
Strange issue with cloudflared tunnel create not detecting cert.pem, but tunnel login does!

Open haneef95 opened this issue 4 years ago • 10 comments

Hi,

I'm facing this strange issue here, whereby when I run tunnel login, it detects the existing cert.pem:

$ docker-compose run d tunnel login
You have an existing certificate at /home/nonroot/.cloudflared/cert.pem which login would overwrite.
If this is intentional, please move or delete that file then run this command again.

However, when I run tunnel create, it cannot find the certificate path:

$ docker-compose run d tunnel create my-tunnel
2021-11-09T13:15:52Z INF Cannot determine default origin certificate path. No file cert.pem in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared] originCertPath=
2021-11-09T13:15:52Z ERR You need to specify the origin certificate path with --origincert option, or set TUNNEL_ORIGIN_CERT environment variable. See https://developers.cloudflare.com/argo-tunnel/reference/arguments/ for more information. originCertPath=
failed to create tunnel: couldn't create client to talk to Cloudflare Tunnel backend: Error locating origin cert: client didn't specify origincert path when running from terminal

Any suggestions for a fix?

Thanks,

haneef95 avatar Nov 09 '21 13:11 haneef95

docker image version: cloudflare/cloudflared:2021.11.0-amd64

haneef95 avatar Nov 09 '21 13:11 haneef95

I'm experiencing the same issue. I think that what's happening is that the cert.pem file is never actually being created. I bet it's some kind of permission issue. I've tried several things and haven't been able to get it to work.

BrodyStone21 avatar Nov 30 '21 22:11 BrodyStone21

You should be able to quickly see if the cert.pem is generated and stored during the login command by checking the ~/.cloudflared directory.

abelinkinbio avatar Nov 30 '21 23:11 abelinkinbio

It's not unfortunately.

BrodyStone21 avatar Dec 01 '21 08:12 BrodyStone21

Does that also mean when you run cloudflared tunnel login this command hangs?

abelinkinbio avatar Dec 01 '21 14:12 abelinkinbio

I managed to fix this actually; it currently works with this docker-compose.yml:

version: "2.4"

services:
    cloudfd:
        image: cloudflare/cloudflared:2021.11.0-amd64
        restart: always
        command: tunnel run
        scale: 2                # Restart is required after config updates, and takes approx 30, during which all the services are down!
                                # hence, restart separately.
                                # Supported natively: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/deploy-cloudflared-replicas
        volumes:
            - ./config:/home/nonroot/.cloudflared
              # Cloudflared doesn't seem to have any unattended data that needs persistence, just admin-side config which are fed to it.
              # Hence, the volume will stay within the git.
              #    - ./_data # nowhere to point this to (yet), the folder on the host is there as a placeholder.

The local folder ./config that is mounted all has permissions set to 1000:1000.

haneef95 avatar Dec 01 '21 16:12 haneef95

As you are a contributor, I'm going to try to include as much information as possible.

Command: docker run --rm --name cloudflared -v ~/.cloudflared:/etc/cloudflared cloudflare/cloudflared:2021.11.0-amd64 tunnel login

Output:

Please open the following URL and log in with your Cloudflare account:

https://dash.cloudflare.com/argotunnel?callback=httpslogin.cloudflareaccess.org #more stuff here but hiding just in case

Leave cloudflared running to download the cert automatically.
You have successfully logged in.
If you wish to copy your credentials to a server, they have been saved to:
/home/nonroot/.cloudflared/cert.pem

If I run ls -a I can see that .cloudflared has been created. However, if I cd .cloudflared/ and then ls -a there are no files.

Command: docker run --rm --name cloudflared -v ~/.cloudflared:/etc/cloudflared cloudflare/cloudflared:2021.11.0-amd64 tunnel create ubuntu

Output:

2021-12-01T16:30:14Z INF Cannot determine default origin certificate path. No file cert.pem in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared] originCertPath=
2021-12-01T16:30:14Z ERR You need to specify the origin certificate path by specifying the origincert option in the configuration file, or set TUNNEL_ORIGIN_CERT environment variable. See https://developers.cloudflare.com/argo-tunnel/reference/service/ for more information. originCertPath=
failed to create tunnel: couldn't create client to talk to Cloudflare Tunnel backend: Error locating origin cert: client didn't specify origincert path

Command:

docker run -d \
  --name cloudflared \
  -v ~/.cloudflared:/etc/cloudflared \
  cloudflare/cloudflared:2021.11.0-amd64 \
  tunnel --no-autoupdate \
  --hostname mywebsite.net \
  --url http://mylocalip:443 create ubuntu

Output:

2021-12-01T16:25:42Z INF Cannot determine default origin certificate path. No file cert.pem in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared] originCertPath=
2021-12-01T16:25:42Z ERR You need to specify the origin certificate path by specifying the origincert option in the configuration file, or set TUNNEL_ORIGIN_CERT environment variable. See https://developers.cloudflare.com/argo-tunnel/reference/service/ for more information. originCertPath=
failed to create tunnel: couldn't create client to talk to Cloudflare Tunnel backend: Error locating origin cert: client didn't specify origincert path

Command (same as above without create ubuntu):

docker run -d \
  --name cloudflared \
  -v ~/.cloudflared:/etc/cloudflared \
  cloudflare/cloudflared:2021.11.0-amd64 \
  tunnel --no-autoupdate \
  --hostname mywebsite.net \
  --url http://mylocalip:443

2021-12-01T16:28:09Z INF Cannot determine default configuration path. No file [config.yml config.yaml] in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared]
2021-12-01T16:28:09Z INF Version 2021.11.0-dev
2021-12-01T16:28:09Z INF GOOS: linux, GOVersion: go1.17.1, GoArch: amd64
2021-12-01T16:28:09Z INF Settings: map[hostname:mywebsite.net no-autoupdate:true url:http://mylocalip:443]
2021-12-01T16:28:09Z INF Cannot determine default origin certificate path. No file cert.pem in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared] originCertPath=
2021-12-01T16:28:09Z ERR You need to specify the origin certificate path by specifying the origincert option in the configuration file, or set TUNNEL_ORIGIN_CERT environment variable. See https://developers.cloudflare.com/argo-tunnel/reference/service/ for more information. originCertPath=
2021-12-01T16:28:09Z ERR Couldn't start tunnel error="Error getting origin cert: client didn't specify origincert path"
Error getting origin cert: client didn't specify origincert path

Things I've tried:

- Removing cloudflared containers, volumes, and images.
- Removing Docker entirely.
- Downgrading Docker version to October 2021 edition.
- Removing folders that were mounted through cloudflared.
- Changing permissions for folders that were mounted through cloudflared.
- Changing cloudflared working directory to a volume.
- Changing cloudflared working directory to a mount on host.
- Running commands with the --privileged flag.
- Running commands with PUID and PGID set to 1000.
- Using a different cloudflared image.

The worst part about all of this is I literally got it up and running yesterday.

OS: Ubuntu LTS 20.04.3 Server
Docker Image: tested both cloudflare/cloudflared:2021.11.0-amd64 and cloudflare/cloudflared:2021.11.0
Docker version: docker-ce-cli=5:20.10.10~3-0~ubuntu-focal docker-ce=5:20.10.10~3-0~ubuntu-focal containerd.io=1.4.12-1 (Originally had docker-ce-cli=5:20.10.11~3-0~ubuntu-focal and docker-ce=5:20.10.11~3-0~ubuntu-focal)

BrodyStone21 avatar Dec 01 '21 16:12 BrodyStone21

@haneef95 is correct. I completely missed his comment, but I found this guide online, which worked perfectly. This is actually what I used yesterday when it worked.

I think this issue can be closed, but I believe the documentation needs to be updated.

Basically, the Docker documentation suggests doing -v ~/.cloudflared:/etc/cloudflared when in reality it should be -v ~/.cloudflared:/home/nonroot/.cloudflared

The Docker docs should also cover the config.yml more.

For those of you who stumble across this issue in the future, here is my Docker CLI command for creating the container. Note that you will have to tunnel login and tunnel create tunnel_name_here before running the tunnel.

Command:

docker run -d \
  --name cloudflared \
  -v ~/.config/cloudflared:/home/nonroot/.cloudflared/ \
  cloudflare/cloudflared:2021.11.0-amd64 \
  tunnel run ubuntu

config.yml

tunnel: tunnel_id_goes_here # the tunnel UUID printed by tunnel create (also the name of the credentials JSON it writes)
credentials-file: /home/nonroot/.cloudflared/credential_file_here.json
ingress:
   - hostname: mywebsite.com # your domain goes here
     service: http://localhost:8080 # service you want to expose
   - service: http_status:404 # catch-all rule: cloudflared answers unmatched requests with a 404 itself instead of proxying them

BrodyStone21 avatar Dec 01 '21 18:12 BrodyStone21
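The thread's two root causes are a wrong mount target (the image's home directory is /home/nonroot, so cert.pem written there never reaches a volume mounted at /etc/cloudflared) and ownership of the mounted folder not matching the container's unprivileged user. The pre-flight check below is an added example, not code from this thread or from the cloudflared project; it assumes the image's nonroot user is uid 1000 (the ownership haneef95 reports working), treats cert.pem as a bearer credential that should be readable by its owner only, and uses hypothetical function names (check_cloudflared_dir, owner_uid, mode_bits):

```shell
#!/bin/sh
# Pre-flight check for the host directory that will be bind-mounted to
# /home/nonroot/.cloudflared inside cloudflare/cloudflared.
# Added example (not from the issue thread or the cloudflared project).
# Assumptions: the container runs as uid 1000; cert.pem is a credential
# and should not be group- or world-readable.

# Print the numeric owner uid of a path (GNU stat, then BSD stat fallback).
owner_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# Print the octal permission bits of a path (GNU stat, then BSD stat fallback).
mode_bits() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# check_cloudflared_dir DIR [UID]
# Returns 0 when DIR is ready to mount: it exists, is owned by UID
# (default 1000) so the container user can write into it, contains
# cert.pem, and cert.pem is owned by UID with mode 600 or stricter.
# Prints one line per finding so the reason for a failure is visible.
check_cloudflared_dir() {
    dir=$1
    want_uid=${2:-1000}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing: $dir is not a directory"
        return 1
    fi
    if [ "$(owner_uid "$dir")" != "$want_uid" ]; then
        echo "owner: $dir is not owned by uid $want_uid; the container user cannot write cert.pem into it"
        rc=1
    fi
    cert="$dir/cert.pem"
    if [ ! -f "$cert" ]; then
        echo "missing: $cert not found; run 'tunnel login' with $dir mounted at /home/nonroot/.cloudflared"
        return 1
    fi
    if [ "$(owner_uid "$cert")" != "$want_uid" ]; then
        echo "owner: $cert is not owned by uid $want_uid"
        rc=1
    fi
    # Anything beyond owner read/write is too open for a credential file.
    case "$(mode_bits "$cert")" in
        600|400) ;;
        *) echo "perms: $cert is mode $(mode_bits "$cert"); expected 600"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "ok: $dir is ready to mount at /home/nonroot/.cloudflared"
    return "$rc"
}

# Usage (run on the host before docker run / docker-compose up):
#   check_cloudflared_dir ~/.cloudflared 1000
```

Run it against the host folder from the -v flag; a non-zero exit with an "owner:" line is the ownership symptom haneef95 fixed with 1000:1000, and a "missing: cert.pem" line after a login that reported success is the symptom of mounting the wrong container path.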

Thank you for this @BrodyStone21, I was getting confused with the paths in the docs.

adamrutt avatar Feb 23 '22 04:02 adamrutt