[CF1] warp cert expiring #19531
Closed
[CF1] warp cert expiring #19531
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
deadlypants1973
requested review from
kokolocomotion1,
ranbel and
a team
as code owners
Deploying cloudflare-docs with
|
| Latest commit: |
a9f55f2
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://8ab4205a.cloudflare-docs-7ou.pages.dev |
| Branch Preview URL: | https://kate-fixes-usersidecert.cloudflare-docs-7ou.pages.dev |
maxvp
reviewed
Jan 30, 2025
| @@ -13,6 +13,14 @@ Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/po | |||
|
|
|||
| Gateway [generates a unique root CA](#generate-a-cloudflare-root-certificate) for each Zero Trust account and deploys it across the Cloudflare global network. Alternatively, Enterprise users can upload and deploy their own [custom certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/). | |||
|
|
|||
| :::caution[Default WARP certificate expiring on February 2, 2025] | |||
There was a problem hiding this comment.
Suggested change
| :::caution[Default WARP certificate expiring on February 2, 2025] | |
| :::caution[Default WARP certificate expiring on 2025-02-02] |
maxvp
reviewed
Jan 30, 2025
| @@ -13,6 +13,14 @@ Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/po | |||
|
|
|||
| Gateway [generates a unique root CA](#generate-a-cloudflare-root-certificate) for each Zero Trust account and deploys it across the Cloudflare global network. Alternatively, Enterprise users can upload and deploy their own [custom certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/). | |||
|
|
|||
| :::caution[Default WARP certificate expiring on February 2, 2025] | |||
|
|
|||
| Your Cloudflare default certificate will expire on February 2, 2025. | |||
There was a problem hiding this comment.
Suggested change
| Your Cloudflare default certificate will expire on February 2, 2025. | |
| The default Cloudflare certificate will expire on 2025-02-02. |
maxvp
reviewed
Jan 30, 2025
| In both scenarios (before and after WARP client version 2024.12.554.0), certificate propagation will only occur when the WARP client is responsible for automatically installing the certificate on the client device. To enable the WARP client to propogate certificates: | ||
|
|
||
| 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**. | ||
| 2. Toggle **Install CA to system certificate store** on. |
There was a problem hiding this comment.
Suggested change
| 2. Toggle **Install CA to system certificate store** on. | |
| 2. Turn on **Install CA to system certificate store**. |
maxvp
reviewed
Jan 30, 2025
| 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**. | ||
| 2. Toggle **Install CA to system certificate store** on. | ||
|
|
||
| If **Install CA to system certificate store** is toggled off, you are either [manually installing the certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/), using a [MDM solution](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/#mobile-device-management-mdm-software) to distribute the Cloudflare certificate to your fleet of devices, or not using the Cloudflare certificate because you do not want to have TLS decryption enabled. [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) must be enabled to enforce Gateway HTTP and network policies. |
There was a problem hiding this comment.
Suggested change
| If **Install CA to system certificate store** is toggled off, you are either [manually installing the certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/), using a [MDM solution](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/#mobile-device-management-mdm-software) to distribute the Cloudflare certificate to your fleet of devices, or not using the Cloudflare certificate because you do not want to have TLS decryption enabled. [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) must be enabled to enforce Gateway HTTP and network policies. | |
| If **Install CA to system certificate store** is toggled off, you must [manually install the certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/), use an [MDM solution](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/#mobile-device-management-mdm-software) to distribute the Cloudflare certificate to your fleet of devices, or not use the Cloudflare certificate because you do not want to have TLS decryption enabled. [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) must be enabled to enforce Gateway HTTP policies for HTTPS traffic. |
TLS decryption isn't required for HTTP policies for HTTP traffic (as opposed to HTTPS) or network policies.
maxvp
reviewed
Jan 30, 2025
|
|
||
| To update your certificate: | ||
|
|
||
| 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources** > select **Manage** next to **Cloudflare certificates**. |
There was a problem hiding this comment.
Suggested change
| 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources** > select **Manage** next to **Cloudflare certificates**. | |
| 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**, then select **Manage** next to **Cloudflare certificates**. |
maxvp
reviewed
Jan 30, 2025
|
|
||
| 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources** > select **Manage** next to **Cloudflare certificates**. | ||
| 2. Select **Generate certificate**. | ||
| 3. Select the expiration date for this new certificate (5 years is the default, but this can be adjusted) and select **Generate certificate**. |
There was a problem hiding this comment.
Suggested change
| 3. Select the expiration date for this new certificate (5 years is the default, but this can be adjusted) and select **Generate certificate**. | |
| 3. Select the expiration date for this new certificate (five years is the default, but this can be adjusted) and select **Generate certificate**. |
maxvp
reviewed
Jan 30, 2025
| 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources** > select **Manage** next to **Cloudflare certificates**. | ||
| 2. Select **Generate certificate**. | ||
| 3. Select the expiration date for this new certificate (5 years is the default, but this can be adjusted) and select **Generate certificate**. | ||
| 4. The new certificate will be marked **Inactive** at first. Select the **three dots** to the right of the certificate > select **Activate** to activate the certificate. |
There was a problem hiding this comment.
Suggested change
| 4. The new certificate will be marked **Inactive** at first. Select the **three dots** to the right of the certificate > select **Activate** to activate the certificate. | |
| 4. The new certificate will be marked **Inactive** at first. Select the **three dots** to the right of the certificate, then select **Activate** to activate the certificate. |
maxvp
reviewed
Jan 30, 2025
Comment on lines
+20
to
+21
| Review how this change will impact certificate propagation to your end-user devices and how to address browser issues in [Troubleshooting](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate). | ||
|
|
There was a problem hiding this comment.
Suggested change
| Review how this change will impact certificate propagation to your end-user devices and how to address browser issues in [Troubleshooting](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate). | |
| Review how this change will impact certificate propagation to your end-user devices and how to address browser issues in [Troubleshooting](/cloudflare-one/faq/troubleshooting/#as-of-february-2-2025-my-end-user-devices-browser-is-returning-a-your-connection-is-not-private-warning). |
maxvp
reviewed
Jan 30, 2025
|
|
||
| 1. Open the WARP GUI on your device. | ||
| 2. Select the gear icon on the top right > **Preferences**. | ||
| 3. Select **Connection** > select **Reset Encryption Keys**. |
There was a problem hiding this comment.
Suggested change
| 3. Select **Connection** > select **Reset Encryption Keys**. | |
| 3. Select **Connection**, then select **Reset Encryption Keys**. |
maxvp
reviewed
Jan 30, 2025
|
|
||
| After confirming that the certificate is installed and trusted on the end-user device, mark the certificate as **In-Use**. To mark the certificate as **In-Use**: | ||
|
|
||
| 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources** > select **Manage** next to **Cloudflare certificates**. |
There was a problem hiding this comment.
Suggested change
| 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources** > select **Manage** next to **Cloudflare certificates**. | |
| 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**, then select **Manage** next to **Cloudflare certificates**. |
maxvp
reviewed
Jan 30, 2025
|
|
||
| 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources** > select **Manage** next to **Cloudflare certificates**. | ||
| 2. Select a certificate. | ||
| 3. In the detailed menu, under **Basic Information** select **Confirm and turn on certificate**. |
There was a problem hiding this comment.
Suggested change
| 3. In the detailed menu, under **Basic Information** select **Confirm and turn on certificate**. | |
| 3. In the detailed menu under **Basic Information**, select **Confirm and turn on certificate**. |
maxvp
reviewed
Jan 30, 2025
| 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources** > select **Manage** next to **Cloudflare certificates**. | ||
| 2. Select a certificate. | ||
| 3. In the detailed menu, under **Basic Information** select **Confirm and turn on certificate**. | ||
| 4. Once turned on, the new certificate will now show as **IN-USE** within the dashboard. **IN-USE** indicates that the certificate is being used for TLS Decryption. |
There was a problem hiding this comment.
Suggested change
| 4. Once turned on, the new certificate will now show as **IN-USE** within the dashboard. **IN-USE** indicates that the certificate is being used for TLS Decryption. | |
| 4. Once turned on, the new certificate will now show as **In-Use** within the dashboard. **In-Use** indicates that the certificate is being used for inspection. |
maxvp
reviewed
Jan 30, 2025
| It is recommended to have end users disconnect and reconnect WARP to expedite this change being reflected on their local machine. To verify the new certificate is being used correctly: | ||
|
|
||
| 1. Connect to WARP. | ||
| 2. Visit a site that is included within your WARP tunnel. |
There was a problem hiding this comment.
This isn't necessary -- you only have to visit any HTTPS site.
maxvp
reviewed
Jan 30, 2025
|
|
||
| The new certificate will be valid until the configured expiration date. | ||
|
|
||
| ### The new certificate not activating on the end-user device or I am getting a `Certificate is missing` warning even though the certificate is marked **IN-USE**. |
There was a problem hiding this comment.
Suggested change
| ### The new certificate not activating on the end-user device or I am getting a `Certificate is missing` warning even though the certificate is marked **IN-USE**. | |
| ### The new certificate not activating on the end-user device or I am getting a `Certificate is missing` warning even though the certificate is marked **In-Use**. |
maxvp
reviewed
Jan 30, 2025
Comment on lines
+247
to
+249
| ```cmd | ||
| $ warp-cli tunnel rotate-keys | ||
| ``` |
There was a problem hiding this comment.
Suggested change
| ```cmd | |
| $ warp-cli tunnel rotate-keys | |
| ``` | |
| ```sh | |
| warp-cli tunnel rotate-keys |
maxvp
reviewed
Jan 30, 2025
|
|
||
| 2. [Upgrade](<(/cloudflare-one/connections/connect-devices/warp/download-warp/update-warp/#how-to-update-warp)>) to WARP version 2024.12.554.0. | ||
|
|
||
| Some customers who are on versions earlier than 2024.11.309.0 have experienced inconsistencies with certificate installation and may need to upgrade. |
There was a problem hiding this comment.
Suggested change
| Some customers who are on versions earlier than 2024.11.309.0 have experienced inconsistencies with certificate installation and may need to upgrade. | |
| Some customers who are on versions earlier than 2024.11.309.0 have experienced inconsistencies with certificate installation and may need to upgrade. |
maxvp
reviewed
Jan 30, 2025
|
|
||
| If no measure is working quickly and you are encountering browser warnings that are blocking work, [turning off TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#turn-on-tls-decryption) will prevent HTTP policies from being enforced and will ensure websites resolve until the certificate can be deployed to more user devices. | ||
|
|
||
| Turning off TLS Decryption should be a temporary measure. TLS Decryption should be turned if you need to enforce HTTP policies and log traffic. |
There was a problem hiding this comment.
Suggested change
| Turning off TLS Decryption should be a temporary measure. TLS Decryption should be turned if you need to enforce HTTP policies and log traffic. | |
| Turning off TLS decryption should be a temporary measure. TLS decryption should be turned on if you need to enforce HTTP policies and log traffic for HTTPS traffic. |
maxvp
added
the
closed-but-good
|
Covered by #19615 due to technical difficulties. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
15477
Documentation checklist