Certificate - Origin server different fqdn to DNS

Hiya,
So the origin server holds a valid CA certificate, but mapped to a different domain name than what the Cloudflare DNS uses.
When browsing (strict mode) an error is detected, being that the hostname is invalid.
How can I address this?

thanks


Considering you can use Origin certificates only in a proxied context your browser will never get that certificate in the first place. If it does, you either have not proxied or still experience a propagation issue.

As for the hostname, the common name does not contain a valid hostname but the alternative names do. But again, that’s not of relevance here.


It might not be a Cloudflare origin cert. It could just be a mismatch on the server, but it sounds like the site is not proxied by Cloudflare.

I am already glad someone is using the one and only encryption mode and is actually taking certificates seriously for once.

Considering the OP mentioned Origin certificates, I assume that’s what it will be and if that is configured it’s probably a propagation issue or - second option - a very cloudy, grey cloud.

They only mentioned “origin server”, which, in combination with the invalid hostname message, makes me think it’s not an origin cert, because a browser would have bigger issues with that, and it’s not proxied.


I misread that.

That cannot work. Just like in any validation context you need a proper certificate and if you have a certificate for a different domain, then that won’t be valid. You need to fix that certificate and make sure the certificate matches all hostnames, regardless of whether proxied or not.

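The hostname check the reply above describes, as an added example (not code from this thread or from Cloudflare): it applies the usual rule that a name must be covered by a dNSName entry in the certificate's Subject Alternative Names (the Common Name only counts for legacy certificates without a SAN extension), and includes a small diagnostic helper for fetching what an origin actually serves. The certificate dicts are constructed samples in the format Python's `ssl` `getpeercert()` returns; `fetch_origin_cert` and its parameters are assumed names.

```python
import socket
import ssl

# Constructed sample: a certificate issued for the origin's own name, not the
# public hostname in DNS (the situation described in the question).
ORIGIN_CERT = {
    "subject": ((("commonName", "origin.internal.example"),),),
    "subjectAltName": (("DNS", "origin.internal.example"), ("DNS", "*.internal.example")),
}


def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; a wildcard is allowed only as the whole leftmost label
    and covers exactly one label (so *.example.com does not cover a.b.example.com)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for hostname. SAN dNSName entries decide;
    the CN is consulted only when the certificate carries no SAN at all."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_name_matches(san, hostname) for san in sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _name_matches(value, hostname):
                return True
    return False


def fetch_origin_cert(origin_ip: str, sni_hostname: str, port: int = 443, cafile=None) -> dict:
    """Diagnostic: connect straight to the origin with the given SNI and return the leaf
    certificate it served. Hostname checking is disabled so a mismatched certificate can
    be inspected; the chain must still validate (pass cafile for a private CA)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((origin_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_hostname) as tls:
            return tls.getpeercert()
```

Run `cert_matches_hostname(fetch_origin_cert("<origin ip>", "www.example.com"), "www.example.com")` against your own origin to reproduce the strict-mode verdict before changing the DNS setup.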

Thanks - yeah, figured I would be ‘stuck’. I’ll need to bind another cert to IIS using SNI to support this - probably easiest.
At least SophosXg will get one upvote for being able to support this scenario - lol.

thanks


The easiest way to verify that will be to unproxy. One other way would be if you used a CNAME record, as Cloudflare would accept that name for the certificate as well in that case, but the best solution would still be to install a valid certificate.

Yep, currently unproxied and working.
Thanks for the sanity check.

If it works unproxied, it should work proxied too. The CNAME would be a valid workaround in this context, but a valid certificate is typically preferable of course. Glad it works.
