When we originally launched a new site (Partner DNS setup), the Universal SSL cert was issued for only the www subdomain. Now, we have the root domain pointing to Cloudflare, but the Universal SSL cert there does not cover it. How do I get Cloudflare to issue the cert for the root domain?
Cloudflare Universal SSL certificates always come with two entries:
Yours should have both. If you post the domain name, we can check for sure.
Wow! It most certainly only has the www subdomain. I’ve not seen that before.
I would suggest that you make sure you have a root domain in your DNS list here, such as an “A” Records for hpylaw.com
Then go to the Crytpo settings page and scroll to the bottom and click Disable Universal SSL. Then wait ten minutes, then click it again to Enable Universal SSL.
This will hopefully delete the certificate, then re-issue it correctly.
When you the root a request will be made to issue a cert for it.
What’s weird is that I am simultaneously carrying on a conversation in a support ticket about this. The person is saying that with Partial CNAME setup, the expected behavior is that the apex certificate should not get issued. However, that is not what I have experienced. I’ve launched over 30 sites with partial CNAME setup and a lot of them have apex or even wildcard Universal SSL certs.
Can you explain what that icon means? Is it something that is possible with CNAME setup?
The is “orange cloud” which is the status for proxied host though Cloudflare. In a CNAME setup you’ll also need to point your root to the same IP addresses your www resolves to on our edge (unless your current DNS host supports CNAME flattening or ANAME records for the root). If it is already on the DNS tab then toggle to and back after you change the IPs for the root in your authoritative DNS. Cert should issue in short order.
I don’t see those icons on the DNS tab. I am running a Partner account.
Oh well that’s fun. I think the same thing would apply. Once you point the Apex to Cloudflare using the partner API/update the DNS on the authoritative nameservers it should kick off the process for issuing a cert for the root.
Would this work if I temporarily pointed the apex via A record to the IP address that the www CNAME record resolves to? Once the cert gets issued, I’d just point the apex to 184.108.40.206
You definitely don’t want to point the apex to 220.127.116.11, but pointing it to what the www resolves to seems reasonable.