Cloudflare for SaaS custom hostname SSL error

We are using Cloudflare for SaaS with the standard configuration ( for our multi-tenant SaaS application.

We want to enable customers instances of our SaaS application to be available at, hosted as a project on Vercel using a wildcard domain ( Our customers can also set up a subdomain on their own apex domain with a value of We have set up a Custom Hostname for each customer hosted subdomain and the certificate status is “Active”. “Always Use HTTPS” is off, and our Cloudflare SSL mode is “Full” (note: not strict). works. The application loads and there are no errors. However, when is set up by our customers with a CNAME value of, they receive a Cloudflare error “Invalid SSL certificate” (Error code 526). We expected this to work because Cloudflare is proxying our wildcard domain * to the Vercel project where the wildcard domain is confirmed to be working.

How can we set up`` to proxy `and work?

Do you offer any certificate for on your server? Full requires one, even if it is not validated in any way.

Since It’d feel wrong to not point this out:
Full encryption mode is just as vulnerable to man-in-the-middle attacks as no encryption at all. Why not use a Cloudflare Origin certificate for your customers domain and change to Full (strict)?

Can you test with curl -v --connect-to ::actual-server-ip

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.