Cloudflare Origin Certificates
Cloudflare automatically provides free client-facing certificates for your domain, even if you use their free service. In addition, they provide free Origin Certificates to encrypt the connection between Cloudflare and your origin Moxie.Build server. Use this article if you are going to have Cloudflare connect to inbound open ports on your Moxie.Build server.
First, consider using Cloudflared Tunnel instead
Cloudflared Tunnel exposes applications running on your local web server, from any network with an internet connection, through an outbound tunnel that connects directly to Cloudflare's edge network, with no inbound firewall rules to configure. In most cases this is the preferred way to connect.
Requirements
- Your domain must be set up and working on Cloudflare in advance
- OpenSSL installed on your workstation
- Note that OpenSSL comes with Git for Windows; if Git for Windows is already installed, you should find OpenSSL.exe in its bin folder
Create Certificate
- Log in to the Cloudflare admin and navigate to your domain
- Navigate to SSL/TLS and then the sub-tab of Origin Server
- Click Create Certificate
- Let Cloudflare generate a private key and a CSR
- Private key type: RSA
- The list of hostnames should be fine as is, but if you are pointing additional domains to the same Moxie.Build server, including ones behind the Moxie.Build Relay, list those as well
- Certificate Validity defaults to 15 years, which is fine since you can delete these certificates in Cloudflare to invalidate them when needed
- Click Next
- Copy the text from the CSR into a file such as C:\Temp\domain.com.csr
- Copy the text from the private key (PEM) into a file such as C:\Temp\domain.com.pem
Create PFX File
- Open a command prompt or PowerShell on your workstation in the folder OpenSSL.exe is in
- .\openssl.exe pkcs12 -export -out C:\Temp\domain.com.pfx -inkey C:\Temp\domain.com.pem -in C:\Temp\domain.com.csr
- Enter and confirm a password that will be used to protect this .pfx file
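The following PowerShell script is an added example, not part of the original article or of Moxie.Build. It runs the same openssl pkcs12 export as the step above, but first checks that the pasted private key actually belongs to the pasted certificate, passes the password to openssl through an environment variable instead of the command line, and then loads the finished PFX to show what certmgr will import. It assumes openssl is on PATH (or that you run it from the OpenSSL folder as the article does), that the file the article saves as domain.com.csr holds the PEM text Cloudflare displayed as the Origin Certificate (openssl pkcs12 -export needs a certificate, not a request, in -in), and that domain.com.pem holds the PEM private key.

```powershell
# Added example (not from the Moxie.Build article): build and verify the PFX.
# Assumptions: openssl on PATH; $CertFile = the PEM "Origin Certificate" text
# (article saves it as domain.com.csr); $KeyFile = the PEM private key.
param(
    [string]$CertFile = 'C:\Temp\domain.com.csr',
    [string]$KeyFile  = 'C:\Temp\domain.com.pem',
    [string]$PfxFile  = 'C:\Temp\domain.com.pfx'
)
$ErrorActionPreference = 'Stop'

# 1. The public key derived from the private key must equal the public key inside
#    the certificate; if not, the wrong key was pasted and the PFX would be useless.
$pubFromKey  = (& openssl pkey -in $KeyFile -pubout) -join "`n"
$pubFromCert = (& openssl x509 -in $CertFile -pubkey -noout) -join "`n"
if ($pubFromKey -ne $pubFromCert) {
    throw "Private key in $KeyFile does not match certificate in $CertFile"
}

# 2. Collect the export password as a SecureString and hand it to openssl through
#    an environment variable (openssl's env: password source) so it never appears
#    in the process command line or console history.
$secure = Read-Host -Prompt 'Password to protect the PFX' -AsSecureString
$env:PFX_PASS = [System.Net.NetworkCredential]::new('', $secure).Password
try {
    & openssl pkcs12 -export -out $PfxFile -inkey $KeyFile -in $CertFile -passout env:PFX_PASS
    if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 -export failed' }

    # 3. Load the PFX back with the key kept in memory only (EphemeralKeySet), so
    #    nothing is written to this workstation's key store during the check.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxFile, $env:PFX_PASS, $flags)
}
finally {
    Remove-Item Env:\PFX_PASS -ErrorAction SilentlyContinue
}

if (-not $cert.HasPrivateKey) { throw 'PFX was written without the private key' }

# Subject Alternative Name extension (OID 2.5.29.17) lists the hostnames covered.
$san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) })
[PSCustomObject]@{
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    NotAfter      = $cert.NotAfter      # roughly 15 years out with Cloudflare's default validity
    HasPrivateKey = $cert.HasPrivateKey
    SANs          = $san
    Thumbprint    = $cert.Thumbprint
}
```

Check the SANs line against the hostname list you accepted in Cloudflare before copying the PFX to the server; a missing hostname means the certificate was created against the wrong list and should be deleted in Cloudflare and recreated.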
Install on Server
1. Copy the pfx file to a location on the server such as C:\Temp\domain.com.pfx
2. If the Moxie.Build service this is being installed for is running, stop the service
   - Right click on Moxie.exe, Run as Administrator, click the Stop button
   - Close that window
3. Assuming it is in place (it should be), remove the Deny log on locally local security policy from the user account the Moxie.Build service runs as
   - For context, if you are not familiar with this topic, see the notes in the more info window, found by clicking on the note under Run Service as this User in the Moxie.Build Server Setup window when you run Moxie.exe. Be sure to close that window when done reading, before you move on to step 4 below
   - If the user is a member of a group that the Moxie.Build security policies are applied to (a good idea), remove it from that group and add it to the Users group
   - If the security policies are applied to the user directly, remove that user from this local security policy
4. Hold Shift as you right click on Moxie.exe and choose Run as different user
5. Enter the username and password of the user account you use to run this Moxie.Build service
6. Click on the link to Cert Mgr beside the Certificate Name field
7. In the certmgr window, navigate to Personal
8. Click on the Action menu, All Tasks, Import
9. In the Certificate Import Wizard that opens, click Next
10. Select your pfx file from above. Note that the File Type dropdown needs to be changed to Personal Information Exchange to see it. Then click Next
11. Enter the password you set when you created the PFX file
12. Leave the import options at their defaults. Click Next
13. Leave the location at its default of Personal and click Next
14. Click Finish, and assuming the message box pops up saying the import was successful, click OK
15. Navigate to the Certificates sub-folder that now shows up under Personal in the certmgr window
16. Double click on CloudFlare Origin Certificate, click on the Details tab, then click Edit Properties
17. Enter the domain name in the Friendly name field and click OK
18. Click OK to close the Certificate window
19. Close the certmgr window
20. Back in the Moxie.Build Server Setup window, enter the domain name exactly as you entered it in the Friendly name field above into the Certificate Name field, and close the window
21. Reverse the security policy / group membership change from step 3 above
22. Start the service
23. Save or delete all copies of the .pfx, .pem, and .cer files according to your company's policy
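The script below is an added example, not part of the original article or of Moxie.Build: it is the scripted equivalent of the certmgr import and Friendly name steps, for servers you set up repeatedly. It must run in a PowerShell session started as the account the Moxie.Build service runs under (the same account you used with Run as different user), because the certificate has to land in that account's Personal store, which PowerShell exposes as Cert:\CurrentUser\My. The PFX path and friendly name are placeholders matching the article's examples; the Import-PfxCertificate cmdlet comes with Windows' PKI module.

```powershell
# Added example (not from the Moxie.Build article): import the PFX into the
# service account's Personal store and set the friendly name, then verify.
# Run as the service account. Placeholders: $PfxFile, $FriendlyName.
param(
    [string]$PfxFile      = 'C:\Temp\domain.com.pfx',
    [string]$FriendlyName = 'domain.com'   # must equal the Certificate Name field in Moxie.Build Server Setup
)
$ErrorActionPreference = 'Stop'

$password = Read-Host -Prompt 'PFX password' -AsSecureString

# Import into this account's Personal store. Without -Exportable the private key
# cannot be exported back out of the store later, which is the default the
# wizard uses when you leave its options alone.
$imported = Import-PfxCertificate -FilePath $PfxFile -CertStoreLocation 'Cert:\CurrentUser\My' -Password $password

# Assigning FriendlyName on a certificate object that came from a store writes
# the value back to the store; this is what the Edit Properties dialog does.
$imported.FriendlyName = $FriendlyName

# Verify: exactly one certificate carries this friendly name (Moxie.Build looks
# it up by that name) and it has a usable private key.
$found = @(Get-ChildItem 'Cert:\CurrentUser\My' | Where-Object { $_.FriendlyName -eq $FriendlyName })
if ($found.Count -ne 1) {
    throw "Expected one certificate named '$FriendlyName' in Cert:\CurrentUser\My, found $($found.Count)"
}
$cert = $found[0]
if (-not $cert.HasPrivateKey) { throw "Certificate '$FriendlyName' has no private key in the store" }

[PSCustomObject]@{
    FriendlyName = $cert.FriendlyName
    Subject      = $cert.Subject
    Issuer       = $cert.Issuer
    NotAfter     = $cert.NotAfter
    Thumbprint   = $cert.Thumbprint
}
```

If the count check fails because an older origin certificate with the same friendly name is still in the store, remove the stale one by thumbprint rather than renaming it, so the name the service looks up stays unambiguous.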
Final Changes on Cloudflare
- Navigate to SSL/TLS and then the first sub-tab, Overview
- Set the mode to Full
- Navigate to SSL/TLS and then the sub-tab of Origin Server
- Turn On Authenticated Origin Pulls
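Once the service is running and the Cloudflare settings above are saved, it is worth confirming what the origin actually serves on the port Cloudflare will connect to. The script below is an added example, not part of the original article or of Moxie.Build: it opens a TLS connection to the origin with the given SNI name and reports the certificate presented. The origin host, port and SNI name are placeholders. Enabling Authenticated Origin Pulls makes Cloudflare present a client certificate to the origin; this script does not exercise that, it only inspects the server side of the handshake.

```powershell
# Added example (not from the Moxie.Build article): inspect the certificate the
# origin presents. Placeholders: $OriginHost, $OriginPort, $ServerName.
param(
    [string]$OriginHost = 'origin.example.com',  # placeholder: the server's public address or IP
    [int]$OriginPort    = 443,
    [string]$ServerName = 'domain.com'           # placeholder: a hostname the origin certificate covers
)
$ErrorActionPreference = 'Stop'

$tcp = [System.Net.Sockets.TcpClient]::new($OriginHost, $OriginPort)
try {
    # The Cloudflare origin CA is not in the Windows trust store, so normal chain
    # validation would reject the handshake. This callback accepts it only so the
    # certificate can be inspected below; it is not a trust decision for real clients.
    $acceptForInspection = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $true
    }
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptForInspection)
    $ssl.AuthenticateAsClient($ServerName)   # sends $ServerName as SNI

    $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    $san  = ($leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) })

    [PSCustomObject]@{
        Protocol   = $ssl.SslProtocol
        Subject    = $leaf.Subject
        Issuer     = $leaf.Issuer
        NotAfter   = $leaf.NotAfter
        SANs       = $san
        Thumbprint = $leaf.Thumbprint
    }

    # The three failures that matter: wrong certificate, expired, or SNI name not covered.
    if ($leaf.Issuer -notmatch 'CloudFlare Origin') {
        Write-Warning 'Origin is not serving a Cloudflare origin certificate; check the Certificate Name field and the service account store'
    }
    if ($leaf.NotAfter -lt (Get-Date)) {
        Write-Warning 'Served certificate has expired'
    }
    if ($san -notmatch [regex]::Escape($ServerName)) {
        Write-Warning "Served certificate's SAN list does not include $ServerName"
    }
}
finally {
    $tcp.Dispose()
}
```

Run it from a machine that can reach the origin port directly; through Cloudflare you would see Cloudflare's edge certificate instead. Note that the Full mode selected above encrypts the Cloudflare-to-origin hop but does not validate the origin's certificate, whereas Full (strict) does, and a Cloudflare-issued origin certificate passes that validation.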