It seems that the Cloudflare proxy occasionally works for sub-subdomains (*.subdomain.domain.tld), but other times it doesn’t work? I have something running over at render.com which has a custom domain of something.sub.domain.tld and is being properly proxied through Cloudflare; however, if I host the exact same application on Railway.app (which is ultimately what I want to end up using), it fails if I use the domain name something-else.sub.domain.tld. Any ideas why?
From CF’s CT logs, it seems that CF is issuing individual SSL certificates for each subdomain that is being proxied, from what I can tell.
Is this a Cloudflare issue that’s preventing it from working with Railway.app or is this a Railway.app issue that doesn’t work since it works with render.com? It did work with railway.app for some amount of time but it’s not working anymore and I’m getting a Cipher Mismatch error, so clearly it should work, but something broke it at some point since it’s not currently working.
It won’t work with HTTPS, as Cloudflare does not currently support issuing certificates for 4th-level subdomains. You would have to pay for Advanced Certificate Manager, which as I understand it will let you do this, though I haven’t tried it.
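The reply above comes down to certificate name matching: a wildcard in a certificate's Subject Alternative Name list matches exactly one label, so a certificate for the apex and *.domain.tld covers app.domain.tld but not something.sub.domain.tld, which needs a name such as *.sub.domain.tld or the exact hostname. The following Python is an added example (not code from the thread or from Cloudflare); it implements the RFC 6125 wildcard rules and uses a constructed SAN list that assumes the usual apex-plus-first-level-wildcard shape, so you can check for yourself whether a given hostname is covered by a given certificate before blaming the proxy.

```python
# Added example: check which names in a certificate's SAN list cover a hostname.
# The SAN list below is constructed for illustration; inspect the real
# certificate (e.g. from a CT log entry) and paste its SANs to check your own case.

def hostname_matches_name(hostname: str, name: str) -> bool:
    """RFC 6125-style match: a wildcard is only valid as the whole leftmost
    label and matches exactly one label (no partial or multi-label matches)."""
    host = hostname.lower().rstrip(".")
    pattern = name.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern
    # "*" must be the entire leftmost label and appear nowhere else.
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    host_labels = host.split(".")
    pattern_labels = pattern.split(".")
    # Same number of labels, the wildcard consumes one non-empty label,
    # and every remaining label must match exactly.
    return (
        len(host_labels) == len(pattern_labels)
        and host_labels[0] != ""
        and host_labels[1:] == pattern_labels[1:]
    )


def covering_names(hostname: str, sans: list[str]) -> list[str]:
    """Return the SAN entries that cover `hostname` (empty list = not covered)."""
    return [name for name in sans if hostname_matches_name(hostname, name)]


def label_depth(hostname: str) -> int:
    """Number of DNS labels, e.g. something.sub.domain.tld -> 4."""
    return len(hostname.rstrip(".").split("."))


def narrowest_wildcard(hostname: str) -> str:
    """The single-label wildcard that would cover `hostname`."""
    labels = hostname.rstrip(".").split(".")
    return "*." + ".".join(labels[1:])


# Constructed: an apex certificate with a first-level wildcard.
EXAMPLE_SANS = ["domain.tld", "*.domain.tld"]

if __name__ == "__main__":
    for host in ["domain.tld", "app.domain.tld", "something.sub.domain.tld"]:
        covered = covering_names(host, EXAMPLE_SANS)
        print(f"{host} (depth {label_depth(host)}): "
              f"{covered or 'NOT covered; would need ' + narrowest_wildcard(host)}")
```

Run it as is to see that the four-label name falls through; feed it the SAN list from the certificate your CT notification names to see which account's certificate is actually serving your hostname.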
See, that’s what I thought too, however I’ve had a situation prove me wrong. I created an application over on render, set up a custom domain for that for a 2nd level subdomain (something.sub.domain.tld) and then proxy it through Cloudflare and then have Cloudflare auto issue an SSL certificate for that domain even though technically it’s not supported. I have the CT logs to prove that CF is creating those SSL certificates through LE. It’s properly proxied through Cloudflare (Inspect Element->Network->server: Cloudflare) using that 2nd level subdomain.
Or am I just misunderstanding what’s happening in that situation? To me, it seems like it’s proxied through Cloudflare with Cloudflare issuing 2nd level subdomain SSL certificates.
I also eventually figured out what’s happening with my app on Railway: it wasn’t being proxied by Cloudflare when it looked like it was. Proxying through Cloudflare there didn’t work (which is what should’ve happened, except clearly there’s something going on to allow 2nd level subdomains to be proxied without paying for ACM).
Edit:
Proof of Concept that it actually works: https://prnt.sc/QNgiPHVe6y7G
It’s a second level subdomain, being proxied through Cloudflare with a LE SSL certificate that was issued because it’s being proxied through CF.
When you use your custom hostname with their service you are creating a CNAME set to DNS Only. This is key because Render is also using Cloudflare. Your Cloudflare account is not being issued the certificate. It is being issued to their Cloudflare for SaaS account following verification.
It is possible to procure certificates for hostnames beyond the subdomain with the appropriate subscription. See the Cloudflare documentation for details.
I understand this will probably come off as me looking for an answer that satisfies my original idea, but I’m just trying to understand this better.
When you use your custom hostname with their service you are creating a CNAME set to DNS Only. This is key because Render is also using Cloudflare. Your Cloudflare account is not being issued the certificate. It is being issued to their Cloudflare for SaaS account following verification.
I read through Render’s Docs (didn’t before, but just did now), and I didn’t see that latter part about the LE Certificate being issued to their CF for SaaS account. I’m guessing that I would still be getting Certificate Transparency notifications even if it wasn’t issued to my account since CT logs are public for a domain name?
Also, I don’t know if it makes a difference, but in my case the CNAME record was proxied in Cloudflare on my end, not set to DNS Only. That was the part I was most confused about, since it works properly on Railway if I’m not proxying the CNAME record.
Since you got it working with Render, you would have had to have had it set to at some point, even if you switched it later. Hostname priority would then come into play.
Correct. Because your account will not be able to obtain a certificate that deep without adding an appropriate subscription.
Since you got it working with Render, you would have had to have had it set to at some point, even if you switched it later. Hostname priority would then come into play.
I don’t know what to say other than I did not. I created the CNAME record as a proxied record from the start and I just waited maybe 5 minutes and it all just worked. I honestly didn’t read their docs since the button was there and using a proxied record just worked from the get-go.
So, what I’m getting is that Render uses CF for SaaS and thus they get issued SSL certificates for their customers’ services that are proxied through CF, and CF uses those certificates to enable proxying, even though Render’s own docs technically don’t support that use case?
I don’t know enough about the Cloudflare for SaaS validation process to know if it can work in an orange-to-orange scenario. I know that any validation that depends on the presence of a CNAME RR will fail on CNAME records because they are published as A and AAAA records. That results in explicit CNAME queries failing.
Either way, you are probably best off not proxying when pointing to a Cloudflare for SaaS partner. If you want your own Cloudflare edge certificates for deeper-level hostnames that point to your own origin resources, you will need to have a qualifying subscription on the domain.