed ā€¦ and often reinstalled ā€¦!) to try hestia v164 in different ways (iā€™m no IT) in which i kept the panel domain in the admin (though you told me itā€™s better in a user account, but itā€™s just for testing here)

i have CF cerf origin copied & pasted in HESTIA configuration menu, but when I save, it disappears. but thatā€™s not all folkā€™s:

Capture dā€™eĢcran 2022-07-23 aĢ€ 21.40.48
Capture dā€™eĢcran 2022-07-23 aĢ€ 21.40.48748Ɨ666 99.3 KB

: hestiaā€™s domain end up with a letā€™s encrypt cerf and i donā€™t get any error visiting the domain with different browsers at panel.domain.org:2083 but none would display panel.domain.org ā€¦
(itā€™s said that :8083 is not accepted by cloudflare, in confirm)

in WEB section in HESTIA
SSL is not even activated on the domain panel.domain.org

Capture dā€™eĢcran 2022-07-23 aĢ€ 21.47.57
Capture dā€™eĢcran 2022-07-23 aĢ€ 21.47.571036Ɨ281 72.3 KB

Iā€™d truly be happy to understand my situation if one can help
cause itā€™s giving me a very hard time trying to understand what to do to have a simple and clean server working with hestia and cloudflare. i get gateaways, 403s, https not secured even with a cerf in hestia, younameit, wellā€¦ all sorts of messages grinding my peace of mind ^^

Iā€™ve read people have nice servers running with hestia, nextcoud ā€¦ so far ā€¦ iā€™m not there ā€¦ yet - but i canā€™t understand why, cause iā€™m following the exact simple steps of different tutorials, documentation files, ā€¦

now, i want to ask you @falzo, what you mean by:

however after you did this you still need to tell hestia to pick it up for itself. you can do this from the console via the v-update-host-certificate command.

pick it up? copy paste is not enough?
v-update-host-certificate command would do what?

nothing in hestiaā€™s doc, see ā€¦

where are the cerfs in the server by the way?

thanks at all responders :v:

5

AFAIK itā€™s normal for the value in the <textarea> to disappear on save - it does for me and still works.

This video guide works reliably for me (I followed it today) and includes origin certificate setup:

2 Likes
6

thanks @alec I used it too :+1:
i realize now that even this cloudflare it can take up to 10 min or more for the dns and certificate to work together

7

is your problem solved?

what I meant or do is adding the domain you want to use as panel domain to the admin account (is itā€™s the hostname, itā€™s usually already there).
and then add your certificate to that domain (could be one acquired externally or just using letsencrypt there).
once you have that done, you can run v-update-host-certificate admin <yourpaneldomain> on cli to make hestia use this certificate for itā€™s own instance.

in the end, that should result in avoiding proxy/gateway errorsā€¦ but of course there are other ways to help with that, like adding the cert directly, like it seems, this now hopefully worked for you too :wink:

8

iā€™m waiting to see how long itā€™s going to last ^^ yes, the panel website is ok now ! iā€™ve changed the port 8083 to make it compatible with CLOUDFLARE
so i guess my question in answered
thank you all for your assistance

@falzo, though, iā€™ve created a simple user to manage the hestiapanel.domain.com - as understood earlier, that it was better for security reasons
i havenā€™t needed the v-update-host-certificate admin command to make it work though ā€¦

9

would it be possible to make the IP address secured by a ssl?

10

No not really.

11

itā€™s not technically possible?

12

returned: sudo: v-update-host-certificate: command not found

have i used it the wrong way?

13

Try $HESTIA/bin/v-update-host-certificate ā€¦

1 Like
14

thanks

$ sudo /usr/local/hestia/bin/v-update-host-certificate user hpanel.domain.net

1 Like
15

Just a tip: after pasting certificate and key, press enter key.

16

This can be resolved by changing your SSL/TLS encryption mode to Full (strict) from cloudflare site.

Screenshot from 2022-11-20 11-27-33
Screenshot from 2022-11-20 11-27-332254Ɨ1244 184 KB

1 Like