Can we add CDN SSL Certificate to Cloudflare?

Hello,

Is it possible to add Cloudflare CDN SSL certificate (*.cdn.Cloudflare.net.) to Cloudflare?

We bought a domain a long time ago, let it be example .com. We configured DNS registrar to use our on-premise DNS servers to resolve www.example .com into IP address.

Then we bought Cloudflare paid subscription to make our site more secure. On Cloudflare side we enabled Cloudflare CDN and added C-NAME record to our on-premises DNS servers, so the DNS resolution process for our site looks like:

www.example .com. (C-NAME record) → www.example.com.cdn.Cloudflare .net. (A-record) → Cloudflare IP address.

The user has to resolve www.example .com domain into C-NAME record via our on-premises DNS servers. Then the user has to resolve C-NAME record to A-record via Cloudflare DNS servers.

Recently we have added an external service that sends requests to our site (www.example .com). Unfortunately, the C-NAME record DNS resolution via our on-premises DNS servers might take too long that cause an error on the service side.

Also, we cannot switch from our on-premises DNS servers to Cloudflare due to organization policies.

Is it possible to add an SSL certificate for www.example.com.cdn.Cloudflare. net to Cloudflare to speed up the DNS resolution and make it possible to send requests to www.example.com.cdn.Cloudflare .net instead of www.example .com?

The short answer is no, you cannot get certificates created relating to cdn.cloudflare.net at all, this is just intended to be used for DNS CNAME situations and not for direct requests to URIs under this domain.

To be completely blunt, I’d address whatever is wrong with your DNS server that it cannot respond in a timely fashion as unreliable DNS will cause you all sorts of more serious problems.

Keep in mind that you aren’t going to be able to take DNS out of the equation at all here as you still need a DNS lookup to the www.example.com.cdn.cloudflare.net record. If your main zone (example.com in your example) is hosted internally then the CNAME doesn’t add any latency anyway (a recursive query would know it needs to call out to cloudflare.net and would complete that query before answering your internal query, so there isn’t even an internal round-trip packet). If you don’t host your zone internally you could use something like a BIND response policy zone to “override” the CNAME with the same CNAME (answering it locally rather than calling out to the authoritative DNS) or similar for your DNS resolver of choice as most should have some sort of RPZ-type functionality at this point.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.