[wp-trac] [WordPress Trac] #52614: Cloudflare Root Certificate Missing
WordPress Trac
noreply at wordpress.org
Wed Mar 17 15:50:04 UTC 2021
#52614: Cloudflare Root Certificate Missing
-------------------------------------+------------------------------
Reporter: thesimarchitect | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: minor | Resolution:
Keywords: reporter-feedback close | Focuses:
-------------------------------------+------------------------------
Comment (by thesimarchitect):
Replying to [comment:9 desrosj]:
> @thesimarchitect So it looks like the certificate you specified above is
> actually the [https://developers.cloudflare.com/ssl/origin-configuration/origin-ca origin certificate]
> for Cloudflare, not the root one.
>
> I believe that this certificate is meant for the connection TO the
> Cloudflare server, and not from the Cloudflare server to the actual
> website server.
>
> A few questions:
> - If you do not add this certificate to the `ca-bundle.crt` file, does
>   the site work normally for users? Is the only error encountered within
>   Site Health when the loop back is attempted?
> - Is your site in orange cloud mode (passing through Cloudflare)? Or
>   grey cloud mode (traffic not passing through Cloudflare)?
>
> If the site works normally without updating the cert file and you are in
> orange cloud mode, it's possible (maybe) that something is configured at
> the hosting level to intercept traffic targeted to the same site before it
> is sent out and reroutes it back to the site for a faster connection. This
> would result in the certificate (intended for use only between a user and
> Cloudflare) not being valid.

Hi! Thanks for your reply!

1. The site works normally; the problem is the loopback error, which only
goes away if I add that certificate.
2. My site passes through Cloudflare and I don't own a private certificate
because it's expensive and I don't need it. Let's Encrypt doesn't renew
certificates because of Cloudflare as well; plus, if I am not mistaken, I
am not sure WordPress accepts Let's Encrypt free certificates either.
3. I don't want to do my loopback via Cloudflare (by editing my VPS's
hosts file) when it's much faster to use localhost with the server's local
IP (I run everything on Nginx inside of a VPS).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52614#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform