From 3e6d8ed2163c80dce382a2a67138f12e3174ec42 Mon Sep 17 00:00:00 2001
From: chungthuang
Date: Tue, 4 Nov 2025 13:46:47 -0600
Subject: [PATCH] TUN-9998: Don't need to read origin cert to determine if the endpoint is fedramp
---
 cmd/cloudflared/tunnel/cmd.go | 18 ++++++------------
 cmd/cloudflared/tunnel/credential_finder.go | 14 ++++++++------
 2 files changed, 14 insertions(+), 18 deletions(-)
diff --git a/cmd/cloudflared/tunnel/cmd.go b/cmd/cloudflared/tunnel/cmd.go
index 925333a4..4bd08dc2 100644
--- a/cmd/cloudflared/tunnel/cmd.go
+++ b/cmd/cloudflared/tunnel/cmd.go
@@ -427,15 +427,16 @@ func StartServer(
 return waitToShutdown(&wg, cancel, errC, graceShutdownC, 0, log)
 }
+ if namedTunnel == nil {
+ return fmt.Errorf("namedTunnel is nil outside of DNS proxy stand-alone mode")
+ }
+
 logTransport := logger.CreateTransportLoggerFromContext(c, logger.EnableTerminalLog)
 observer := connection.NewObserver(log, logTransport)
 // Send Quick Tunnel URL to UI if applicable
- var quickTunnelURL string
- if namedTunnel != nil {
- quickTunnelURL = namedTunnel.QuickTunnelUrl
- }
+ quickTunnelURL := namedTunnel.QuickTunnelUrl
 if quickTunnelURL != "" {
 observer.SendURL(quickTunnelURL)
 }
@@ -459,14 +460,7 @@ func StartServer(
 }
 }
- userCreds, err := credentials.Read(c.String(cfdflags.OriginCert), log)
- var isFEDEndpoint bool
- if err != nil {
- isFEDEndpoint = false
- } else {
- isFEDEndpoint = userCreds.IsFEDEndpoint()
- }
-
+ isFEDEndpoint := namedTunnel.Credentials.Endpoint == credentials.FedEndpoint
 var managementHostname string
 if isFEDEndpoint {
 managementHostname = credentials.FedRampHostname
diff --git a/cmd/cloudflared/tunnel/credential_finder.go b/cmd/cloudflared/tunnel/credential_finder.go
index c50ff457..1d7129a8 100644
--- a/cmd/cloudflared/tunnel/credential_finder.go
+++ b/cmd/cloudflared/tunnel/credential_finder.go
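Review bot: The added `if namedTunnel == nil` branch in the first cmd.go hunk returns its error directly, while the stand-alone DNS proxy exit just above it leaves through `waitToShutdown(&wg, cancel, ...)`. If goroutines were already registered on `wg` earlier in StartServer (that part is outside the hunk), confirm this path still cancels them, for example through a deferred `cancel()`. The message also names an internal variable; wording such as `fmt.Errorf("no tunnel properties available outside of DNS proxy stand-alone mode")` would tell an operator more.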
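Review bot: The FedRAMP decision at `isFEDEndpoint := namedTunnel.Credentials.Endpoint == credentials.FedEndpoint` in the second cmd.go hunk is an exact, case-sensitive string match on a field whose population is not visible here. If `Endpoint` is empty or spelled differently for some credential source, the code silently selects the non-FedRAMP management hostname, which for a FedRAMP tunnel would point management traffic at the wrong environment. I would add a comment above the line saying where `Endpoint` is set and that an empty value means non-FedRAMP, and use `strings.EqualFold(namedTunnel.Credentials.Endpoint, credentials.FedEndpoint)` if the removed `IsFEDEndpoint()` helper compared case-insensitively. StartServer's body starts and ends outside the hunk.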
@@ -63,12 +63,14 @@ func (s searchByID) Path() (string, error) {
 Str("originCertPath", originCertPath).
 Logger()
- // Fallback to look for tunnel credentials in the origin cert directory
- if originCertPath, err := credentials.FindOriginCert(originCertPath, &originCertLog); err == nil {
- originCertDir := filepath.Dir(originCertPath)
- if filePath, err := tunnelFilePath(s.id, originCertDir); err == nil {
- if s.fs.validFilePath(filePath) {
- return filePath, nil
+ if originCertPath != "" {
+ // Look for tunnel credentials in the origin cert directory if the flag is provided
+ if originCertPath, err := credentials.FindOriginCert(originCertPath, &originCertLog); err == nil {
+ originCertDir := filepath.Dir(originCertPath)
+ if filePath, err := tunnelFilePath(s.id, originCertDir); err == nil {
+ if s.fs.validFilePath(filePath) {
+ return filePath, nil
+ }
 }
 }
 }
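Review bot: Inside the new `if originCertPath != "" {` branch the errors from `credentials.FindOriginCert` and `tunnelFilePath` are still discarded, so an explicitly supplied but wrong origin cert path falls through to whatever follows the hunk with no hint that this directory was skipped. Since the lookup now runs only when a path was given, a debug line on the failure path would help, e.g. `originCertLog.Debug().Err(err).Msg("origin cert not usable for tunnel credentials lookup")`, assuming `originCertLog` is the zerolog logger built just above. The inner `originCertPath, err :=` also shadows the outer `originCertPath`; a distinct name such as `certPath` would keep the guard and the lookup apart. Path() begins before and continues after this hunk.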