Cloudflare SaaS Custom Hostnames don't return correct certificates

What is the name of the domain?

mydomain.com

What is the error number?

HTTP 526

What is the issue you’re encountering

Custom Hostnames results in HTTP 526

What feature, service or problem is this related to?

I don’t know

What are the steps to reproduce the issue?

I’ve been trying to get the custom hostnames at Cloudflare for SaaS up and running for about a week now - and I’m also trying to do this in my spare time.
The documentation is very sparse, is probably incomplete/has bugs - and despite the exact same setup, it doesn’t work: everything is “green”, but no certificates for custom hostnames are delivered even after 48 hours. I always run into HTTP 526.

I have two domains: (platform) and (user)
I have set up (fallback platform) as a proxied CName pointing to an Azure Web App as a test. As always, this works perfectly.
Then I set (fallback platform) as fallback origin - also works after some waiting.

Then I created (app user) as a custom hostname and set the CName in the (user) zone to (fallback platform) as well as the TXT entries.
This didn’t work at first because the TXT values that are displayed include the zone - so you can’t even just copy it to Cloudflare DNS.
After I noticed this, the custom hostname was validated - everything is now green, the certificate was created according to the dashboard and is valid for 6 months: nice!

No matter which variant, I do not get a valid certificate when calling (app user). Even after 48 hours.
During intensive Google research - unfortunately there are hardly any hits, is the product used? - I only found sparse tips, all of which actually say at the end that you should activate SSL Full (Strict), which is the case for me.

The documentation also shows a custom target:

  • (fallback platform) is the Fallback Origin (Proxied)
  • (domains platform) as CName Alias on (fallback platform) (Proxied)
  • (app user) then points to (domains platform) (not proxied)

Here, too, I get an HTTP 526, both when I access (app user), but also when I access (domains platform)
In the documentation it is unfortunately unclear whether (domains platform) or (* domains platform). The text here differs from the example (Markdown error?); with the wildcard variant I get an error that I will not receive a certificate without a further upgrade (Certification Manager) - the information is missing in the documentation.

No matter which variant I take from the documentation at the end: everything is displayed as green in the custom hostnames, but all hostnames respond with HTTP 526.
Sorry for the domain format, otherwise I cannot post this issue.

A 526 means that the certificate on your server is invalid. Have you configured the user domain on your web server?

The certificate needs to either handle the user domain or the fallback origin.

3 Likes

Not really in this case, because Cloudflare would have to respond with the custom hostname certificate, but this does not happen. That’s the whole point of this feature.

My Origin answers absolutely correctly, see text.
Only the custom hostname part does not work.

Your origin needs a valid configuration for the custom domain, i.e. a virtual host configuration file.

3 Likes

In principle, I agree with you that this must be the case with a CName Chain - however, Cloudflare’s marketing speaks of “Zero Server Configuration” in some places.
I did some research and have now read several blogs again; nowhere is there any mention of a server-side config. I also assumed that this was one of the features thanks to proxying and X-Headers.

I have now switched from SSL Full (Strict) to SSL Full and no longer get an HTTP 526 error, but an Azure App Service 404: “Custom domain has not been configured inside Azure”.
This behavior speaks for your reply that I need a Virtual Host Config - but then the product unfortunately makes no sense for me (and my customers), I have no way to bind / configure the custom domain in Azure in this way with a few exceptions, too bad.

Thank you.

Regardless of how you have a site set up at Cloudflare (with some exceptions), it needs to be fully functioning before you add it to Cloudflare. That includes a properly configured server with a valid SSL certificate.

It sounds like that is not the case here, which is causing the 526 issue.

SaaS Custom Hostnames is a product that allows you to add someone else’s hostname to your zone. Like if you run Super Duper Example Hosting at superduperexamplehosting.com, with that domain set up here. Then you can add your customer site hostnames to your superduperexamplehosting zone, and configure them all in one place. But they still need to be set up in the usual way on your server.

Otherwise, how else would your server know which content to serve up for those hostnames?

1 Like

As described, the pure setup with my server/instance works. I use Cloudflare and Azure for over 100 projects - I really like Cloudflare.
I know how it works, my only concern here is the custom hostname feature.

But they still need to be set up in the usual way on your server.

This is not documented anywhere. In theory, the Origin server does not need to know anything about the domain if it is a “real proxy” and only the X headers are set. Then it looks like a normal request to my app. Then CF Hostnames would simply be a facing wall that takes care of the cert handling for me. But what really happens under the hood is not clear. Other providers do exactly that - but that seems to be different with Cloudflare.

For me, this means that I can use a load balancer in certain scenarios (e.g. with AWS), but this doesn’t work with Azure because I have no way of configuring it here, except for a self-managed VM.

You mean that without Cloudflare, a browser can still HTTPS connect to the server for that hostname, and get a successful response for the site?

Cloudflare still needs to make a TLS connection to your server, and it’s going to use the Hostname of the client request. That seems to be the mismatch here.

2 Likes

You mean that without Cloudflare, a browser can still HTTPS connect to the server for that hostname, and get a successful response for the site?

Yes. The basic setup to configure CF in front of Azure Web App works fine.
Fallback Origin DNS (A record / CNAME) in CF to Azure: everything is active and the Azure-generated cert is being served.

It’s just the hostname part.

Cloudflare still needs to make a TLS connection to your server, and it’s going to use the Hostname of the client request. That seems to be the mismatch here.

Probably, at least that’s what the SSL setup seems like. Other providers apparently implement this somewhat differently.

I just cannot configure the customer hostname in shared managed services such as Azure Web Apps or have a corresponding limit of entries. But that would undermine the whole point of the Cloudflare Custom Hostname product - because without the Azure or AWS LB limit, I wouldn’t need the Cloudflare product.

So you want to change the request hostname to your fallback origin and then add something like an x-forwarded-hostname header that identifies the actually requested page?

You can do that with Snippets/Workers if you want.

Basically, my requirement is common for platforms: I have existing SaaS platforms where customers should configure custom domains themselves, without internal effort. As a potential comparison, you can see the situation with Shortlink providers, for example: you enter your custom domain, this is validated by the platform and then I can use my ShortLink subdomain, including a certificate.

On AWS, the solution for Managed Services is to set up one ALB instance for every 25 certificates; on Azure, I can use Frontdoor for this.
On AWS I can use the Certificate Manager, on Azure I have to use the built-in Cert mechanism - neither of which are great solutions. They do not scale and you are dependent on the infrastructure. Any change requires a revalidation of the custom domains, which is a worst case scenario.
The most common solution is to dispense with managed services and rely on Kubernetes and a custom cert handling, which we do not want.

Now there are several providers for the subdomain topic, including Cloudflare.
Cloudflare would be our wish for all my platforms (and all my customers), but if this only works with unmanaged services such as virtual machines due to the hostname binding (here I can configure a Catch All, as with Cloudflare Workers), then unfortunately this is not a solution.

Let’s say your domain is saas-provider.example and you have a customer that wants to add their own custom domain, customer-domain.example.

When Cloudflare receives a request to https://customer-domain.example/image.jpg, it would normally forward the request to your fallback origin without making any changes, so your server needs to be configured to serve the customer domain.

You can get around this with a Snippet/Worker that rewrites the request to https://saas-provider.example/image.jpg and adds a header that tells you the hostname that was initially requested, so you can decide on your origin to serve different assets to different customers, based on that header.

Such a Snippet could be pretty simple and would only have to be set up once, not per customer domain.
This example here shows how you can change the URL in a Snippet and also add a header:

2 Likes
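The rewrite described in the reply above, written out as an added example (not code from the thread or from Cloudflare): a Worker/Snippet-style handler that swaps the custom hostname for the fallback origin, keeps path and query, and carries the originally requested hostname in a header. The hostnames come from the reply; the header name `X-Forwarded-Hostname`, the allowlist and the function names are assumptions. Because Cloudflare now connects to the fallback origin by its own name, the origin's certificate only has to cover `saas-provider.example`, so SSL Full (Strict) can stay on.

```javascript
// Added example, not from the original thread. Runs in a Cloudflare Worker
// (as the default export) and, for the rewrite function, in Node 18+.
const FALLBACK_ORIGIN = "saas-provider.example";       // assumed platform origin
const ORIGINAL_HOST_HEADER = "X-Forwarded-Hostname";   // assumed header name

// Constructed allowlist: in production this is the set of custom hostnames
// that have been validated for the platform, not a hard-coded literal.
const KNOWN_CUSTOM_HOSTS = new Set(["customer-domain.example"]);

// Only hostnames the platform has onboarded (or the fallback origin itself)
// are forwarded; anything else gets a 404 instead of reaching the origin.
function isServedHost(hostname) {
  return hostname === FALLBACK_ORIGIN || KNOWN_CUSTOM_HOSTS.has(hostname);
}

// Rewrites https://<customer>/path?query to https://<fallback>/path?query and
// records the customer hostname in ORIGINAL_HOST_HEADER. The header is always
// overwritten, so a client cannot smuggle its own value through to the origin.
function rewriteToFallbackOrigin(request) {
  const url = new URL(request.url);
  const requestedHost = url.hostname;
  url.hostname = FALLBACK_ORIGIN; // path, query and scheme stay as they were

  const headers = new Headers(request.headers);
  headers.set(ORIGINAL_HOST_HEADER, requestedHost); // replaces any client copy

  const init = { method: request.method, headers, redirect: "manual" };
  if (request.method !== "GET" && request.method !== "HEAD") {
    init.body = request.body;
    init.duplex = "half"; // Node's fetch needs this to forward a stream body
  }
  return new Request(url.toString(), init);
}

// In a Worker module this object is the `export default`.
const worker = {
  async fetch(request) {
    const host = new URL(request.url).hostname;
    if (!isServedHost(host)) {
      return new Response("Unknown hostname", { status: 404 });
    }
    return fetch(rewriteToFallbackOrigin(request));
  },
};
```

The origin can then route on `X-Forwarded-Hostname` while its virtual host and certificate stay bound to the fallback origin name only; because the Worker overwrites the header, the origin should treat it as authoritative only for traffic that arrives through Cloudflare.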
