fix: Don't try to read certs for remotely-managed tunnels (Closes #1037)

2025-08-27 02:01:06 +08:00 · 2025-08-27 02:01:06 +08:00 · 151df44104
parent f9c2bd51ae
commit 151df44104
1 changed files with 10 additions and 4 deletions
--- a/cmd/cloudflared/tunnel/cmd.go
+++ b/cmd/cloudflared/tunnel/cmd.go
@ -459,12 +459,18 @@ func StartServer(
 		}
 	}

-	userCreds, err := credentials.Read(c.String(cfdflags.OriginCert), log)
 	var isFEDEndpoint bool
-	if err != nil {
-		isFEDEndpoint = false
+	// For remotely-managed tunnels: use endpoint info from token credentials
+	if c.String(TunnelTokenFlag) != "" {
+		isFEDEndpoint = strings.ToLower(namedTunnel.Credentials.Endpoint) == credentials.FedEndpoint
 	} else {
-		isFEDEndpoint = userCreds.IsFEDEndpoint()
+		// For locally-managed tunnels: check origin certificate
+		userCreds, err := credentials.Read(c.String(cfdflags.OriginCert), log)
+		if err != nil {
+			isFEDEndpoint = false
+		} else {
+			isFEDEndpoint = userCreds.IsFEDEndpoint()
+		}
 	}

 	var managementHostname string