Full Strict wildcard SSL not working on subdomains

Answer these questions to help the Community help you with Security questions.

What is the domain name?

Have you searched for an answer?
yes

Please share your search results url:
a

When you tested your domain using the Cloudflare Diagnostic Center, what were the results?

Describe the issue you are having:
When I change to Full (Strict) the subdomains stop working.
They only work with Flexible setting.

What error message or number are you receiving?

What steps have you taken to resolve the issue?

  1. Generate certificate from Cloudflare
  2. Install certificate on cPanel server for domain
  3. Change SSL/TLS settings to Full Strict

Was the site working with SSL prior to adding it to Cloudflare?
It only works with flexible SSL

Have you tried from another browser and/or incognito mode?
yes

Please attach a screenshot of the error:

What happens in Full rather than the Full (Strict) version?

In Full it works.
But my understanding is that it is using a self-signed cert.

In Full (Strict) it exhibits a 526 error.

With Cloudflare

with Cloudflare paused

Regardless of how you configure Cloudflare (Full or Full (Strict)), the origin server will use the same certificate, be it self-signed or Cloudflare’s generated origin certificate.

The screenshots do look to have the right origin certificate, but this is on the root domain. Your original message suggests the problem occurs with subdomains. What certificates do you see on subdomains when Cloudflare is paused?

Thanks for your help. Here is the info on a subdomain with Cloudflare paused.

The certificate being served there is just for the root domain and the www. subdomain, but it is missing the wildcard, so that certificate is only available for the root and www. names themselves. Also, it isn’t Cloudflare’s client certificate.

My guess is you need to install Cloudflare’s client certificate on your subdomains either in your control panel or whatever service is on the subdomain if it is a different server/service.

The root did seem to be configured properly as it worked before even in Full (Strict).
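The diagnosis in the last reply, as an added example that is not part of the original thread: a certificate-name check that shows which hostnames a given SAN list covers, and why a root-plus-www certificate leaves other subdomains failing under Full (Strict). The domain `example.com`, the SAN lists and the function names are constructed for illustration.

```python
"""Which hostnames does an origin certificate's SAN list cover? (constructed example)"""


def san_matches(hostname: str, san: str) -> bool:
    """Match one DNS SAN entry against a hostname, RFC 6125 style.

    A wildcard is honoured only as the entire leftmost label and stands
    for exactly one label.
    """
    host = hostname.lower().rstrip(".").split(".")
    pattern = san.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        # "*.example.com" never covers "example.com" or "a.b.example.com"
        return False
    if pattern[0] == "*":
        # Refuse overly broad patterns such as "*.com"
        return len(pattern) > 2 and host[1:] == pattern[1:]
    return host == pattern


def covered(hostname: str, sans: list[str]) -> bool:
    """True if any SAN entry on the certificate covers the hostname."""
    return any(san_matches(hostname, san) for san in sans)


def report(hostnames: list[str], sans: list[str]) -> dict[str, bool]:
    """Map each hostname to whether the certificate's names cover it."""
    return {name: covered(name, sans) for name in hostnames}


# Constructed SAN lists: the kind of certificate described in the thread
# (root and www only) beside one that also carries a wildcard entry.
ROOT_AND_WWW = ["example.com", "www.example.com"]
WITH_WILDCARD = ["example.com", "*.example.com"]

# Constructed hostnames proxied through Cloudflare.
HOSTS = ["example.com", "www.example.com", "shop.example.com",
         "api.shop.example.com"]

if __name__ == "__main__":
    for label, sans in (("root + www", ROOT_AND_WWW),
                        ("root + wildcard", WITH_WILDCARD)):
        print(label)
        for name, ok in report(HOSTS, sans).items():
            print(f"  {name:24} {'covered' if ok else 'NOT covered'}")
```

The SAN list of a real certificate can be printed with `openssl x509 -noout -ext subjectAltName` and passed to `report`. Note that a single wildcard entry still does not cover a second-level subdomain such as `api.shop.example.com`.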
