Cloudflare configuration Authenticated Origin Pulls

Had an Error 525 SSL handshake failed: Cloudflare is unable to establish an SSL connection to the origin server. I changed the Cloudflare dashboard “SSL/TLS” from “Full” to “Flexible” and the site is now working. Now Cloudflare is asking that I change back to “Full” and add some code to the server.

I am completely at a loss how to manage this, I added the information from Cloudflare below; any ideas would be really welcome. Thank you

An e-mail today from Cloudflare stated:
Cloudflare has detected that your configuration is using our Authenticated Origin Pulls feature. Recently, we renewed the certificate that our edge network presents to your origin due to the upcoming expiration of the current certificate on January 11, 2020 .
To ensure uninterrupted service, you need to update your origin server to authenticate with the new authenticated origin pull certificate anytime before January 11, 2020 .
For authenticated origin pulls to work, use Full SSL in the Cloudflare SSL/TLS app, and update the origin web server SSL configuration. Download origin-pull-ca.pem and place the certificate in a file on your origin web server, for example in /path/to/origin-pull-ca.pem

Then add these lines to the SSL configuration for your origin web server:
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /path/to/origin-pull-ca.pem

Blue Griffin and Chrome
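As an added illustration (not part of the original post or of Cloudflare’s e-mail), here is what the directives quoted above look like in a complete Apache origin virtual host. The ServerName, DocumentRoot and certificate paths are assumptions; only the three SSLVerify*/SSLCACertificateFile lines come from the e-mail.

```apache
# Added example: an origin vhost that satisfies Cloudflare "Full" mode and
# Authenticated Origin Pulls at the same time. All paths and names below are
# assumptions for illustration, not values from the thread.

<VirtualHost *:443>
    ServerName   example.com
    DocumentRoot /var/www/example

    SSLEngine on

    # The origin's own server certificate. "Full" only requires that the
    # origin speak TLS on port 443; "Full (strict)" additionally requires
    # this certificate to be valid for the hostname (e.g. a Cloudflare
    # Origin CA certificate or a publicly trusted one). Flexible mode never
    # reaches this vhost at all, because Cloudflare then connects over plain
    # HTTP on port 80.
    SSLCertificateFile    /etc/ssl/certs/origin.pem
    SSLCertificateKeyFile /etc/ssl/private/origin.key

    # Authenticated Origin Pulls (mutual TLS): every TLS client, which should
    # only ever be Cloudflare's edge, must present a certificate chaining to
    # Cloudflare's origin-pull CA. origin-pull-ca.pem is the file downloaded
    # from Cloudflare; its location here is an assumption.
    SSLVerifyClient      require
    SSLVerifyDepth       1
    SSLCACertificateFile /etc/ssl/certs/origin-pull-ca.pem
</VirtualHost>

# nginx equivalent of the three client-verification directives, for a
# server {} block listening on 443 ssl:
#   ssl_client_certificate /etc/ssl/certs/origin-pull-ca.pem;
#   ssl_verify_client      on;
#   ssl_verify_depth       1;
```

Two practical notes. First, the failure mode in the opening post follows from this configuration: if the origin requires a client certificate but holds an out-of-date origin-pull CA, the edge’s renewed certificate fails verification, the TLS handshake never completes, and Cloudflare reports a 525. Second, you can only test the negative case yourself, since the edge’s client key is Cloudflare’s: `openssl s_client -connect <origin-ip>:443 -servername example.com` with no `-cert`/`-key` should be refused by an origin that enforces these directives, while a request routed through Cloudflare should succeed. Switching the dashboard to Flexible does not make this check pass; it simply stops Cloudflare from using port 443, so the browser’s padlock no longer covers the Cloudflare-to-origin leg.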

We all got that mail 🙂

You do not have access to the NGINX or Apache configuration and that part of the certificate is the responsibility of ifastnet.

Just leave it on flexible (Encrypts traffic between the browser and Cloudflare)

Authenticated Origin Pulls - can be disabled if you are on flex


Thank you so much, I had no idea how to deal with this so the advice is most welcome.

How can I disable Authenticated Origin Pulls, I couldn’t find that on Cloudflare Dashboard, I am not sure how leaving or disabling Authenticated Origin Pulls will affect matters.


You have to go to the Cloudflare dashboard, click on your domain, then on “SSL/TLS”, then on “Origin Server”, scroll down a bit and disable it. That way you have disabled Authenticated Origin Pulls.


Authenticated Origin Pulls is an additional security feature of Cloudflare which can be used on supported platforms.

Normally, SSL helps to ensure that the client can verify the identity of the server (e.g. a browser to a website). It doesn’t allow the server to verify the identity of the client. With the Authenticated Origin Pulls, a hosting server can verify that the client connection was actually secured by Cloudflare.

However, our hosting does not use or support this feature. Unless you’re hosting something somewhere else where they do use Authenticated Origin Pulls, this announcement is not relevant to you.

In other words, you probably don’t need to do anything. You can leave your SSL settings exactly as they were.


Thank you Ergastolator, I had already looked on the “SSL/TLS” tab and couldn’t find the ability to disable it before posting. After your message I checked again in case I had missed it, and there is nothing on the “SSL/TLS” tab page to disable Authenticated Origin Pulls.
Admin has also sent a message saying “… you probably don’t need to do anything.” so I guess I can ignore the Cloudflare e-mail.
I am grateful for the feedback, as I had no idea what this issue was all about.


Much appreciated support Admin. I had zero idea how to handle this issue, so now understand I can just ignore Cloudflare’s e-mail. Thank you for the advice.
