Certs with Subdomains

I’m in the process of moving SSL certs from Let’s Encrypt on my Nginx box to CF’s origin-issued certs.

I’ve not had any problems with top level domains, such as example.com. However with SUBDOMAINS the certs refuse to work.

I’ve tried setting up the PEM and key both as named subdomains (sd1.example.com) and as wildcards (*.example.com). HSTS is inactive for all the sites (“max-age=0”), I’ve cleared all data in my browsers (FF and Chrome), and my nginx configs are exactly the same. Caching on my server is disabled, and CF caching is purged. It doesn’t matter if the encryption level is Full or Full (strict).

In one instance, I have a root level domain where the CF cert works, but the subdomain won’t work. In another instance, I do NOT have a root domain, but I only use subdomains, and the subdomains won’t work.

Error message is “invalid certificate”. If I flip back to using LE cert, site works as expected. What seems to be the problem?

Can you post the actual hostnames, and also the certificates? Just for the sake of good order, only the certificates, not the private key.

*.udll.com, udll.com (2 hosts) - for this the subdomain doesn’t work; the root domain DOES work.

*.rossetti-enterprises-inc.com, rossetti-enterprises-inc.com (2 hosts) - only using the subdomains here, nothing works.

Alright, the hosts are all properly proxied, so it is difficult to obtain the certificate. Again, can you post the certificates in question too?

Also, can you post a screenshot of the error message? Could it be that you are simply missing the root certificate for the origin certificates? -> https://community.cloudflare.com/search?q=origin%20root


-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

The certificates look just fine. That shouldn’t be an issue with the certificates themselves.

My guess would be either a missing root certificate or something else, depending on the error message. Hence again


This is where the primary domain: udll.com works correctly. The subdomain does not.

Ohhhhh, you mean a browser warning?

That is perfectly normal. Origin certificates are not valid in a browser environment, but only in a proxied context. If you do not plan to use these hosts exclusively in a proxied context, you can’t really use Origin certificates. Well, you can, but you will get the warning.
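To turn the reasoning in that reply into something you can run, here is an added example (my own script, not code from the thread or from Cloudflare) that performs the three checks a practitioner would make before blaming the certificate: is the served cert issued by Cloudflare's Origin CA, does the hostname actually fall under its SANs (a wildcard covers exactly one label), and do the host's DNS answers point at Cloudflare edge IPs, i.e. is the record proxied. The Cloudflare IP ranges are a snapshot to be refreshed from cloudflare.com/ips, the issuer-name heuristic is an assumption to check against your own cert, and the sample `getpeercert()` dict and addresses are constructed; `fetch_origin_peercert` and `resolve_ipv4` need a network and are not exercised offline.

```python
"""Explain 'invalid certificate' on a Cloudflare Origin CA host (added example)."""
import ipaddress
import socket
import ssl

# Snapshot of Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips/).
# Assumption: illustrative only; refresh from that page before relying on it.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_ip(ip):
    """True if ip lies in one of the snapshotted Cloudflare edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def _name_to_dict(rdn_sequence):
    """Flatten the nested tuples getpeercert() uses for 'issuer' / 'subject'."""
    return {attr: value for rdn in rdn_sequence for attr, value in rdn}


def is_origin_ca_cert(peercert):
    """Heuristic (assumption): Origin CA leafs name Cloudflare as issuer O and 'Origin' in OU."""
    issuer = _name_to_dict(peercert.get("issuer", ()))
    org = issuer.get("organizationName", "").lower()
    unit = issuer.get("organizationalUnitName", "").lower()
    return "cloudflare" in org and "origin" in unit


def hostname_matches(hostname, peercert):
    """RFC 6125-style DNS SAN matching: exact match, or a leading '*' covering ONE label.
    So *.example.com covers sd1.example.com but not example.com or a.b.example.com."""
    host = hostname.lower().rstrip(".")
    for kind, value in peercert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern.startswith("*."):
            suffix = pattern[1:]                      # ".example.com"
            if host.endswith(suffix):
                first_label = host[:-len(suffix)]
                if first_label and "." not in first_label:
                    return True
        elif pattern == host:
            return True
    return False


def diagnose(hostname, peercert, resolved_ips):
    """Return a list of findings; an empty list means the setup is consistent."""
    findings = []
    if not hostname_matches(hostname, peercert):
        sans = [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
        findings.append("SAN mismatch: %s is not covered by %s" % (hostname, sans))
    if is_origin_ca_cert(peercert):
        ips = list(resolved_ips)
        if not ips or not all(is_cloudflare_ip(ip) for ip in ips):
            findings.append("Origin CA cert but DNS is not proxied (%s): browsers "
                            "will reject it; turn the orange cloud on" % ips)
    return findings


# --- live helpers (need network; not used by the offline sample below) -------

def resolve_ipv4(hostname):
    """Public A records; Cloudflare edge addresses here mean the record is proxied."""
    return sorted({i[4][0] for i in socket.getaddrinfo(hostname, 443, socket.AF_INET)})


def fetch_origin_peercert(hostname, origin_ip, origin_root_pem, port=443):
    """Connect straight to the origin (bypassing the proxy) and return the leaf cert
    as a getpeercert() dict. ssl only fills that dict when the chain validates, so
    the Cloudflare Origin CA root (PEM path supplied by the caller) is the trust
    anchor; without it this raises SSLCertVerificationError, the browser's error."""
    ctx = ssl.create_default_context(cafile=origin_root_pem)
    ctx.check_hostname = False                        # names are checked in diagnose()
    with socket.create_connection((origin_ip, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() form: an Origin CA cert for the two SANs
# named in this thread, *.udll.com and udll.com.
SAMPLE_ORIGIN_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "CloudFlare, Inc."),),
               (("organizationalUnitName", "CloudFlare Origin SSL Certificate Authority"),)),
    "subjectAltName": (("DNS", "*.udll.com"), ("DNS", "udll.com")),
}

if __name__ == "__main__":
    # Unproxied subdomain (constructed non-Cloudflare address) vs proxied apex.
    print(diagnose("bonus.udll.com", SAMPLE_ORIGIN_CERT, ["203.0.113.10"]))
    print(diagnose("udll.com", SAMPLE_ORIGIN_CERT, ["104.16.1.1"]))
```

In live use, feed `diagnose()` the cert from `fetch_origin_peercert(host, origin_ip, "origin_ca_rsa_root.pem")` and the addresses from `resolve_ipv4(host)`; a cert that passes both name and issuer checks but resolves to a non-Cloudflare address is exactly the "grey cloud" case, and the fix is in DNS, not in nginx.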

I found that the proxy for bonus.udll.com was NOT turned on, and the root was. That fixed that one.
Still reviewing the rossetti-enterprises-inc.com

Same proxy not being turned on in r-e-i.
Thanks for your help with this.
