Argo Tunnel with Wildcard Certificate

I am attempting to setup an Argo Tunnel on a windows server. Originally when I attempted to start the tunnel I got an info error about not supporting the CA on windows so I needed to use the “Origin-ca-pool” arguement. I went ahead and exported my windows cert and added it to the origin-ca-pool argument. I then started seeing the following. "You asked for a tunnel to “hostname” but your certificate is only valid for [*]. Does Argo not support wildcard certificates? Would this work if I re-issued the cert with the full hostname as a SAN?

I believe that ‘hostname’ you specified will be the subdomain in your Cloudflare zone. And it has to be Proxied :orange:. Only Enterprise plans can proxy wildcard hostnames.

May I know what’s your full config?

So essentiall what I am trying to do is as follows.
cloudflared.exe tunnel -hostname mysubdomain
Because this is a windows server I recognize that the windows CA store is not supported so I added --origin-ca-pool C:\pathtomypem
I still receive a message that "You asked for a tunnel to “subdomain” but your certificate is only valid for [*].

As a test, I actually setup the windows webserver to accept nonssl connections and changed my command to this.
cloudflared.exe tunnel -hostname mysubdomain
As you can see, I removed the “https” so this should now not require an ssl cert at all yet I still receive the same message about my certificate being for [*] and the tunnel fails to start.

I have done this in the past without an issue so I am not sure why it is not working now.

To be fair, if I don’t specify a hostname at all it starts a “free” tunnel with the Cloudflare randomly generated subdomain without an issue. Is there something in my Cloudflare account that I need to tweak to make this work again?

I guess you forgot to specify --url?

It should be something like:
cloudflared.exe tunnel --hostname mysubdomain --url --origin-ca-pool C:\path\to\pem

So I experimented with that and the previous version of cloudflared did NOT require you to specify “-url” but the new version of the manual does ask for it. I tried it both ways with no difference.

Hey Guys, wanted to post back here in case someone else runs into this. I spoke to support and realized that I was being a bit dense. Apparently I was interpreting “hostname” to refer only to the subdomain portion of the domain name. In this case it is the fqdn. So the hostname value needed to be “”. Which is why it was not matching my wildcard certificate.

This is very silly and was obviously my mistake, that being said, if support reads these, it might be nice to have some examples in the documentation to help others avoid this.


This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.