cloudflare


Cloudflare certificate on tomcat windows server

Use Keytool to Create a New Keystore at your Windows Server

Step 1

At your server, generate the Keystore file using keytool command at your command line window with the following command:

keytool -genkey -alias tomcat -keyalg RSA -keystore your_site_name.keystore -validity 3650

In the command above, your_site_name should be the name of the domain you want to secure with this SSL/TLS certificate.
When prompted for the first and last name, type the Fully Qualified Domain Name (FQDN) for the site you are securing with this certificate (e.g., www.yourdomain.com, mail.yourdomain.com).

Step 2

Generate a Certificate Signing Request (CSR) from your New Keystore using the keytool command:

keytool -certreq -alias tomcat -file certreq.csr -keystore your_site_name.keystore -keysize 2048

When prompted, enter the password you created earlier (when you created your new Keystore).
In your current directory, certreq.csr now contains your CSR.

Create the certificate from Cloudflare using the certificate request that you created from your Windows Server

Step 3

Open your Cloudflare account, select your domain, open the SSL/TLS tab and click on Origin Server to create the certificate

Step 4

Select the option I have my own private key and CSR where you will Copy-Paste the certificate you saved on the txt file from your Windows Server (certreq.csr), fill in the hostnames, select the expiration years, and press Create

Step 5

Copy-Paste in PKCS#7 key format the certificate in a text file and save the file

Import Cloudflare Origin CA root certificate at your Windows server

Step 6

Copy the Cloudflare Origin CA — RSA Root certificate from the Cloudflare website, save to a file and transfer it to your Windows Server.
[https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/#4-required-for-some-add-cloudflare-origin-ca-root-certificates]
Filename: origin_ca_rsa_root.pem

Step 7

Import the root certificate into your Keystore file.

keytool -import -alias root -keystore your_site_name.keystore -trustcacerts -file origin_ca_rsa_root.pem

Add the public certificate from Cloudflare to your Windows Server

Step 8

Copy the file with the PKCS#7 certificate from Cloudflare at your Windows Server

Step 9

Run the following command to import the public certificate at your Keystore

keytool -import -alias tomcat -keystore your_site_name.keystore -file your_site_name.p7b

You should get a confirmation that the “Certificate reply was installed in Keystore.”

Use the newly created server origin certificate from Cloudflare for your website.

Step 10

Find your Tomcat server configuration (server.xml file), make the following changes at your Connector, and save the file.

<Connector executor="tomcatThreadPool" port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files\SysAidServer\ keystore your_site_name.keystore" keystorePass="XXXXXXXXXXXXXX" />

Step 11

Restart the Tomcat service


Cloudflare: Error 522 – Connection timed out 2

Recently, we’ve been noticing weird behavior on sites that are proxied behind Cloudflare servers. While visiting a site from one internet connection, we are constantly getting a 522 error. If at that moment, we switch our internet connection on that machine and visit the same page, it works as expected.

We are sure that the servers we have access to did not run out of resources, nor does the firewall block Cloudflare IPs. All firewalls are properly configured to accept connections from the official Cloudflare IPs that were retrieved from here.

We will investigate it further, hopefully we will figure it out.


Cloudflare Origin Server Certificate for IIS 10 Server on Windows Server 2016 to allow Full (strict) mode SSL/TLS encryption mode 8

Create a Certificate Request from your Windows Server

  1. Open Internet Information Services (IIS) Manager from the Windows Server 2016 through Control Panel -> Administrative Tools
  2. Select your server from the Connections and open Server Certificates
  1. From the Server Certificates Actions select Create Certificate Request
  1. Fill in the following form with your details:
Common name: [your domain]
Organization: [your organization name]
etc.
  1. Set the settings for the Cryptographic service provider of the certificate, the bigger the length of the certificate the better the security but it makes the server slower.
  1. Specify the filename of the txt file where you will save the certificate request

Create the certificate from Cloudflare using your own certificate request that you created from your Windows Server

  1. Open your Cloudflare account, select your domain, open SSL/TLS tab and click on Origin Server in order to create the certificate
  1. Select the option ‘I have my own private key and CSR’ where you will Copy-Paste the certificate you saved on the txt file from your Windows Server, fill in the hostnames, select the expiration years and press Next
  1. Copy-Paste in PEM key format the certificate in a text file and save the file

Add the public certificate from Cloudflare at your Windows Server

  1. Copy the file with the PEM certificate from Cloudflare at your Windows Server
  2. Select ‘Complete Certificate Request’ from the IIS Manager Server Certificates Actions
  1. Select the PEM certificate you copied at the server and add a friendly name (e.g. the domain it covers and the expiration date of it):
  1. The certificate will appear at the list of the Server Certificates with the Friendly name you added at the form before

Import Cloudflare Origin CA root certificate at your Windows server

  1. Copy the Cloudflare Origin CA — RSA Root certificate from Cloudflare website, save to a file and transfer it to your Windows Server
  2. Open the Certificates Microsoft Management Console (MMC) snap-in by typing mmc.exe at the command prompt (or at the run dialog that you can open by pressing the buttons Win+R)
  3. On the File menu, select Add/Remove Snap-in
  1. In the Add or Remove Snap-ins dialog box, select Certificates snap-in in the Available snap-ins list, click Add, and then select OK
  1. In the Certificates snap-in dialog-box, select Computer account, and then select Next
  1. In the Select computer dialog box, click on Finish
  1. In the Add or Remove Snap-ins dialog box, select OK
  1. In the Certificates MMC snap-in, expand Certificates, right-click Intermediate Certification Authorities, point to All Tasks, and then select Import
  1. In the Certificate Import Wizard, select Next
  1. In the File to Import page, select the file with the Cloudflare origin CA root certificate you saved before, and then select Next
  1. Select Next at the Certificate Import Wizard
  1. Select Finish at the Certificate Import Wizard
  1. The certificate will appear at the Certificates list

Use the newly created server origin certificate from Cloudflare for your website

  1. Select Bindings from the IIS Manager Web Site Actions
  1. Select the https binding and click Edit. If you do not have an https binding, press Add... to create one like in the second screen down
  1. At the SSL certificate dropdown list Select the new certificate and press OK

Force your website domain to pass through Cloudflare

  1. Open your Cloudflare account, select your domain, go to DNS option and change the Proxy status for your website from DNS only to Proxied by click it
  1. Enable Cloudflare full (strict) SSL TLS encryption mode in the SSL/TLS tab

Ubuntu SSHD listen to multiple ports

Recently, we’ve setup an Ubuntu server behind CloudFlare that needed to listen for SSH connections.
Unfortunately, CloudFlare does not allow connections to the default SSH port which is 22.
So, to achieve what it was needed we either had to change the port that the SSH service was listening to or add an additional port.
We decided to go with the option of listening to multiple ports for SSH connections, this way users that were also behind the CloudFlare CDN could still continue to use their SSH clients without being forced to define the connection port manually.

The port listening setting is available in /etc/ssh/sshd_config, using sudo we edited the file with a text editor and searched for the following lines:

# What ports, IPs and protocols we listen for
Port 22

Right after the line that contains Port 22, we added another line for the new port (to see the list of all available open ports on CloudFlare, check this post)

And the file became as follows:

# What ports, IPs and protocols we listen for
Port 22
Port 2053

Afterwards, we restarted the SSHD service to apply the changes by executing the following command by using sudo:

systemctl restart ssh;


CloudFlare does not allow port 22 (usual SSH port) on domain 3

When you try to connect via ssh on a domain for which you are using CloudFlare as a HTTP proxy, you will get the following error:

$ ssh [email protected]
 ssh_exchange_identification: Connection closed by remote host

You have a few options to resolve for this issue:

  1. Either connect directly to the IP of the machine.
  2. Or, setup a CNAME record with no HTTP proxy for the SSH (so that you do not need to remember the IP).
    This solution does not offer any additional benefits than connecting directly to the IP of the server.
    To do that, you need to visit the configure DNS page for your site: e.g. https://www.cloudflare.com/a/dns/example.com,
    then create the CNAME named ssh, use as target your domain (e.g. example.com) and disable HTTP proxy by clicking on the orange cloud and making it gray before pressing the Add Record button.

    Then, you will be able to connect via ssh [email protected].
  3. Last solution but not least is configuring your server to listen for SSH on one of the ports of CloudFlare that are open.
    When this post was written, the following ports were available/open for any site in CloudFlare:
    For requests made via HTTP:

    80
    8080
    8880
    2052
    2082
    2086
    2095

    For requests made via HTTPS:

    443
    2053
    2083
    2087
    2096
    8443

    At the time, we were using an Ubuntu GNU/Linux server, to instruct Ubuntu SSHD to listen to multiple ports we edited the file /etc/ssh/sshd_config and right after the lines:

    # What ports, IPs and protocols we listen for
    Port 22

    we added another line with the new port we wanted to use:

    # What ports, IPs and protocols we listen for
    Port 22
    Port 2053

    After restarting the service
    service ssh restart;
    we were able to connect to our page as follows:
    ssh -p 2053 [email protected];