Full (strict) fails with CF Origin CA Cert

I can’t seem to get the CA Cert working with Full (strict) on my domain giffgaffstatus.com

I used this command…

echo | openssl s_client -connect XX.XX.XX.XX:443 -servername giffgaffstatus.com -tls1_2 2> /dev/null | sed -n '/Certificate chain/,/---/p'

…to check that the server is providing the Origin CA cert, and it outputted…

Certificate chain
 0 s:O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
   i:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California

…which makes me think it definitely is.


Hosts generated on CF include *.giffgaffstatus.com and giffgaffstatus.com, so both should work fine.

Connecting to the server via its local IP on my network also shows the CF Origin CA cert: https://u.davwheat.dev/KBMyzA.png (can’t embed, new user)

I have no clue why it’s not working, and instead showing me the 526 error.

How did you manage to get an origin cert with two domains on it? Any time I generate one, it tacks the domain onto the end of whatever subdomain I enter.

It gives you the option when generating.

There’s a text box with your domain (and wildcard subdomain) and you can add more to it.

Turns out that was a bit useless, though, as I can’t add the same Origin CA to all of my domains; instead I need to generate different ones.

If you are managing other zones in the same Cloudflare account, then you can do that.



Ooooo and it automatically adds the Origin CA to the other domains on the account! Clever :stuck_out_tongue:

Still doesn’t help with my issue, sadly.

@sdayman It does that, but only until you add the TLD (e.g. if you start writing davwheat it’ll show davwheat.giffgaffstatus.com but when you add the .dev, it’ll change to just be davwheat.dev.)

So…I’m wondering if Cloudflare freaks out if it sees other domains on the origin cert. Have you tried generating an origin cert for just that hostname? In my case, my sites redirect (via Page Rules) ‘www’ requests to the apex domain, so my origin certs contain just the one hostname.

You’re not testing against the IP address(es) configured for your A record in Cloudflare.

For sure not testing against where Cloudflare is pointed.
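A script version of the check the original post runs by hand, pointed at the origin IP(s) the Cloudflare A record is actually configured with rather than a local network address. This is an added example, not code from the thread; the hostname and IPs are passed as arguments, and the IP in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks that the IP(s) a Cloudflare
# A record actually points to present a Cloudflare Origin CA certificate.
# Usage: sh check_origin.sh giffgaffstatus.com 203.0.113.10 [more IPs...]
# (203.0.113.10 is a constructed placeholder; use the IPs from the zone's DNS tab.)

# Print the issuer of certificate 0 from `openssl s_client` output on stdin.
leaf_issuer() {
  sed -n '/^Certificate chain/,/^---/p' |
    awk '/^ 0 s:/ { getline; sub(/^ *i:/, ""); print; exit }'
}

# Return 0 when the issuer is Cloudflare's Origin SSL CA, the only issuer
# Cloudflare trusts for an Origin CA certificate under Full (strict).
is_origin_ca() {
  case "$1" in
    *"CloudFlare Origin SSL Certificate Authority"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Connect to one origin IP with the hostname as SNI and report the issuer.
# Exit status 1 means Cloudflare would answer with a 526 for that origin.
check_ip() {
  issuer=$(echo | openssl s_client -connect "$2:443" -servername "$1" \
             -tls1_2 2>/dev/null | leaf_issuer)
  if [ -z "$issuer" ]; then
    echo "$2: no certificate returned (no TLS listener on 443?)"; return 1
  elif is_origin_ca "$issuer"; then
    echo "$2: OK, leaf issued by: $issuer"
  else
    echo "$2: NOT an Origin CA certificate, issuer: $issuer"; return 1
  fi
}

# Constructed sample of the output shown in the thread, for an offline check.
SAMPLE_CHAIN='Certificate chain
 0 s:O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
   i:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
---'

if [ "$#" -ge 2 ]; then
  host="$1"; shift; rc=0
  for ip in "$@"; do check_ip "$host" "$ip" || rc=1; done
  exit "$rc"
else
  printf '%s\n' "$SAMPLE_CHAIN" | leaf_issuer
fi
```

Without arguments the script only parses the embedded sample; with a hostname and one or more IPs it performs the live check against each origin.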


Holy ■■■■ I’m an idiot.

I forgot that I switched to GitHub Pages for that site, but I also still had it hosted locally.

Well that would explain that, then.


Heh… welcome to our club. No t-shirts but I think you know our secret handshake… :facepalm: :woman_facepalming: :man_facepalming:



Well at least that means that I should be able to set up strict for my other domains! :see_no_evil:

