Cloudflare Origin CA Upload Issue

NethServer Version: 8
Module: traefik

When trying to add my Cloudflare Origin CA certs in the WebUI, they are always rejected with the following message:

O=CloudFlare, Inc., OU=CloudFlare Origin CA, CN=CloudFlare Origin Certificate
error 20 at 0 depth lookup: unable to get local issuer certificate
error uploaded_cert: verification failed

I have both the .pem and .key files from CloudFlare from their webui panel. I’m not sure if this is a filename issue, or if I need to combine their root cert into the .pem file to create a full chain. No combination has worked for me thus far.

The cloudflare webUI looks like this (Keys redacted for privacy):

This means that the system was unable to validate that the certificate came from a trusted issuer, which is because it didn’t. The remedy, I expect, is to add Cloudflare’s root CA cert to the OS’s trusted root store. The way you’d do that, in turn, depends on the base OS; if you’re using Rocky/Alma 9, according to Brave Search AI, this is how you’d do that:

Edit: see also:


Thanks for pointing me in the right direction! You were right, I had to copy the cert to the server via scp then add it to the trust.

The cert Cloudflare gives from the page where the private key comes from isn’t the correct cert, however; I had to add their main origin CA, which can be fetched from here: Cloudflare origin CA · Cloudflare SSL/TLS docs

Thanks again for your help, now have my server fully proxied with cloudflare.
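
The error and the fix discussed in this thread can be reproduced offline with the openssl CLI. This is an added example, not code from any poster or from NethServer; the throwaway CA and `origin.example.test` are constructed stand-ins for the Cloudflare Origin CA root and the uploaded certificate, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Constructed demo: a throwaway private CA stands in for the Cloudflare Origin CA
# root, and origin.example.test stands in for the certificate being uploaded.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

make_chain() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Origin CA
CN = Example Origin Root
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # Self-signed private root: a CA that no default trust store ships.
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null || return 1
  # Leaf key and CSR, then the leaf certificate signed by that root.
  openssl req -new -config "$WORK/ca.cnf" -subj "/CN=origin.example.test" \
    -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_leaf [anchor.pem]: validate the leaf against the default trust store,
# optionally also trusting the given PEM file. Prints openssl's output and
# returns its exit status.
verify_leaf() {
  if [ -n "${1:-}" ]; then
    openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>&1
  else
    openssl verify "$WORK/leaf.pem" 2>&1
  fi
}

make_chain || { echo "openssl could not build the demo chain" >&2; exit 1; }
echo "== default trust store only ==";      verify_leaf
echo "== leaf added as its own anchor ==";  verify_leaf "$WORK/leaf.pem"
echo "== issuing root added as anchor ==";  verify_leaf "$WORK/ca.pem"
```

The second case fails the same way as the first because the leaf is not self-signed, so trusting it does not complete a chain to a root; only the issuing root does.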