Cloudflare edge cert generated while it should not

I’m on the Cloudflare free version.

I’ve created a CNAME record for Pages in the format cf.demo.example.com, to see if it would generate an SSL cert.
In the DNS -> Records section I can see the CNAME with a little warning sign:
“This hostname is not covered by a certificate. Learn more.”
Just as expected.

At SSL/TLS -> Edge Certificates I can see certs for example.com and *.example.com. Just as expected.

However at Workers & Pages -> cfdemo -> Custom domains I can see the domain
cf.demo.example.com is Active and has SSL enabled. What?

Opening cf.demo.example.com in the browser / cli shows a valid certificate:

$ openssl s_client -showcerts -connect cf.demo.example.com:443 </dev/null
Connecting to 2606:4700:3031::6815:217d
CONNECTED(00000005)
depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
verify return:1
depth=1 C=US, O=Google Trust Services LLC, CN=GTS CA 1P5
verify return:1
depth=0 CN=cf.demo.example.com
verify return:1
---
Certificate chain
 0 s:CN=cf.demo.example.com
   i:C=US, O=Google Trust Services LLC, CN=GTS CA 1P5
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May  1 08:48:22 2024 GMT; NotAfter: Jul 30 08:48:21 2024 GMT

I’m surprised this works…

Cloudflare Pages uses CF for SaaS, which issues an SSL Certificate for the hostname. This allows it to even work for websites outside of Cloudflare, which Cloudflare wouldn’t have a universal certificate for. Sounds like that’s the root of your confusion?

The certificate belongs to your pages.dev/the custom domain, so you wouldn’t see it under your Edge Certificates, and that’s also why it shows the warning about it not being covered (because it doesn’t see it in the same way).
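
Why the DNS tab warns while the browser still sees a valid certificate, as an added example that is not part of the original thread: a wildcard name stands for exactly one label, so *.example.com does not cover cf.demo.example.com, while the per-hostname certificate seen in the s_client output does. The function names are illustrative, and the two name lists are constructed from the names quoted in the thread.

```python
"""Which certificate names cover a hostname? (RFC 6125-style matching)"""


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name covers hostname.

    A wildcard is honoured only as the complete left-most label and
    stands for exactly one label, so it never spans a dot.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Conservative choice in this sketch: require at least two fixed
        # labels after the wildcard, so "*.com" is rejected.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    # Partial wildcards such as "f*.example.com" are not accepted.
    if any("*" in label for label in p_labels):
        return False
    return p_labels == h_labels


def covering_names(cert_names, hostname):
    """List the certificate names that cover hostname."""
    return [n for n in cert_names if name_matches(n, hostname)]


# Constructed from the names quoted in the thread.
EDGE_CERT_NAMES = ["example.com", "*.example.com"]   # Edge Certificates tab
PAGES_CERT_NAMES = ["cf.demo.example.com"]           # cert shown by s_client


def explain(hostname):
    """Show which certificate set, if any, covers hostname."""
    return {
        "edge": covering_names(EDGE_CERT_NAMES, hostname),
        "pages": covering_names(PAGES_CERT_NAMES, hostname),
    }


if __name__ == "__main__":
    for host in ("demo.example.com", "cf.demo.example.com"):
        print(host, explain(host))
```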
