Error when adding a Cloudflare Origin certificate for the panel

My system is Debian 12, HestiaCP v1.8.11

The first fix I would suggest, I first saw it in a post from @punkyard

Add the Cloudflare Origin root certificate to /usr/local/share/ca-certificates/origin_ca_rsa_root.crt

wget https://developers.cloudflare.com/ssl/static/origin_ca_rsa_root.pem
mv origin_ca_rsa_root.pem origin_ca_rsa_root.crt
cp origin_ca_rsa_root.crt /usr/local/share/ca-certificates
update-ca-certificates

This will at least fix the error when adding a certificate, which Hestia will notify you about

However, having added the certificate, it will not show up in the dashboard. This is a Cloudflare error, in my opinion. Since, there is an error in the root certificate, it has lines like this

Issuer: C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
Subject: O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate

Clever openssl command, adds quotes to the ‘O =’ value since the value has a comma for some reason, lol. This breaks the script from the Hestia developers, I don’t know if they should have foreseen this, as it seems like a silly and obvious certificate error, but I would fix it if I were the Hestia team.

And here’s what I did…
in /usr/local/hestia/bin/v-list-sys-hestia-ssl
changed

subj=$(echo "$info" | grep Subject: | cut -f 2 -d =)
issuer=$(echo "$info" | grep Issuer: | sed -e "s/.*Issuer: //")

on

subj=$(echo "$info" | grep Subject: | sed 's/["]//g' | cut -f 2 -d =)
issuer=$(echo "$info" | grep Issuer: | sed -e "s/.*Issuer: //" -e 's/["]//g')

This simply removes the quotes from the Issuer and Subject object value sample.
I really ask those who read the post and understand shell to correct my solution by writing what I left out and how it would be better to do it! Since I’m not a professional at all, but an absolute amateur)))) Thank you!

But this is not all! If you fix only this, the certificate, yes, will be displayed in the panel, but there will be an error in /usr/local/hestia/nginx/logs/error.log.

[warn] 95441#0: "ssl_stapling" ignored, issuer certificate not found for certificate "/usr/local/hestia/ssl/certificate.crt"

we need to add to the certificate, the root certificate on the chain, since nginx, it is necessary. This is how it works)

cat /usr/local/share/ca-certificates/origin_ca_rsa_root.crt >> /usr/local/hestia/ssl/certificate.crt

I think that’s it)

All corrections are welcome.
Special thanks to the Hestia team, love you guys!

P.S. Fun fact, on OSX openssl does not add these quotes to the certificate if there is a comma in the Issuer and Subject values
on this version it works as described above - OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023) - Debian 12
no quotes are added on this version - OpenSSL 3.3.0 9 Apr 2024 (Library: OpenSSL 3.3.0 9 Apr 2024) - OSX

By the way it also caused a huge error message every time I went to Server Settings, in the /usr/local/hestia/log/nginx-error.log file, which doesn’t even fit in the message)

[error] 1248#0: *746 FastCGI sent in stderr: "PHP message: PHP Warning:  Trying to access array offset on value of type null in /usr/local/hestia/web/edit/server/index.php on line 258; PHP message: PHP Warning:  Trying to access array offset on value of type null in /usr/local/hestia/web/edit/server/index.php on line 258; PHP message: PHP Warning:  Trying to access array offset on value of type null in /usr/local/hestia/web/edit/server/index.php on line 259; PHP message: PHP Warning:  Trying to access array offset on value of type null in /usr/local/hestia/web/edit/server/index.php on line 259; PHP message: PHP Warning:  Trying to access array offset on value of type null in /usr/local/hestia/web/edit/server/index.php on line 260; PHP message: PHP Warning:  Trying to access array offset on value of type null in /usr/local/hestia/web/edit/server/index.php on line 260; PHP message: PHP Warning:  Trying to access array offset on value of type null in /usr/local/hestia/web/edit/server/index.php on line 261; PHP message: PHP Warning:  Trying to access array offset on value of type null in /usr/local/hestia/web/edit/server/index.php on line 261; PHP message: PHP Warning:  Trying to access array offset on value of type null in /usr/local/hestia/web/edit/server/index.php on line 262; PHP message: PHP Warning:  Trying to access array offset on value of type null in /usr/local/hestia/web/edit/server/index.php on line 262; PHP message: PHP Warning:  Trying to access array offset on value of type null in /usr/local/hestia/web/edit/server/index.php on line 263; PHP message: PHP Warning:  Trying to access array offset on value of type null in /usr/local/hestia/web/edit/server/index.php on line 263; PHP message: PHP Warning:  Trying to access array offset on value of type null in /usr/local/hestia/web/edit/server/index.php on line 264; PHP message: PHP Warning:  Trying to access array offset on value of type null in /usr/local/hestia/web/edit/server/index.php on line 264; PHP message: PHP Warning:  Trying t

This:

Should work fine

1 Like

I agree with you, for those who encounter similar things, this is ideal.
However, there are exceptions and I needed to use a Cloudflare certificate, this annoyed me and I fixed it. I hope someone else fixes my code to make it perfect!

Also, as I understand, the Let’s Encrypt certificate will not be renewed, as I understand, because the server works through the Cloudflare Proxy, and it must be disabled to obtain a certificate, right?

It is already solved but just to add another experience.

ECC won’t work but RSA type of certificates are ok with authority/intermediate provided by cloudlflare.