Troubleshooting
I tried to register the WARP client with my Zero Trust domain but received the following error messages: Authentication Expired and Registration error. Please try again later.
When a user logs into an organization, WARP will open a web page so the user can sign in via Cloudflare Access. Access then generates a JSON Web Token (JWT) that is passed from the web page to the WARP client to authenticate the device. This JWT has a timestamp indicating the exact time it was created, as well as a timestamp indicating it will expire 50 seconds into the future.
This error message means that when the JWT is finally passed to the WARP client, it has already expired. One of two things can be happening:
-
(Most likely): Your computer system clock is not properly synced using Network Time Protocol (NTP). Visit https://time.is ↗ on the affected machine to validate your clock is properly synchronized within 20 seconds of the actual time.
-
You are waiting more than one minute to open Cloudflare WARP from the time Cloudflare Access prompts you. Open the WARP client as soon as you get the prompt.
If you believe a domain has been incorrectly blocked, you can use this form ↗ to get the URL reviewed.
Cloudflare Access requires that the credentials: same-origin parameter be added to JavaScript when using the Fetch API (to include cookies). AJAX requests fail without this parameter present. For more information, refer to our documentation about CORS settings.
Advanced security features including HTTPS traffic inspection require users to install and trust the Cloudflare root certificate on their machine or device. If you are installing certificates manually on all of your devices, these steps will need to be performed on each new device that is to be subject to HTTP Filtering. To install the Cloudflare root certificate, follow this guide.
Gateway presents an HTTP Response Code: 526 error page in the following cases:
-
An untrusted certificate is presented from the origin to Gateway. Gateway will consider a certificate is untrusted if any of these conditions are true:
- The server certificate issuer is unknown or is not trusted by the service.
- The server certificate is revoked and fails a CRL check.
- There is at least one expired certificate in the certificate chain for the server certificate.
- The common name on the certificate does not match the URL you are trying to reach.
- The common name on the certificate contains invalid characters (such as underscores). Gateway uses BoringSSL ↗ to validate certificates. Chrome's validation logic ↗ allows non-RFC 1305 compliant certificates, which is why the website may load when you turn off WARP.
-
The connection from Gateway to the origin is insecure. Gateway does not trust origins which:
- Only offer insecure cipher suites (such as RC4, RC4-MD5, or 3DES). You can use the SSL Server Test tool ↗ to check which ciphers are supported by the origin.
- Do not support FIPS-compliant ciphers (if you have enabled FIPS compliance mode). In order to load the page, you can either disable FIPS mode or create a Do Not Inspect policy for this host (which has the effect of disabling FIPS compliance for this origin).
- Redirect all HTTPS requests to HTTP.
If none of the above scenarios apply, contact Cloudflare support with the following information:
- Operating System (Windows 10, macOS 10.x, iOS 14.x)
- Web browser (Chrome, Firefox, Safari, Edge)
- URL of the request
- Screenshot or copy/paste of the content from the error page
For more troubleshooting information, refer to Support.
You may not see analytics on the Overview page for the following reasons:
- You are not sending DNS queries to Gateway. Verify that the destination IP addresses you are sending DNS queries to are correct. You can check the destination IP addresses for your DNS location by going to Gateway > DNS locations and then expanding the location.
- You are using other DNS resolvers. If you have other DNS resolvers in your DNS settings, your device could be using IP addresses for resolvers that are not part of Gateway. Make sure to remove all other IP addresses from your DNS settings and only include Gateway's DNS resolver IP addresses.
- The source IPv4 address for your DNS location is incorrect. If you are using IPv4, check the source IPv4 address that you entered for the DNS location matches with the network's source IPv4 address.
- Analytics is not available yet. It takes some time to generate the analytics for Cloudflare Gateway. If you are not seeing anything even after 5 minutes, file a support ticket.
If you encounter this error, file feedback via the WARP client and we will investigate.
This can occur if your device is attempting to establish a connection to more than two remote browser instances. A browser isolation session is a connection from your local browser to a remote browser. Tabs and windows within the same browser share a single remote browser session. In practice, this generally means that you can open both Chrome and Firefox to use browser isolation concurrently, but attempting to open a third browser such as Opera will cause this alert to appear. To release a browser session, close all tabs/windows in your local browser. The remote browser session will be automatically terminated within 15 minutes.
I see SAML Verify: Invalid SAML response, SAML Verify: No certificate selected to verify when testing a SAML identity provider.
This error occurs when the identity provider has not included the signing public key in the SAML response. While not required by the SAML 2.0 specification, Cloudflare Access always checks that the public key provided matches the Signing certificate uploaded to Zero Trust. For the integration to work, you will need to configure your identity provider to add the public key.
I see Error 0: Bad Request. Please create a ca for application. when attempting to connect to SSH with a short-lived certificate.
This error will appear if a certificate has not been generated for the Access application users are attempting to connect to. For more information on how to generate a certificate for the application on the Access Service Auth SSH page, refer to these instructions.
Mobile applications warn of an invalid certificate, even though I installed a Cloudflare certificate on my system.
These mobile applications may use certificate pinning Cloudflare Gateway dynamically generates a certificate for all encrypted connections in order to inspect the content of HTTP traffic. This certificate will not match the expected certificate by applications that use certificate pinning. To allow these applications to function normally, administrators can configure bypass rules to exempt traffic to hosts associated with the application from being intercepted and inspected.
If you see this warning, you may have to disable DNS over HTTPS setting in Firefox. If you need help doing that, see these instructions ↗.
Advanced security features including HTTPS traffic inspection require you to deploy a root certificate on the device. If Install CA to system certificate store is enabled, the WARP client will automatically install a new root certificate whenever you install or update WARP.
Certain web browsers (such as Chrome and Microsoft Edge) load and cache root certificates when they start. Therefore, if you install a root certificate while the browser is already running, the browser may not detect the new certificate. To resolve the error, restart the browser.
This error appears if you try to change your team domain while the Cloudflare dashboard SSO feature is enabled on your account. Cloudflare dashboard SSO does not currently support team domain changes. Contact your account team for more details.
This error means that the systemd-resolved service on Linux is not allowing WARP to resolve DNS requests.
To solve the issue:
- Add the following line to
/etc/systemd/resolved.conf:
ResolveUnicastSingleLabel=yes-
Make sure that no other DNS servers are configured in
/etc/systemd/resolved.conf. For example, if the file containsDNS=X.Y.Z.Q, comment out the line. -
Restart the service:
sudo systemctl restart systemd-resolved.serviceNCSI ↗ is a Windows feature for determining network quality and connectivity. When WARP is enabled, NCSI checks can sometimes fail and cause a cosmetic UI error where the user believes they have no Internet even though the device still has full connectivity. Some apps (Outlook, JumpCloud) may refuse to connect because Windows is reporting there is no Internet connectivity.
To resolve the issue, you will need to edit two Windows registry keys:
-
Configure NCSI to detect WARP's local DNS proxy.
HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\Windows\NetworkConnectivityStatusIndicatorType: DWORDValue: UseGlobalDNSData: 1 -
Configure NCSI to use active probing mode, as WARP may be obscuring the number of hops expected by the passive probe ↗.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\InternetType: DWORDValue: EnableActiveProbingData: 1
If you continue to have issues with Microsoft 365 applications, consider enabling Directly route Microsoft 365 traffic.
Cloudflare Browser Isolation leverages Network Vector Rendering (NVR) technology. This allows us to deliver a secure, performant remote computing experience without the bandwidth limitations of traditional solutions. While we expect most websites to work perfectly, some browser features and web technologies such as WebGL (Web Graphics Library) are unsupported.
WebGL is a JavaScript API for rendering high-performance interactive 2D and 3D graphics within any compatible web browser without the use of plug-ins. Support for WebGL is present in all modern browsers. However, the user's device must also have access to the underlying hardware ↗ that supports these features.
When running remote browser isolation in a virtualized environment, the user's device may not have access to the required system resources. To resolve the error, you can configure your browser to render vector graphics entirely through software, without using the hardware acceleration provided by a GPU.
To enable software rasterization:
- Go to
chrome://flags/#override-software-rendering-list. - Set Override software rendering list to Enabled.
- Select Relaunch to apply the change.
By default, the WARP client blocks outgoing SMTP traffic on port 25 to prevent users from abusing our service to send spam. Modern email service providers use port 587 or 465 to encrypt emails over a TLS/SSL connection. For more information, refer to What SMTP port should be used? ↗.
If you need to unblock port 25, contact your account team.
This issue can occur when communicating with an origin that partially supports HTTP/2. In these scenarios, the connection from Gateway to the website starts using HTTP/2 but requests a downgrade to HTTP/1.1 for some requests. For example, servers such as Microsoft Internet Information Services (IIS) ↗ do not support authentication over HTTP/2. When errors occur, the website may send back a RST_STREAM frame with the error code HTTP_1_1_REQUIRED, which indicates that the browser should retry the request over HTTP/1.1. Gateway translates any received upstream RST_STREAM frames to a pseudo socket close, so this appears as a 502 Bad Gateway exception page. The browser will not indicate why it failed.
Gateway does not support this downgrade mechanism. When receiving the HTTP_1_1_REQUIRED error code, Gateway will not reissue requests over HTTP/1.1. To make the connection from Gateway to the website successfully, you will need to disable HTTP/2 at the origin.
If you see an error with the title This site can't provide a secure connection and a subtitle of <hostname> uses an unsupported protocol, you must order an Advanced Certificate.
If you added a multi-level subdomain (more than one level of subdomain), you must order an Advanced Certificate for the hostname as Cloudflare's Universal certificate will not cover the public hostname by default.
As of February 2, 2025, my end-user device's browser is returning a Your connection is not private warning.
The default global Cloudflare root certificate expired on 2025-02-02 at 16:05 UTC. If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. If you did not generate a new certificate before February 2, 2025, you will encounter browser warnings like Your connection is not private.
Starting with WARP client version 2024.12.554.0 and later, the WARP client will automatically install Cloudflare certificates in an end-user device's certificate store as soon as the Cloudflare certificates appear as Available in the Cloudflare dashboard.
For WARP client versions prior to 2024.12.554.0, certificates had to be marked as In-Use in the Cloudflare dashboard before the WARP client could push the Cloudflare certificates to an end-user device's certificate store.
Before deploying a new certificate, update WARP to version 2024.12.554.0 or newer.
For WARP client versions before and after 2024.12.554.0, certificate propagation will only occur when the WARP client is responsible for automatically installing the certificate on the client device. To enable the WARP client to propogate certificates:
- In Zero Trust ↗, go to Settings > WARP Client.
- Turn on Install CA to system certificate store.
If Install CA to system certificate store is turned off, you must manually install the certificate, use an MDM solution to distribute the Cloudflare certificate to your fleet of devices, or not use the Cloudflare certificate because you do not want to have TLS decryption enabled. TLS decryption must be enabled to enforce Gateway HTTP policies for HTTPS traffic.
After enabling certificate propagation, you must update your certificate:
- In Zero Trust ↗, go to Settings > Resources, then select Manage next to Cloudflare certificates.
- Select Generate certificate.
- Select the expiration date for this new certificate (five years is the default, but this can be adjusted) and select Generate certificate.
- The new certificate will be marked Inactive at first. Select the three dots to the right of the certificate, then select Activate to activate the certificate.
For WARP versions on or above 2024.12.554.0, selecting Activate will download the new certificate to end-user devices.
Certificate propagation to end-user devices can take up to 24 hours, but can be expedited by resetting the encryption keys.
To reset the encryption keys:
- Open the WARP GUI on your device.
- Select the gear icon on the top right > Preferences.
- Select Connection, then select Reset Encryption Keys.
macOS Big Sur and newer releases do not allow WARP to automatically trust the certificate. You must either manually trust the certificate as the user or use a MDM to trust the certificate.
After confirming that the certificate is installed and trusted on the end-user device, mark the certificate as In-Use. To mark the certificate as In-Use:
- In Zero Trust ↗, go to Settings > Resources, then select Manage next to Cloudflare certificates.
- Select a certificate.
- In the detailed menu under Basic Information, select Confirm and turn on certificate.
- Once turned on, the new certificate will now show as In-Use in Zero Trust. In-Use indicates that the certificate is being used for inspection.
It is recommended to have end users disconnect and reconnect WARP to expedite this change being reflected on their local machine. To verify the new certificate is being used correctly:
- Connect to WARP.
- Visit an HTTPS site.
- Verify that no certificate error is enountered.
Additionally, you can check the certificate used within your browser by viewing the certificate (steps vary by browser, but you can generally do this check by selecting the lock icon next to the URL) and verifying the Organizational Unit (OU) does not reference ECC Certificate Authority.
The new certificate will be valid until the configured expiration date.
If the new certificate is not activating on the end-user device or you are getting a Certificate is missing warning even though the certificate is marked In-Use. Refer to the following troubleshooting options:
-
Rotate the keys used by WARP to force activate the new certificate by running:
Terminal window warp-cli tunnel rotate-keys -
Upgrade to WARP version 2024.12.554.0.
Some customers who are on versions earlier than 2024.11.309.0 have experienced inconsistencies with certificate installation and may need to upgrade.
-
Turn off TLS Decryption.
If no measure is working quickly and you are encountering browser warnings that are blocking work, turning off TLS decryption will prevent HTTP policies from being enforced and will ensure websites resolve until the certificate can be deployed to more user devices.
Turning off TLS decryption should be a temporary measure. TLS decryption should be turned on if you need to enforce HTTP policies and log traffic for HTTPS traffic.
If you deleted the OAuth client (or the OAuth client expired) in Google, you will receive a Error 401: deleted_client authorization error.
To fix this issue, complete steps 6 through 12 in the Google guide and steps 9 through 15 in the Google Workspace guide.