We are using Cloudflare for SaaS with the standard configuration (https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/#standard-cloudflare-for-saas-configuration) for our multi-tenant SaaS application.
We want to enable customers' instances of our SaaS application to be available at CUSTOMER_NAME.example.com, hosted as a project on Vercel using a wildcard domain (https://github.com/vercel/vercel/discussions/7739#discussioncomment-4718084). Our customers can also set up a subdomain on their own apex domain with a value of SUBDOMAIN.customer.com. We have set up a Custom Hostname for each customer-hosted subdomain and the certificate status is “Active”. “Always Use HTTPS” is off, and our Cloudflare SSL mode is “Full” (note: not strict).
CUSTOMER_NAME.example.com works. The application loads and there are no errors. However, when SUBDOMAIN.customer.com is set up by our customers with a CNAME value of CUSTOMER_NAME.example.com, they receive a Cloudflare error “Invalid SSL certificate” (Error code 526). We expected this to work because Cloudflare is proxying our wildcard domain *.getcaruso.com to the Vercel project where the wildcard domain is confirmed to be working.
How can we set up SUBDOMAIN.customer.com to proxy CUSTOMER_NAME.example.com and work?