Roots Discourse

Update Cloudflare TLS Authenticated Origin Pulls Certificate by 11th January 2020

Cloudflare has detected that your configuration is using our Authenticated Origin Pulls feature. Recently, we renewed the certificate that our edge network presents to your origin due to the upcoming expiration of the current certificate on January 11, 2020.

To ensure uninterrupted service, you need to update your origin server to authenticate with the new authenticated origin pull certificate anytime before January 11, 2020.

You can find the updated certificate and follow the instructions for updating popular origin servers in this Cloudflare Help Center article: https://support.cloudflare.com/hc/en-us/articles/204899617/

Need help? Please contact us at https://support.cloudflare.com/

Thanks again for choosing Cloudflare!
The Cloudflare Team

If you are using Cloudflare authenticated origin pulls via client_cert_url, make sure you update the certificate by 11th January 2020.

  1. In group_vars/<env>/wordpress_sites.yml:
  wordpress_sites:
    typist.tech:
      ssl:
-       client_cert_url: 'https://support.cloudflare.com/hc/en-us/article_attachments/201243967/origin-pull-ca.pem'
+       client_cert_url: 'https://support.cloudflare.com/hc/en-us/article_attachments/360044928032/origin-pull-ca.pem'
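Review bot: the new `client_cert_url` on the `+` line points at an opaque attachment id (`360044928032`), and nothing in this change pins what that URL returns, so the file fetched at provision time is what the origin will trust as the client CA. Before re-provisioning, download the PEM once and compare its fingerprint and expiry date with what the Cloudflare Help Center article lists, then keep the verified checksum next to this setting so a later change to the attachment is noticed.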
  2. Re-provision remote server, e.g.:
$ ansible-playbook server.yml -e env=production -vvv --tags=wordpress-setup

If you followed my 2-step instructions above, leave a comment on why you blindly follow a random security tutorial online, and go to Cloudflare’s documentation to verify everything in this thread.

Jokes aside, you have to update Cloudflare TLS authenticated origin pulls certificates by 11th January 2020.

2 Likes
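One way to do the verification the post asks for before re-provisioning, as an added example that is not part of the original post: check a downloaded `origin-pull-ca.pem` against a fingerprint you copied yourself from Cloudflare's article and confirm it is not about to expire. The function names and the expected-fingerprint argument are assumptions made for this example; only standard `openssl x509` options are used.

```shell
#!/usr/bin/env bash
# Added example: vet a downloaded origin-pull CA file before trusting it.
# Usage (EXPECTED_FP is a placeholder copied from Cloudflare's documentation):
#   verify_origin_pull_ca origin-pull-ca.pem "$EXPECTED_FP" 30

# Print the SHA-256 fingerprint of the first certificate in a PEM file,
# normalised to upper-case hex without colons. Prints nothing if parsing fails.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# verify_origin_pull_ca PEM EXPECTED_FP MIN_DAYS
# Returns 0 only if PEM parses, matches EXPECTED_FP and stays valid for
# at least MIN_DAYS more days. Distinct return codes name the failed check.
verify_origin_pull_ca() {
    pem=$1
    expected=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    min_days=$3
    actual=$(ca_fingerprint "$pem")
    [ -n "$actual" ] || { echo "not a parseable PEM certificate: $pem" >&2; return 2; }
    [ "$actual" = "$expected" ] || { echo "fingerprint mismatch: $actual" >&2; return 3; }
    openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "certificate expires within $min_days days" >&2; return 4; }
    echo "ok: $(openssl x509 -in "$pem" -noout -subject -enddate | tr '\n' ' ')"
}
```

Running the same check from a scheduled job against the file already deployed on the origin gives advance warning of the next rotation instead of relying on a notice e-mail.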

You can also just turn off authentication pulls and disable Cloudflare’s edge certificate. That’s what I do. I don’t like using their certificates.