Multi-level subdomain wildcard with Advanced Certificate and Total TLS

Hi - I am considering buying the Advanced Certificate and moving out of Universal SSL to enable wildcards for second-level subdomains. I have many second-level subdomains that require wildcard SSL support, eg.
I understand I have to issue an advanced dedicated SSL certificate, which will allow me to add up to 50 SANs (2 SANs for each subdomain, including the wildcard), so around 25 second-level subdomains with their wildcards can be supported without the CIPHER/unsupported protocol error.

I understand with Total TLS I can choose Let's Encrypt so all the second-level subdomains I create with wildcards will be automatically protected.

The current workaround I have is: for all the second-level subdomains that require a wildcard I am using DNS only (no proxy), so the wildcard SSL is working fine… and for second-level subdomains that do not require wildcard support I am using the proxy. This workaround is working fine, although I am missing out on the security and cache benefits of the CF proxy for the wildcard second-level subdomains.

So before switching to an Advanced Certificate I wanted confirmation from experts that the above setup will not break my sites and make them inaccessible if I switch to an Advanced Certificate.

Answer these questions to help the Community help you with Security questions.

What error message or number are you receiving?

The connection for this site is not secure

abc1[dot]page[dot]topdomain[dot]co uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH

What steps have you taken to resolve the issue?

  1. I have now removed the proxy and am using DNS only for the second-level subdomain - abc1[dot]page[dot]topdomain[dot]co and *[dot]page[dot]topdomain[dot]co
  2. I have Let's Encrypt issued at the origin
  3. So wildcards at the second level are working fine

Was the site working with SSL prior to adding it to Cloudflare?

What are the steps to reproduce the error:

Have you tried from another browser and/or incognito mode?

Please attach a screenshot of the error:

What is the domain name?
Confidential

Have you searched for an answer?
Yes

Please share your search results url:
[Origin Certificates and Subdomains - Website, Application, Performance / Security - Cloudflare Community]
[Trouble with Multi-Level Subdomain DNS - Website, Application, Performance / DNS & Network - Cloudflare Community]
[Use a second-level sub domains with ssl - Website, Application, Performance / Security - Cloudflare Community]

When you tested your domain, what were the results?
CIPHER-ERROR ; UNSUPPORTED PROTOCOL


Hello @oliveearthdigital

Switching to an Advanced Certificate should not disrupt your setup. Advanced Certificates include wildcard support for the first level beneath the domain (like “xxxx.DOMAIN.TLD”). However, to secure more hostnames including second level subdomains, you may need to employ Dedicated SSL with custom hostnames.

Please ensure to add your wildcard second level subdomains as SANs in your certificate. Lastly, remember Cloudflare only supports wildcard DNS entries for grey-clouded (DNS-only) records.

Regards,

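The coverage rule behind the reply above, shown as an added Python example (not code from this thread or from Cloudflare): a wildcard label in a certificate SAN matches exactly one DNS label, so `*.topdomain.co` covers `page.topdomain.co` but not `abc1.page.topdomain.co`, which is the gap the original post hits when a multi-level hostname is proxied with only a first-level wildcard. The second function plans the SAN list for the two-SANs-per-second-level-subdomain scheme the original post describes; it assumes two SANs are reserved for the apex and its first-level wildcard, and the hostnames are placeholders built from the thread's redacted names.

```python
"""Wildcard SAN matching (RFC 6125 style) and SAN planning for multi-level subdomains.

Added example, not code from the Cloudflare Community thread. Hostnames are
constructed placeholders derived from the redacted names in the thread.
"""
from __future__ import annotations


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate SAN `pattern` covers `hostname`.

    Rules as browsers apply them (RFC 6125 section 6.4.3):
      * comparison is case-insensitive;
      * a wildcard is only allowed as the entire left-most label;
      * the wildcard matches exactly one label, never zero or several;
      * a wildcard must leave at least two fixed labels (no "*.co").
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    if "*" not in pattern:
        return p_labels == h_labels

    # Wildcard must be the whole first label; partial wildcards such as
    # "a*.example.com" and wildcards deeper in the name are rejected.
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False

    # One wildcard label matches exactly one hostname label, so the label
    # counts must be equal: "*.topdomain.co" never covers "a.b.topdomain.co".
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def covering_san(sans: list[str], hostname: str) -> str | None:
    """Return the first SAN in `sans` that covers `hostname`, or None."""
    for san in sans:
        if hostname_matches(san, hostname):
            return san
    return None


def plan_sans(apex: str, second_level: list[str], max_sans: int = 50) -> dict:
    """Build the SAN list for a certificate covering the apex, its first-level
    wildcard, and each second-level subdomain plus its own wildcard.

    Two SANs per second-level subdomain, as the thread describes. Reserving two
    SANs for the apex pair is an assumption of this example.
    """
    sans = [apex, f"*.{apex}"]
    for name in second_level:
        sans.append(f"{name}.{apex}")     # e.g. page.topdomain.co
        sans.append(f"*.{name}.{apex}")   # e.g. *.page.topdomain.co
    return {
        "sans": sans,
        "count": len(sans),
        "fits": len(sans) <= max_sans,
        "max_second_level": (max_sans - 2) // 2,
    }


if __name__ == "__main__":
    universal = ["topdomain.co", "*.topdomain.co"]
    for host in ["page.topdomain.co", "abc1.page.topdomain.co"]:
        print(f"{host:28s} covered by {covering_san(universal, host)!r}")
    plan = plan_sans("topdomain.co", ["page", "shop"])
    print(plan["count"], "SANs, fits:", plan["fits"])
    print("covered now:", covering_san(plan["sans"], "abc1.page.topdomain.co"))
```

Running the module prints that `abc1.page.topdomain.co` has no covering SAN under the apex-plus-first-level-wildcard pair, and is covered by `*.page.topdomain.co` once that SAN is added; `plan_sans` also shows that the 50-SAN limit leaves room for 24 second-level subdomains when the apex pair is included.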

thanks for your reply.

I will test it out.

However, if something goes wrong with Advanced SSL or I don't get the right output, can I switch back to Universal SSL?
Is there a risk that it will make my current sites unreachable?
