Bug: Origin certificate fqdns with trailing space

We just spent a good few hours troubleshooting this and 526 error code on full end to end strict mode, it seems the cloudflare UI allows you to create a origin certificate with hostnames with a trailing space (ouch - these obviously dont match then when in strict mode).

so my domain is acme.com,
I can create www.acme.com, acme.com , suxb.acme.com, sub1.acme.com, sub2.acme.com

^ spotted the issue? look harder. it took us hours to find.

possible security implications with this maybe too.

Yes, not only trailing it seems, also leading.

While I wouldn’t immediately establish “security implications” and would not completely ignore the user’s responsibility either, I do agree that it would be nice if the UI could do some basic input sanitisation and trim the entered strings.

That being said that really is a case for a support ticket. The community can’t do anything here than just confirm. I went ahead and opened a ticket and Cloudflare will need to fix this either in that thing called JavaScript :slight_smile: or in their server-side validation. I am pretty sure Cloudflare API v4 Documentation has the same issue. Will keep you updated.

On the plus side, :+1:t2: for using proper security and not keeping your site insecure as half of Cloudflare’s sites :wink:


The issue is now with engineering. I’d assume they will roll out a fix in the coming weeks, but that depends on their mood :wink:

That’s good to hear.

There’s a lot of UX/UI issues (plenty on the breakout of Access/Teams) on Cloudflare that I’d like to point out but I just don’t have the energy to deal with the support process - it’s obviously much different for MVPs, its long tennis game before they even consider an escalation. I actually did contact support on the above but I was immediately autocanned into you dumb bugger it’s a 526 because - list of reasons which are your fault entirely…

Compare this with say how Jetbrains (large company too with thousands of requests a day) manage bug reporting is night and day different…

Oh just another one, one the lists in configurations (the ones can be used across all zones), when pasting an IP with a space trailing it isn’t stripped/autot-trimmed - just an invalid IP message, quite tricky to find, not as serious as the above as seems some level of validation there but could be good to get a checklist of UI/UX behavior and get some consistency across cloudflare.

Code: undefined :thumb:

Happy to keep pointing out bugs here unless it’s decided rather not - Id respect that choice, or another methods that is not the dreaded suppport process, these issues are not account specific after all.


That’s why I opened the ticket from my account but, believe me, MVP does not necessarily mean you get a useful response either :slight_smile:.

But at least in this case it should be with engineering already and whenever they fix it, they will fix it :slight_smile:.

I’d open separate threads in the #feedback section, but I wouldn’t necessarily count on all of them being addressed.

1 Like

Will do, I wasnt aware of the sectioning of this forum, I’ll read up. Thanks for getting this one over the line into engineering.

My pleasure. Whenever I get an update you’ll be the first to find out :slight_smile:.

Just to provide a quick update, nudged support today and it’s still with engineering and there’s no ETA yet and they will get back whenever there’s an update.

1 Like

Update #2, got feedback from support that there is no issue and it is just a UI glitch.

Re-tested it once more and of course the issue still is there :wink: - provided them with a sample certificate.

1 Like

Got more feedback. Went from

Engineering have gotten back to us on this and say this is not a bug - the UI just makes it seem like we accept preceding and succeeding whitespaces.


Our engineering team is aware of this issue however we are unable to give you an ETA on when a fix will be implemented.

In the meantime, we advise you to not create certificate orders with whitespaces in them.

@matt53, I am sorry I do not have a more concrete response but I’ll be closing the ticket now as there’ll be little point in following up for the time being.

Just as reference, and in case you want to pursue the topic in the future, the ticket was 2146647.

Thanks for chasing this.

My pleasure :slight_smile:.