
Cloudflare Tunnel - Troubleshooting - Cannot determine default origin certificate path

Problem

I installed a Cloudflare Tunnel on my Kubernetes cluster using the Helm Chart and I used the token given by the Cloudflare Zero Trust tunnel creation. When the tunnel starts up, it crashes with the following error:

2025-06-09T05:39:13Z ERR Cannot determine default origin certificate path. No file cert.pem in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared]. You need to specify the origin certificate path by specifying the origincert option in the configuration file, or set TUNNEL_ORIGIN_CERT environment variable originCertPath=

error parsing tunnel ID: Error locating origin cert: client didn't specify origincert path

Analysis

Online, I mostly found discussions related to the above error about deployment on R-pi or other OSes, but nothing on Kubernetes. I started to compare the tunnel configuration I was given with the one running on my cluster, and although both are JSON-based, the JSON keys are different.

Working tunnel credentials.json

{
	"AccountTag":"28c078c03010432b80f620262227980f",
	"TunnelID":"3a1de3a1-607f-4c69-8a27-33571c642a75",
	"TunnelSecret":"<redacted>"
}

Failing tunnel credentials.json

{
    "a": "28c078c03010432b80f620262227980f",
    "t": "3a1de3a1-607f-4c69-8a27-33571c642a75",
    "s": "<redacted>"
}

Solution

  • Go to the tunnel configuration from the list of tunnels located here
  • Copy the token.
  • Decode the token; it should be in the format {"a":string,"t":string,"s":string}
  • Substitute a with AccountTag
  • Substitute t with TunnelID
  • Substitute s with TunnelSecret
  • Write the credentials into the secret, base64-encoded as usual for a k8s Secret:
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-tunnel
type: Opaque
data:
  credentials.json: <json encoded as base64>
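
The steps above as one script, added here as an example and not part of the original note: it reads the token on stdin, renames the keys, and prints the Secret manifest. The function names are hypothetical, and it assumes the token is base64-encoded JSON containing the keys a, t and s.

```python
import base64
import binascii
import json
import sys

# Short token keys mapped to the key names used in the working credentials.json.
KEY_MAP = {"a": "AccountTag", "t": "TunnelID", "s": "TunnelSecret"}


def token_to_credentials(token: str) -> dict:
    """Decode a tunnel token and rename its keys to the credentials.json form."""
    token = token.strip()
    # Tolerate a token whose base64 padding was lost in copy/paste.
    padded = token + "=" * (-len(token) % 4)
    try:
        fields = json.loads(base64.b64decode(padded, validate=True))
    except (binascii.Error, ValueError) as exc:
        # Never echo the token in the error: it contains the tunnel secret.
        raise ValueError("token is not base64-encoded JSON") from exc
    if not isinstance(fields, dict) or set(KEY_MAP) - set(fields):
        raise ValueError("token JSON must contain the keys a, t and s")
    if not all(isinstance(fields[k], str) and fields[k] for k in KEY_MAP):
        raise ValueError("token values must be non-empty strings")
    return {KEY_MAP[k]: fields[k] for k in KEY_MAP}


def secret_manifest(token: str, name: str = "cloudflare-tunnel") -> str:
    """Render the Secret manifest with credentials.json base64-encoded."""
    creds = json.dumps(token_to_credentials(token)).encode()
    encoded = base64.b64encode(creds).decode()
    return (
        "apiVersion: v1\nkind: Secret\nmetadata:\n"
        f"  name: {name}\ntype: Opaque\ndata:\n"
        f"  credentials.json: {encoded}\n"
    )


if __name__ == "__main__":
    # Read the token from stdin so it stays out of shell history and `ps` output.
    try:
        sys.stdout.write(secret_manifest(sys.stdin.read()))
    except ValueError as err:
        sys.exit(f"error: {err}")
```

Saved under a hypothetical name such as token_to_secret.py, the output can be piped straight into `kubectl apply -f -` so the decoded secret never lands in a file on disk.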