I’ve enabled Custom Hostnames for my domain, and added a fallback domain which works correctly when accessed. When I add a new custom domain, and then point that custom domain to my main domain via a CNAME record, I get an “Invalid SSL Certificate” error when accessing the custom domain.
Any ideas what could be causing this? I’ve attached screenshots of the setup.
Does the SSL certificate on your server cover the hostname you are trying to access?
If you’re using Strict mode, you must ensure that the certificates on your origin contain a Subject Alternative Name (SAN) that matches your customer’s hostname, e.g. support.yourcustomer.site. Our Origin CA product can be used to generate these certificates for use with Strict mode.
Hi. Yes, it was issued by Let’s Encrypt and includes wildcards.
And it covers your customer’s hostname, not just yours?
As far as I can tell, yes. Is there a way to confirm this 100%?
You could look at the SAN field in the certificate. You can see an example in this offsite article.
You can use the following command if you have curl available (download if not):
curl -v https://customerdomain.com --connect-to ::actual-server-ip
This will use your customer’s hostname but bypass the Cloudflare proxy to see the certificate that is actually served to Cloudflare.
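The same check as the curl command above, as an added example that is not part of the thread: it handshakes directly with the origin IP using the customer hostname as SNI, then tests whether the served certificate’s DNS SANs (wildcards included) cover that name. The origin IP and hostnames are placeholders you supply, and it assumes the origin chain validates against the system trust store.

```python
"""Does the origin serve a certificate that covers a customer hostname?"""
import socket
import ssl


def san_covers(hostname, sans):
    """True if any DNS SAN matches hostname.

    Wildcard rules as browsers apply them: '*' must be the entire leftmost
    label and matches exactly one label, so '*.example.com' covers
    'app.example.com' but not 'example.com' or 'a.b.example.com'.
    """
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*.") and "*" not in san[2:]:
            pattern = san[2:].split(".")
            if len(labels) == len(pattern) + 1 and labels[1:] == pattern:
                return True
    return False


def origin_sans(origin_ip, hostname, port=443):
    """Handshake with origin_ip using hostname as SNI; return its DNS SANs.

    Raises ssl.SSLError when the handshake fails, e.g. the
    'tlsv1 unrecognized name' alert seen in the thread.
    """
    ctx = ssl.create_default_context()  # chain is still verified (assumption)
    ctx.check_hostname = False          # we compare the SANs ourselves
    with socket.create_connection((origin_ip, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def check_origin(origin_ip, hostname):
    """Short verdict for one customer hostname against the origin."""
    try:
        sans = origin_sans(origin_ip, hostname)
    except ssl.SSLError as exc:
        return "handshake failed for %s: %s" % (hostname, exc.reason)
    if san_covers(hostname, sans):
        return "%s is covered by SAN list %s" % (hostname, sans)
    return "%s is NOT in SAN list %s" % (hostname, sans)


if __name__ == "__main__":
    import sys  # usage: script.py <origin-ip> <customer-hostname>
    print(check_origin(sys.argv[1], sys.argv[2]))
```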
Thanks for your help with this, appreciate it!
This is what I get when I curl:
* Connecting to hostname: xxx.xxx.xxx.xxx
* Trying xxx.xxx.xxx.xxx:443...
* Connected to xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* error:1404B458:SSL routines:ST_CONNECT:tlsv1 unrecognized name
* Closing connection 0
curl: (35) error:1404B458:SSL routines:ST_CONNECT:tlsv1 unrecognized name
Does this mean the certificate does not cover the customer’s hostname?
Thank you! Managed to find the issue now. Was an Nginx config issue that was not handling wildcard server names correctly.
For anyone else encountering this while trying to use Laravel Forge to create a server with Cloudflare Custom Hostnames for SaaS, you need to update this line in your Nginx config: