CNAME tls issue from cloudflare to cloudflare domain


I have 2 different domains in Cloudflare. uses Full (strict) end-to-end encryption with a Cloudflare Certificate on my origin server. :orange: enabled . This works fine and shows the correct certificate.

Now I want to create a CNAME record ( :grey: disabled ) on my secondary domain: :grey: and target :orange:

What I’ve done is create a letsencrypt certicate for * on my origin server. I’ve tested as a normal A record and my letsencrypt certificate/setup WORKS.

Now, when I do the CNAME from :grey: to :orange:, my browser gives me the following error: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

I’m not sure how to fix this, but I suspect it’s not possible when I use Full (Strict) on
Do you guys have any ideas?

If you point a Cloudflare proxied (aka :orange:) record to another proxied one it won’t work unless you have SSL for SaaS, which is a paid product in the Enterprise plan.

I’m not completely sure if there are workarounds which reduce security that can make it work. The solution is to keep one of them (best the target, to solve SSL issues) as non-proxied (aka :grey:). Unfortunately it’s been one of the big issues that doesn’t have an easy solution.

Hi @matteo ,

Great suggestion, however:
Right now, my target is :orange: and my source is :grey: but it still doesn’t work.
So I suspect there’s something else wrong. Any ideas?

It still sounds like you’re attempting a CNAME setup (pointing a CNAME in one domain to a different domain in Cloudflare). This is only available in Business and Enterprise plans.

Thank you. Yes, I thought this would be available from Cloudflare to Cloudflare domain, but the error still seems weird. I hope it will be fixed when I upgrade then.

If anyone still thinks this specific error will be present after upgrading to Business, please let me know.


Let’s make an example.

user -> -> -> origin server

If is :orange: and is :grey:, with a valid certificate for and is responding to that domain it will work normally. Any other configuration won’t work. Both :orange: requires an higher plan. I do have my doubts that it’s enough to have a Business plan, I feel like it requires Enterprise and the SSL for SaaS product. Maybe someone will know once the Cloudflare Support Engineering come back.

You could open a support ticket and ask…

To contact Cloudflare Customer Support, login & go to and select get more help. If you receive an automatic response that does not help you, please reply and indicate you need more help.

Hi again @matteo,
In my case it’s: User -> :grey: CNAME-> :orange: -> origin server

I will raise a case at cloudflare support too, thanks. Let me know if u get any further ideas.

That won’t work, as Cloudflare won’t have a certificate for while serving, you require SSL for SaaS then.


Hi @matteo ,
I’ve spoken to some of my contacts at Cloudflare and they suggested a potential solution which may work given that upgrading to Enterprise and enabling SSL for SaaS isn’t an option.

I haven’t tested this solution personally yet, but figured I would share it in case anyone else could use it:

  1. Upgrade to a Business plan
  2. Order an external SSL certificate with multi-domain support (commonly supports up to 100/250 different domains or subdomains.)
  3. Add your customers and corresponding internal subdomains to the certificate
  4. Upload the custom certificate to CloudFlare

This should cover the above-mentioned setup even when the target domain is :orange:

As always, feel free to share your thoughts on the matter.

1 Like

Personally, I have a DNS record that’s :ngrey: DNS-only which is used by other domains (including my own) with :norange: proxied mode. That way it totally works and has all user-facing domains proxied.


Yeah good input. I’ve considered this solution as well, but in some cases I want the target domain to be proxied to benefit from all the other Cloudflare features.

Anyway, thank you for all your feedback guys.

Just a quick explanation:

If you want (:ngrey:) to resolve to (:norange:), create a third record with the same configuration as, name it whatever you want (e.g. :ngrey:) and point & both to :ngrey:.

That way you can enable proxying on both domains and use all features.

This topic was automatically closed after 30 days. New replies are no longer allowed.