CNAME proxying connection error

I am trying to get a CNAME record proxied via Cloudflare

I have a webserver answering to (which I’ll call HOSTNAME_A) and set up a CNAME record to map it to (HOSTNAME_B)

When enabling proxying for said record I expect requests initiated by Cloudflare to the origin server would use HOSTNAME_A, however if I try to connect via http I get a 404 error, via https it’s 525.

When trying to find answers about the 525 error I found SSL Error 525 with Proxied CloudFront origin which suggests the origin server should provide a valid certificate for HOSTNAME_B, since Cloudflare uses that to perform requests.
The community tips for error 525 seem to point to the same conclusion.

This goes against what is suggested by the documentation in this article Configuring an Amazon Web Services static site to use Cloudflare – Cloudflare Help Center where I would expect requests from Cloudflare to S3 are performed with the S3 address rather than the alias.

Am I correct in my assumption Cloudflare is using HOSTNAME_B to connect to my server? Is there a way to configure it to use the HOSTNAME_A?

Thank you

525 would not indicate an incorrect certificate but a general SSL issue. You probably don’t have any certificate there.

Generally you always need a valid certificate on your server, in case of a CNAME record Cloudflare would also accept a certificate issued to the name configured for that record.

I’d advise to keep the record unproxied for the time being until your SSL setup works fine and once that works you can proxy it.


Ah, thank you for the clarification: it appears that our server is not responding properly

curl -v https://<HOSTNAME_B> --connect-to ::<server_ip>
* OpenSSL SSL_connect: Connection reset by peer in connection to <HOSTNAME_B>:443

Which I assumed was proper behaviour, but instead it should return something like

* SSL: no alternative certificate subject name matches target host name

Yes, in an unproxied connection you can expect a mismatch in the hostname, but that’s covered by the aforementioned CNAME exception on Cloudflare.

Two important things:

  1. The certificate needs to have either the name of the CNAME or the actual hostname.
  2. Your encryption mode needs to be “Full strict”.

If these two things are given, you’ll have a secure setup.
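The two rules above, written out as a small check one can run against the names in an origin certificate's SAN list. This is an added example, not code from the thread or from Cloudflare; the hostnames and the `mode` strings are assumptions, and the SAN names are passed in rather than read from a live server.

```python
def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS name match: case-insensitive, and a '*' is only
    honoured as the entire leftmost label, covering exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Same label count, at least two labels after the wildcard, and every
    # non-wildcard label identical: "*.example.net" covers "origin.example.net"
    # but not "a.b.example.net" or "example.net".
    return (len(p_labels) == len(h_labels)
            and len(p_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def origin_cert_acceptable(san_names, record_name, cname_target, mode):
    """Decide whether Cloudflare (proxied CNAME record) would accept the
    origin's certificate, given the DNS names in its SAN list.

    record_name  -- the proxied record (HOSTNAME_B in the thread)
    cname_target -- the name it points at (HOSTNAME_A, the real web server)
    mode         -- "full" or "full_strict" (assumed labels for the
                    Cloudflare encryption modes)

    In "full" mode the name is not validated at all, so a wrong-name or
    self-signed certificate passes; only "full_strict" enforces the rule
    that the certificate must carry either the record name or the CNAME
    target (the CNAME exception mentioned in the thread).
    """
    if mode == "full":
        return True
    if mode != "full_strict":
        raise ValueError(f"unknown mode: {mode}")
    return any(dns_name_matches(san, host)
               for san in san_names
               for host in (record_name, cname_target))


if __name__ == "__main__":
    # Constructed sample: record www.example.com is a CNAME to origin.example.net
    # and the origin presents a certificate issued for the origin name only.
    print(origin_cert_acceptable(["origin.example.net"],
                                 "www.example.com", "origin.example.net",
                                 "full_strict"))
```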
