LiteSpeed (Plesk) - Cloudflare Origin Pull
When Cloudflare is used as a reverse proxy, the TLS listener in Plesk should be configured so that only clients presenting a client certificate issued by Cloudflare's Origin Pull CA (that is, Cloudflare's edge servers) can establish a connection. Without this, anyone who discovers the origin server's IP address can bypass Cloudflare entirely and talk to the server directly, sidestepping the WAF, rate limits and access rules configured at the edge.
Requirements
- LiteSpeed web server
Download Cloudflare Origin-Pull Certificate
The CA certificate currently has a validity of about 10 years and expires on 01.11.2029 17:00 UTC. The latest version can always be downloaded from the URL used in the installation command below. Our recommendation is to make a note of this date and to run the installation command again at regular intervals, starting two weeks before expiry, until a certificate with a new expiration date appears. Otherwise, once the CA expires, the web server will reject Cloudflare's client certificate, Cloudflare will no longer be able to reach your origin, and your visitors will see an error page after 01.11.2029 17:00 UTC.
Installation
Log in to your server via SSH as the system user of the subscription to be protected and run the following command:
wget -qO /var/www/vhosts/your.domain.tld/cf-origin-pull.crt https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem
Verify validity
openssl x509 -in /var/www/vhosts/your.domain.tld/cf-origin-pull.crt -noout -text | grep "Not After"
The date shown must lie in the future, by a comfortable margin given how long until you check again. If it does, you already have the correct certificate. If the command reports an error instead of a date, the download failed or produced an empty file (wget -q hides such errors); repeat the download. If the expiration date has been reached or is imminent, see the warning above.
Configure SSL Listener
In Plesk, navigate to Websites & Domains, select the subscription's domain, open Hosting & DNS and then Apache & nginx Settings.
Add the following lines to the "Additional directives for HTTPS" field. They instruct the web server to require a client certificate on every HTTPS connection and to accept only certificates issued directly by the Cloudflare Origin Pull CA (a verification depth of 1 is sufficient because Cloudflare's client certificate is signed by that CA without an intermediate). Finally, save the configuration by clicking the blue OK button.
Additional directives for HTTPS:
Replace your.domain.tld with the domain name in Plesk under which you are editing the additional directives, so that the path matches the file downloaded above.
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile "/var/www/vhosts/your.domain.tld/cf-origin-pull.crt"
Verification
Cloudflare reverse proxy active
If you have already activated the Cloudflare reverse proxy service, your browser would normally reach Cloudflare's edge rather than your server, and Cloudflare does present a valid client certificate. To test the origin itself you must bypass Cloudflare's DNS, for example by adding an entry to your local hosts file that maps the domain to the origin server's IP address.
Cloudflare reverse proxy not active
If the Cloudflare Reverse Proxy is not yet active, no adjustment is required.
Expected error message
After accessing your domain via a browser, the following message should be displayed.
The appearance of the error message varies between browsers, but it should indicate that your client (browser) did not present a valid certificate. This is the expected result: the server now refuses connections that do not carry a Cloudflare-issued client certificate. If the page loads normally instead, the directives are not in effect; check the steps above (the path in SSLCACertificateFile, the domain under which the directives were saved, and whether the request really reached the origin rather than Cloudflare) and try again.
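The installation, the expiry check and the verification step, combined into one script. This is an added example and not part of the original article, nor a tool from Cloudflare or Plesk; it assumes openssl, wget and curl are installed, the vhost path in the usage comment is a placeholder for your own subscription, and the function names cf_ca_check, cf_ca_install and cf_origin_probe are the script's own. Unlike the plain wget -qO command, cf_ca_install validates the download before it replaces the live file, so a failed download can never leave an empty cf-origin-pull.crt behind.

```shell
#!/bin/sh
# Added example (not from the original article): validate the Cloudflare Origin
# Pull CA file, replace the live copy only when the new file is sane, and probe
# the origin to confirm that clients without a certificate are rejected.
# Assumptions: openssl, wget and curl are installed; paths below are placeholders.

CF_CA_URL="https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem"

# cf_ca_check FILE [DAYS]
# Exit 0 if FILE is a parseable X.509 certificate that stays valid for at least
# DAYS more days (default 14, the article's "two weeks before expiry").
# Exit 1 if the file is missing, empty or not a certificate; exit 2 if it
# expires within DAYS, i.e. it is time to download it again.
cf_ca_check() {
    file=$1
    days=${2:-14}
    if [ ! -s "$file" ]; then
        echo "cf_ca_check: $file is missing or empty" >&2
        return 1
    fi
    # An HTML error page saved by "wget -qO" fails to parse here.
    if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        echo "cf_ca_check: $file is not a PEM certificate" >&2
        return 1
    fi
    openssl x509 -in "$file" -noout -subject -enddate
    # -checkend exits non-zero if the certificate expires within the given seconds.
    if ! openssl x509 -in "$file" -noout -checkend $(( days * 86400 )) >/dev/null; then
        echo "cf_ca_check: certificate expires within $days days, download it again" >&2
        return 2
    fi
    return 0
}

# cf_ca_install DEST
# Download to a temporary file next to DEST, validate it, and only then move it
# into place, so a failed download never overwrites a working certificate
# (which would produce the "SSLCACertificateFile does not exist" error).
cf_ca_install() {
    dest=$1
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if wget -qO "$tmp" "$CF_CA_URL" && cf_ca_check "$tmp" 14 >/dev/null; then
        chmod 0644 "$tmp" && mv -f "$tmp" "$dest" && echo "installed $dest"
    else
        rm -f "$tmp"
        echo "cf_ca_install: download or validation failed, $dest left untouched" >&2
        return 1
    fi
}

# cf_origin_probe DOMAIN ORIGIN_IP
# Connect straight to the origin, bypassing Cloudflare's DNS (the --resolve flag
# does what a hosts-file entry does for a browser), without any client
# certificate. With SSLVerifyClient require in place this must not succeed.
# -k: the origin may present a certificate curl does not trust; that is not
# what is under test here, only whether the server accepts a certificate-less client.
cf_origin_probe() {
    domain=$1
    ip=$2
    rc=0
    code=$(curl -s -k -o /dev/null -w '%{http_code}' \
        --resolve "${domain}:443:${ip}" "https://${domain}/") || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "origin rejected the TLS handshake (curl exit $rc): origin pull is enforced"
        return 0
    fi
    case "$code" in
        2*) echo "origin answered HTTP $code without a client certificate: NOT enforced"; return 1 ;;
        *)  echo "origin answered HTTP $code without a client certificate: enforced"; return 0 ;;
    esac
}

# Usage (replace the path and IP with your subscription's own values):
#   sh cf-origin-ca.sh install /var/www/vhosts/your.domain.tld/cf-origin-pull.crt
#   sh cf-origin-ca.sh check   /var/www/vhosts/your.domain.tld/cf-origin-pull.crt 14
#   sh cf-origin-ca.sh probe   your.domain.tld 203.0.113.10
case "${1:-}" in
    install) cf_ca_install "$2" ;;
    check)   cf_ca_check "$2" "${3:-14}" ;;
    probe)   cf_origin_probe "$2" "$3" ;;
esac
```

Run the check from cron a few weeks ahead of the expiry date noted above; exit status 2 is the signal to run install again. The probe must be run from a machine outside Cloudflare's network and needs the origin's real IP address; because it deliberately sends no client certificate, a rejected handshake or an HTTP 4xx is the correct outcome, and a 200 means the origin is still reachable without Cloudflare.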
Frequent error messages
SSLCACertificateFile does not exist
This error occurs when the certificate file does not exist at the specified path or is empty (for example after a failed download). It also occurs when a relative path is used: the web server then resolves the path relative to its own configuration directory (e.g. /etc/apache2), not to the subscription's vhost directory, and does not find the file there.
Always specify an absolute path, which begins with a / and points to the file downloaded during installation, for example /var/www/vhosts/your.domain.tld/cf-origin-pull.crt. Repeat the installation and configuration steps above to correct the error.