CNAME confusion

Your origin server does not have a certificate for This is most likely due to your origin server only being configured for and not That is actually fine. You should pick only one of the two names to be the canonical name and configure a redirect to it from the other.

In addition to the guide shared by @anon9246926, example 2 in this cheat sheet should help you get a redirect working.