CNAME root domain and SSL validation

I have my site working fine, but I’m curious about something.

My site uses an Azure app service so that it is accessible with a url like I also have a custom domain set up in azure for, but no SSL for that domain.

So, I initially set up the DNS in Cloudflare with a CNAME record for the root domain to point to, and I set the SSL to “Full (strict)” and it worked. This suggests that Cloudflare was accessing the origin server with, and then successfully validating the SSL certificate. But the SSL certificate didn’t match the domain name, so my question is, was it getting the domain ( from the CNAME record and validating the SSL certificate against that domain?

I changed the CNAME record to an A record pointing to the IP address. When I made that change, I had to change the SSL validation to “Full” in order for it to work. I’m wondering if maybe the CNAME setup was better because it allowed me to use the “Full (strict)” setup. Any thoughts on that?

In case of CNAMEs the certificate can match both hostnames, the domain’s and the CNAME’s.


Thanks for the confirmation. Any thoughts on which setup should be preferred (CNAME with Full (strict) validation vs A record with Full)?

Full strict is generally preferable.


This topic was automatically closed after 30 days. New replies are no longer allowed.