How to use own AWS CM certificate, not CF certificate

I have an AWS EC2 server being served by an AWS ELB so we can apply our domain certificate created with AWS Certificate Manager.

In my domain root I have the CNAME for the ELB, and CF marks it as:

CNAME Flattening will be applied to this record since root (i.e. apex) CNAME records are limited by the DNS specification

but it works fine for HTTP connections… not so much for HTTPS ones, as it’s applying the CF certificate prior to our own…

What am I trying to do?

I want to have, for https connections, the Amazon issued certificate like:

https://quantads.com/favicon.ico

What is my CF setup?

My DNS setup is:

My Crypto setup is:

What did I try?

Reading the docs, I tried this:

  • set Crypto SSL to OFF, but this will simply prevent HTTPS connections from being made
  • set Crypto SSL to Flexible, but this will show the annoying warning that the domain does not have a valid certificate, because of the certificate name
  • set the cloud icon to ORANGE, and one of the above issues would occur

Resulting setup:

connection test page: https://quantads.com/favicon.ico

  • DNS Gray icon → SSL Full (strict) → connection uses EC2 server certificate (not ELB)
  • DNS Orange icon → SSL Full (strict) → connection gives 403 Forbidden and certificate name issue

What should I do?
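A small diagnostic for reproducing the connection tests above from the command line, added here as an example and not part of the original post or of any Cloudflare or AWS tooling. It opens a TLS connection with SNI set to the site name, reports who issued the leaf certificate and whether its SANs cover that name, and classifies the issuer as Cloudflare's edge or Amazon (ACM). The optional `connect_to` argument is an assumption of this script: it lets you connect straight to the ELB hostname while still sending the site name as SNI, which is how you compare the certificate seen through the orange cloud with the one the origin itself presents. The sample certificate dicts are constructed to mimic `ssl.getpeercert()` output; no real CA names are implied.

```python
"""Report which leaf certificate a TLS endpoint presents for a given site name.

Added example (not from the original post). Assumptions: the caller supplies
host, port and an optional connect_to address; SAMPLE_* dicts are constructed
test data in the shape returned by ssl.SSLSocket.getpeercert().
"""
import socket
import ssl
import sys


def issuer_org(cert):
    """Return the issuer organizationName from a getpeercert() dict ('' if absent)."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def san_names(cert):
    """List the DNS names in the certificate's subjectAltName extension."""
    return [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]


def _matches(pattern, host):
    """RFC 6125 style match: a wildcard covers exactly one left-most label."""
    if pattern.startswith("*."):
        return host.lower().endswith(pattern[1:].lower()) and host.count(".") == pattern.count(".")
    return pattern.lower() == host.lower()


def classify(cert, expected_host):
    """Say who issued the cert and whether it covers expected_host."""
    org = issuer_org(cert)
    if "cloudflare" in org.lower():
        origin = "cloudflare-edge"
    elif "amazon" in org.lower():
        origin = "amazon-acm"
    else:
        origin = "other"
    names = san_names(cert)
    return {
        "issuer": org,
        "origin": origin,
        "covers_host": any(_matches(n, expected_host) for n in names),
        "san": names,
    }


def fetch_cert(host, port=443, connect_to=None, timeout=5.0):
    """Handshake with SNI=host and return the verified leaf cert as a dict.

    connect_to (assumption of this script) is the address actually dialled,
    e.g. the ELB hostname, so the origin's own certificate can be inspected
    without going through the Cloudflare proxy. The default context keeps
    chain and hostname verification on; a self-signed EC2 cert or a name
    mismatch therefore surfaces as ssl.SSLCertVerificationError, which is
    itself the diagnostic the gray-cloud / Full (strict) test needs.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((connect_to or host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() shape (issuer is a tuple of RDNs,
# each RDN a tuple of (attribute, value) pairs). CA names are placeholders.
SAMPLE_CF = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Cloudflare, Inc."),),
               (("commonName", "EXAMPLE-CLOUDFLARE-CA"),)),
    "subjectAltName": (("DNS", "sni.example-edge.invalid"), ("DNS", "*.quantads.com"),
                       ("DNS", "quantads.com")),
}
SAMPLE_ACM = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Amazon"),),
               (("commonName", "EXAMPLE-AMAZON-CA"),)),
    "subjectAltName": (("DNS", "quantads.com"), ("DNS", "www.quantads.com")),
}


if __name__ == "__main__":
    # usage: python cert_check.py quantads.com [connect_to_host_or_ip]
    site = sys.argv[1] if len(sys.argv) > 1 else "quantads.com"
    via = sys.argv[2] if len(sys.argv) > 2 else None
    try:
        print(classify(fetch_cert(site, connect_to=via), site))
    except ssl.SSLCertVerificationError as exc:
        print(f"verification failed for {site} via {via or site}: {exc.verify_message}")
```

Run it once against the bare site name (what a visitor sees) and once with the ELB hostname as the second argument (what the origin presents). If the first reports `cloudflare-edge` and the second `amazon-acm`, the proxy is terminating TLS in front of your ACM certificate, which matches the orange-cloud behaviour described in the post.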

Are you on a Cloudflare Business or Enterprise plan?

Pro plan