{"id":1604,"date":"2020-06-07T22:17:45","date_gmt":"2020-06-07T14:17:45","guid":{"rendered":"https:\/\/www.wesbytes.com\/guide\/?post_type=kb&#038;p=1604"},"modified":"2026-01-05T11:29:07","modified_gmt":"2026-01-05T03:29:07","slug":"use-railgun-with-origin-ca-certificates","status":"publish","type":"kb","link":"https:\/\/www.servergigabit.com\/guide\/kb\/use-railgun-with-origin-ca-certificates","title":{"rendered":"Step-by-step to Use Railgun with Origin CA Certificates"},"content":{"rendered":"<h4><img fetchpriority=\"high\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/cf-assets.www.cloudflare.com\/zkvhlag99gkb\/6MzHk6TL9t4sBWgQz4kEQ6\/009bdae54937d9e446064477f494cb87\/illustrations-ssl-blog-june-2015-02-1.png\" alt=\"use Railgun with Origin CA Certificates\" width=\"645\" height=\"263\" \/><\/h4>\n<h4><strong>How to use Railgun with Origin CA Certificates?<\/strong><\/h4>\n<p>While using Railgun and configuring <a href=\"https:\/\/developers.cloudflare.com\/ssl\/origin-configuration\/origin-ca\/\" rel=\"nofollow noopener\" target=\"_blank\">Origin CA certificates<\/a>, please note that additional steps are need to avoid service impact for HTTPS requests being sent from the Listener. To the site\u2019s origin (where the origin CA certificates are install).<\/p>\n<p>This is due to the default that trust to store that is ship with the Railgun listener. Being a identical copy of the root certificates that it trusts (identical to what NSS\/Mozilla trusts).<\/p>\n<p>This means that when enabling Full SSL (Strict) in the dashboard while Railgun is enable.The Listener will no longer consider the origin presenting the Origin CA certificate as trustworthy. Resulting in a 520 error.<\/p>\n<p>* Please note that this error condition will only occur if\u00a0<code>validate.cert<\/code>\u00a0is enabled (i.e. set to 1) from the\u00a0<code>railgun.conf<\/code>\u00a0file.<\/p>\n<p>Here is an example of the error generated when\u00a0<code>validate.cert = 1<\/code>, the origin uses an Origin CA leaf, and the Origin CA roots are not in the trust store for Railgun specified by ca.bundle:<\/p>\n<pre>rg-listener: [2a074d8b36f00000-ATL] www.example.com origin request failed 123.123.123.123:443 to %!!(MISSING)s(MISSING): x509: certificate signed by unknown authority<\/pre>\n<p>Here are the following options available to avoid these errors:<\/p>\n<p>1. \u00a0 \u00a0Set\u00a0<code>validate.cert = 0<\/code>\u00a0in the\u00a0<code>railgun.conf<\/code>\u00a0file<\/p>\n<p>2. \u00a0 \u00a0Add\u00a0Cloudflare\u2019s origin CA root certificates\u00a0to the trust store specified in the\u00a0<code>ca.bundle<\/code>\u00a0parameter in the\u00a0<code>railgun.conf<\/code>. This can be done by a simply adding these root certificates at the end of the file using a text editor.<\/p>\n<p>By default, railgun.conf defines the Listener\u2019s trust store as (for <a href=\"https:\/\/www.servergigabit.com\/\">Debian\/Ubuntu<\/a>):<br \/>\n<code>ca.bundle = \/etc\/ssl\/railgun-ca-certs.crt<\/code><\/p>\n<p>*As a reminder, the listener will need to be restart after making changes to the configuration file.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>How to use Railgun with Origin CA Certificates? While using Railgun and configuring Origin CA certificates, please note that additional steps are need to avoid service impact for HTTPS requests being sent from the Listener. To the site\u2019s origin (where the origin CA certificates are install). This is due to the default that trust to store that is ship with&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"kbtopic":[43],"kbtag":[1421,1419],"class_list":["post-1604","kb","type-kb","status-publish","hentry","kbtopic-cloudflare","kbtag-ca-certificates","kbtag-railgun"],"_links":{"self":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb\/1604","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb"}],"about":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/types\/kb"}],"author":[{"embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/comments?post=1604"}],"version-history":[{"count":4,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb\/1604\/revisions"}],"predecessor-version":[{"id":4800,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb\/1604\/revisions\/4800"}],"wp:attachment":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/media?parent=1604"}],"wp:term":[{"taxonomy":"kbtopic","embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kbtopic?post=1604"},{"taxonomy":"kbtag","embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kbtag?post=1604"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}