Cloudflare Access not working on sub-sub-domains

Just set up Cloudflare Access and it’s working very nicely but only for one access policy.

On Cloudflare I have SSL/TLS mode to full, redirect to HTTPS enabled and HSTS on.

So, I have proxied A records for,, and all pointing at primary-ip.

I originally had the sub-sub domains as CNAME records pointing at with a wildcard but I’ve moved to explicitly defining the records, to remove any possible issues.

Now, I have Access policies for as well as the sub-sub domains.

At primary-ip I have Nginx Proxy Manager generating Let's Encrypt certs for the sub and sub-sub domains individually, enforcing SSL and redirecting the traffic to my internal devices.

To the crux of my issue. For some reason Cloudflare Access works perfectly on but on * I don’t even get directed to the authentication page and Chrome gives me ERR_SSL_VERSION_OR_CIPHER_MISMATCH.

I’ve pinged the * sub-sub-domains and they are being proxied… So I’m stumped as to what is wrong…

Hi @mearman,

This looks to me to be an SSL/TLS issue rather than an issue with Access.

Hmm, but that wouldn’t explain why I’m not getting direct to the Access authentication page on the sub-sub domains would it?

Also the certificates for and the * domains are being generated exactly the same way.

Just for clarity, I’m not trying to generate a wildcard certificate. Just several sub-sub-domain certificates.

Are you using Cloudflare’s Universal SSL certificate, or a dedicated certificate? The Universal or $5 dedicated certs only cover *, not * So I would not expect

to work.

If you are redirecting to HTTPS, I believe the SSL error will occur before Access kicks in.

I’m generating specific sub-sub-domain certificates on the host. Not wildcard certificates.

Which is fine, and you do need the certs on your server, but that doesn’t affect the certificate on Cloudflare’s proxies which will only cover * unless you have a dedicated certificate.

Hmm, good point.

I’ll push everything up so it’s just sub-domains rather than sub-sub-domains and test.

Ok, problem solved I think.

Cloudflare SSL/TLS set to flexible but with Always Use HTTPS redirect turned on. Though I may switch that to a page-rule for the subdomains.

Proxied A record for
Proxied CNAME records for a, b and that point to

Cloudfare Access records set up for a, b, c and

NGINX running at with no SSL which is proxying for a, b, c and


I’m having the same issue however I’m not able to flatten to a single subdomain so I’m not sure what to do.

I have the following setup:

URL: (has a letsencrypt SSL cert)

DNS: => IP Grey Cloud
* => IP Grey
admin => IP Orange Cloud

I am then trying to configure cloudflare access on the admin URL. I have no ability to flatten this as the “admin” URL is hosted by something I don’t control. I tried setting SSL to off but that didn’t seem to work

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.