Bug: Origin certificate fqdns with trailing space

We just spent a good few hours troubleshooting this and 526 error code on full end-to-end strict mode. It seems the Cloudflare UI allows you to create an origin certificate with hostnames with a trailing space (ouch - these obviously don’t match then when in strict mode).

so my domain is acme.com,
I can create www.acme.com, acme.com , suxb.acme.com, sub1.acme.com, sub2.acme.com

^ Spotted the issue? Look harder. It took us hours to find.

Possible security implications with this maybe too.

Yes, not only trailing it seems, also leading.

While I wouldn’t immediately establish “security implications” and would not completely ignore the user’s responsibility either, I do agree that it would be nice if the UI could do some basic input sanitisation and trim the entered strings.

That being said, that really is a case for a support ticket. The community can’t do anything here other than just confirm. I went ahead and opened a ticket and Cloudflare will need to fix this either in that thing called JavaScript :slight_smile: or in their server-side validation. I am pretty sure Cloudflare API v4 Documentation has the same issue. Will keep you updated.

On the plus side, :+1:t2: for using proper security and not keeping your site insecure as half of Cloudflare’s sites :wink:


The issue is now with engineering. I’d assume they will roll out a fix in the coming weeks, but that depends on their mood :wink:

That’s good to hear.

There’s a lot of UX/UI issues (plenty on the breakout of Access/Teams) on Cloudflare that I’d like to point out but I just don’t have the energy to deal with the support process - it’s obviously much different for MVPs, it’s a long tennis game before they even consider an escalation. I actually did contact support on the above but I was immediately autocanned into you dumb bugger it’s a 526 because - list of reasons which are your fault entirely…

Compare this with, say, how JetBrains (large company too, with thousands of requests a day) manages bug reporting: it is night and day different…

Oh, just another one: on the lists in configurations (the ones that can be used across all zones), when pasting an IP with a trailing space it isn’t stripped/auto-trimmed - just an invalid IP message. Quite tricky to find, not as serious as the above as it seems there is some level of validation there, but it could be good to get a checklist of UI/UX behavior and get some consistency across Cloudflare.

Code: undefined :thumb:

Happy to keep pointing out bugs here unless it’s decided rather not - I’d respect that choice, or another method that is not the dreaded support process; these issues are not account specific after all.


That’s why I opened the ticket from my account but, believe me, MVP does not necessarily mean you get a useful response either :slight_smile:.

But at least in this case it should be with engineering already and whenever they fix it, they will fix it :slight_smile:.

I’d open separate threads in the #feedback section, but I wouldn’t necessarily count on all of them being addressed.

Will do, I wasn’t aware of the sectioning of this forum, I’ll read up. Thanks for getting this one over the line into engineering.

My pleasure. Whenever I get an update you’ll be the first to find out :slight_smile:.

Just to provide a quick update, nudged support today and it’s still with engineering and there’s no ETA yet and they will get back whenever there’s an update.

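The trim-and-validate step discussed in this thread, as an added example that is not part of any post and is not Cloudflare's code: it audits hostname entries before they go into a certificate request and reports which ones only work after trimming. The function names and the sample entries are constructed for illustration, and it goes slightly beyond the thread by also catching invisible characters that `trim()` does not remove.

```javascript
// Added example, not Cloudflare code. Function names and sample entries are constructed.
// One DNS label: letters, digits, hyphens; 1-63 chars; no hyphen at either end.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;

// Render spaces and anything outside printable ASCII as \uXXXX so it shows in a report.
function visible(s) {
  return s.replace(/[^\x21-\x7e]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function checkHostname(raw) {
  const trimmed = raw.trim();
  // A single leading "*." wildcard is accepted; the rest must be plain labels.
  const name = trimmed.startsWith('*.') ? trimmed.slice(2) : trimmed;
  const labels = name.split('.');
  const valid = name.length <= 253 && labels.length >= 2 &&
    labels.every((l) => LABEL.test(l));
  return { raw, normalized: trimmed.toLowerCase(), padded: trimmed !== raw, valid };
}

// Sort entries into: usable as typed, usable only after trimming, and unusable.
function auditHostnames(entries) {
  const report = { clean: [], trimmed: [], rejected: [] };
  for (const entry of entries) {
    const r = checkHostname(entry);
    if (!r.valid) report.rejected.push(visible(r.raw));
    else if (r.padded) report.trimmed.push({ from: visible(r.raw), to: r.normalized });
    else report.clean.push(r.normalized);
  }
  return report;
}

// Constructed sample: trailing space, leading space, zero-width space, inner space.
const SAMPLE = ['www.acme.com', 'acme.com ', ' sub1.acme.com', '*.acme.com',
  'sub2.acme.com\u200b', 'bad host.acme.com'];

console.log(JSON.stringify(auditHostnames(SAMPLE), null, 2));
```

The same check belongs on the server side as well, since a request sent straight to an API never passes through client-side JavaScript.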