Impossible to create origin SSL certificate for wildcard to set up my DNS properly

What is the name of the domain?

What is the error message?

Failed to validate requested hostname : This zone is either not part of your account, or you do not have access to it. Please contact support if using a multi-user organization.

What is the issue you’re encountering?

Impossible to create origin SSL certificate for wildcard to set up my DNS properly

What steps have you taken to resolve the issue?

  1. Read everything I can on the potential problem and help.
  2. Tried to create a certificate following this procedure: Cloudflare origin CA · Cloudflare SSL/TLS docs
  3. Wrote to support
  4. Tried to find any other relevant information to make sure all my DNS records are configured properly before changing my DNS to Cloudflare, because I don’t want to mess up hundreds of subdomains managed by a wildcard.

What feature, service or problem is this related to?

DNS records

What are the steps to reproduce the issue?

  1. Created Cloudflare account
  2. Switched to Pro plan
  3. Added my domain name
  4. Imported DNS records
  5. Tried to make sure everything is fine, since I see an error message “This hostname is not covered by a certificate” next to most of the A and CNAME records in my DNS records
  6. Tried to create a certificate following this procedure: Cloudflare origin CA · Cloudflare SSL/TLS docs
  7. Wrote to support
  8. Tried to find any other relevant information to make sure all my DNS records are configured properly before changing my DNS to Cloudflare, because I don’t want to mess up hundreds of subdomains managed by a wildcard.

Both Edge and Origin certificates can only be generated after your domain is active on Cloudflare.

Also, keep in mind that the Universal SSL only covers first level subdomains like www.example.com, not www.blog.example.com or other second level subdomains.

1 Like

Hi,

Actually, I have subdomains managed from CNAME records in my DNS because they use different IPs, and I have a wildcard managed from an A record.

When I talk about subdomains and the wildcard, they are all used for subdomains like test.exemple.com, test1.exemple.com … and so on.

I have nothing like *.test.exemple.com.

So, is a wildcard like *.exemple.com good?

I have hundreds of subdomains with thousands of users that I cannot put in downtime until my domain is considered active by Cloudflare, and I can set up a certificate only after it’s active.

What are the solutions for my case?

There is no reason you should experience any downtime.

Make sure that you disable DNSSEC before you change the nameservers, and change all your DNS records on Cloudflare to DNS-Only until a certificate is provisioned.

This way, people will connect to your server directly until a certificate is provisioned. You can then change the records to proxied.

Also, make sure you are using the Full (Strict) encryption setting on Cloudflare.

1 Like
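The two pieces of advice above (Universal SSL covers only the apex and first-level names such as www.example.com, and every record should be imported DNS-only first and proxied later) can be checked mechanically before the nameserver switch. The Python below is an added example, not code from this thread or from Cloudflare: it takes a constructed sample of zone records, classifies each hostname by how many labels sit below the apex, builds an import plan in which every record starts with `proxied: false`, and lists the hostnames Universal SSL will not cover. The `SAMPLE_RECORDS` data and the zone name are made up for the example; the payload field names (`type`, `name`, `content`, `proxied`, `ttl`) follow the Cloudflare DNS records API body.

```python
from dataclasses import dataclass

# Constructed sample of a zone being migrated (not the poster's real records):
# (name relative to the apex or "@", record type, content).
SAMPLE_RECORDS = [
    ("@", "A", "203.0.113.10"),
    ("www", "CNAME", "exemple.com"),
    ("*", "A", "203.0.113.20"),            # the wildcard the poster relies on
    ("test1", "CNAME", "host1.example.net"),
    ("api", "CNAME", "host2.example.net"),
    ("www.blog", "A", "203.0.113.30"),     # a second-level subdomain
]


@dataclass
class ImportRecord:
    hostname: str
    rtype: str
    content: str
    proxied: bool                 # always False in the initial import
    universal_ssl_covered: bool   # apex or first-level name only


def fqdn(zone: str, name: str) -> str:
    """Expand a relative record name to its fully qualified form."""
    zone = zone.strip(".").lower()
    name = name.strip(".").lower()
    return zone if name in ("", "@") else f"{name}.{zone}"


def labels_below_apex(zone: str, hostname: str):
    """0 for the apex, 1 for www.zone, 2 for www.blog.zone; None if outside the zone."""
    zone = zone.strip(".").lower()
    host = hostname.strip(".").lower()
    if host == zone:
        return 0
    if not host.endswith("." + zone):
        return None
    return host[: -(len(zone) + 1)].count(".") + 1


def universal_ssl_covers(zone: str, hostname: str) -> bool:
    """Universal SSL covers the apex and one label below it (including *.zone)."""
    depth = labels_below_apex(zone, hostname)
    return depth is not None and depth <= 1


def plan_import(zone: str, records) -> list[ImportRecord]:
    """Every record starts DNS-only; flag the ones Universal SSL will not cover."""
    plan = []
    for name, rtype, content in records:
        host = fqdn(zone, name)
        plan.append(ImportRecord(host, rtype, content, False,
                                 universal_ssl_covers(zone, host)))
    return plan


def uncovered_hostnames(zone: str, records) -> list[str]:
    """Hostnames that would still show 'not covered by a certificate' when proxied."""
    return [r.hostname for r in plan_import(zone, records) if not r.universal_ssl_covered]


def to_api_payload(record: ImportRecord) -> dict:
    """Body shape of a Cloudflare dns_records create request (DNS-only, automatic TTL)."""
    return {"type": record.rtype, "name": record.hostname,
            "content": record.content, "proxied": record.proxied, "ttl": 1}


if __name__ == "__main__":
    for r in plan_import("exemple.com", SAMPLE_RECORDS):
        print(to_api_payload(r), "covered" if r.universal_ssl_covered else "NOT covered")
```

Running it over the constructed sample prints every record with `proxied: False` and marks only `www.blog.exemple.com` as not covered; that is the record to hold back (or to cover with a separate certificate) when the others are switched to proxied one at a time.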

Thanks for your help Laudian!

Can you confirm that a wildcard will work the way I explained with the proxy on Cloudflare once the certificate is obtained?

Also, I would add a question here.

Is DNSSEC activated by default here on Cloudflare, or do I need to configure it somehow as well?

Yes, after you change your DNS records to Proxied, a wildcard Origin certificate would work. Do you currently have a certificate for your domain? How did you obtain it? If you already have a wildcard certificate, you can just keep using the old one.

After you have changed your nameservers to Cloudflare, you can update the DS record at your registrar with the value provided by Cloudflare.

Yes, I have certificates for my domain.

Subdomains managed with CNAME records have Let’s Encrypt configured on each of their servers, and for the wildcard it’s the same certificate purchased through cheapssl that I renew every 1 or 2 years and that is installed on the servers.

Can I keep it this way?

If yes, I guess it’s probably better to disable proxying for all subdomains at first and test with 1 subdomain to make sure all is good.

For the DS, I will read about where to get it from Cloudflare to set it up on my registrar.

1 Like

Yes, that’s a very good idea.

1 Like

Hi,

I’m panicking a little at the moment.

I configured DNS properly, I disabled proxying and I changed my name servers at the registrar, but I completely forgot to disable DNSSEC before changing the name servers…

What can I do to avoid problems?

Disable DNSSEC or update the DS record at your registrar with the value provided by Cloudflare.

It seems to have been disabled automatically at the registrar. It’s disabled now.

If I go to my registrar now, in the DS Records settings (I was using the French language and needed to log out and back in), I see 4 DS records.

Do I need to delete them all and add the one provided by Cloudflare?

I added the one from Cloudflare to the registrar’s DS records, but I see the 4 other records + the one I just added.

Sorry for the question bombing here… It’s a stressful process with tons of potential problems, but now everything seems to work fine.

I did a test to proxy one A record that is hosted on a server with a Let’s Encrypt certificate, and everything seems to work fine.

I will continue my tests before proxying everything, but so far so good.

Thanks again for your help!

1 Like

Ideally, you would remove the additional DS records, but they don’t “hurt” you as such, they just make things slower.
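The advice above is to keep only the DS record Cloudflare provides and remove the leftover ones. Whether a DS entry at the registrar actually corresponds to the zone's current DNSKEY can be verified rather than guessed: the DS is just a key tag plus a SHA-256 digest over the owner name and the DNSKEY RDATA (RFC 4034, digest type 2). The Python below is an added example, not code from this thread or from Cloudflare: it recomputes the DS from a DNSKEY and reconciles it against the list shown by a registrar, reporting which entries are stale. The DNSKEY bytes (`CONSTRUCTED_KEY_B64`) and the old DS entry are made up for the example; a real check would feed in the DNSKEY published for the zone (for example from `dig exemple.com DNSKEY`) and the DS values copied from the registrar panel.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass

# Constructed 64-byte public key (the size of an ECDSA P-256 DNSKEY, algorithm 13).
# This is NOT a real Cloudflare key; it only makes the example deterministic.
CONSTRUCTED_KEY_B64 = base64.b64encode(bytes(range(64))).decode()


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # uppercase hex

    def presentation(self) -> str:
        """Zone-file / registrar form: '<tag> <alg> <digest type> <digest>'."""
        return f"{self.key_tag} {self.algorithm} {self.digest_type} {self.digest}"


def owner_name_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of a domain name, RFC 4034 section 6.2."""
    out = b""
    for label in name.strip(".").lower().split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def compute_ds(zone: str, flags: int, protocol: int, algorithm: int,
               public_key_b64: str) -> DS:
    """DS (digest type 2 = SHA-256) for a DNSKEY: SHA-256(owner name || RDATA)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)
    digest = hashlib.sha256(owner_name_wire(zone) + rdata).hexdigest().upper()
    return DS(key_tag(rdata), algorithm, 2, digest)


def parse_ds(text: str) -> DS:
    """Parse a DS line as copied from a registrar panel; digest may be split or lowercase."""
    tag, alg, dtype, *digest = text.split()
    return DS(int(tag), int(alg), int(dtype), "".join(digest).upper())


def reconcile_ds(registrar_ds: list[str], expected: DS) -> dict:
    """Report whether the expected DS is present and which registrar entries are stale."""
    parsed = [parse_ds(t) for t in registrar_ds]
    return {
        "present": expected in parsed,
        "stale": [d.presentation() for d in parsed if d != expected],
    }


if __name__ == "__main__":
    # Flags 257 = KSK (zone key + secure entry point), protocol is always 3.
    current = compute_ds("exemple.com", 257, 3, 13, CONSTRUCTED_KEY_B64)
    leftover = compute_ds("exemple.com", 257, 3, 13, base64.b64encode(bytes(64)).decode())
    print(reconcile_ds([leftover.presentation(), current.presentation()], current))
```

The `stale` list is what to delete at the registrar; an empty `present` means the Cloudflare-provided DS was not entered correctly (a common cause is a digest copied with a character missing, which this comparison catches because the digests simply differ).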
