Cloudflare for SaaS custom hostname SSL error

We are using Cloudflare for SaaS with the standard configuration (https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/#standard-cloudflare-for-saas-configuration) for our multi-tenant SaaS application.

We want to enable customers instances of our SaaS application to be available at CUSTOMER_NAME.example.com, hosted as a project on Vercel using a wildcard domain (https://github.com/vercel/vercel/discussions/7739#discussioncomment-4718084). Our customers can also set up a subdomain on their own apex domain with a value of SUBDOMAIN.customer.com. We have set up a Custom Hostname for each customer hosted subdomain and the certificate status is “Active”. “Always Use HTTPS” is off, and our Cloudflare SSL mode is “Full” (note: not strict).

CUSTOMER_NAME.example.com works. The application loads and there are no errors. However, when SUBDOMAIN.customer.com is set up by our customers with a CNAME value of CUSTOMER_NAME.example.com, they receive a Cloudflare error “Invalid SSL certificate” (Error code 526). We expected this to work because Cloudflare is proxying our wildcard domain *.getcaruso.com to the Vercel project where the wildcard domain is confirmed to be working.

How can we set up SUBDOMAIN.customer.com`` to proxy CUSTOMER_NAME.example.com `and work?

Do you offer any certificate for SUBDOMAIN.customer.com on your server? Full requires one, even if it is not validated in any way.

Since It’d feel wrong to not point this out:
Full encryption mode is just as vulnerable to man-in-the-middle attacks as no encryption at all. Why not use a Cloudflare Origin certificate for your customers domain and change to Full (strict)?

Can you test with curl -v https://SUBDOMAIN.customer.com --connect-to ::actual-server-ip

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.