Second Level sub-domain not working with Full SSL Strict

I have generated an Origin Certificate from Cloudflare and installed it in Azure Kubernetes. I have also purchased Advanced Certificate Manager and then enabled “Full SSL Strict”; now it is showing a 526 error with second-level domains.

Note1: “Full SSL Strict” is working with a first-level subdomain, e.g. develop.example.com, but not working with a second-level subdomain, e.g. calculator.develop.example.com.

Note2: “Full SSL” is working with both the first-level subdomain, e.g. develop.example.com, and the second-level subdomain, e.g. calculator.develop.example.com.

error message: Invalid host

Please help me.

Perhaps this certificate only covers example.com and *.example.com? It needs to cover develop.example.com and *.develop.example.com (or calculator.develop.example.com if you’re not planning on having more subdomains).

The Full setting works because it doesn’t care whether the origin certificate is valid or not - which makes it insecure. The Full (strict) setting is secure but causes this error if the origin certificate doesn’t cover the requested (sub)domain.


Thank you albert for the quick response.

I have Advanced Certificate Manager but I don’t know why it is not working

That’s not an ACM problem. You’d see a browser error if that were the case. This is an origin cert problem.


Like sdayman said, the issue is with the connection between Cloudflare and your origin.
Advanced Certificate Manager is only used between Cloudflare and the client.

As I mentioned earlier, the Origin Certificate you’re using most likely doesn’t cover calculator.develop.example.com. You should generate a new Origin Certificate in the Cloudflare dashboard - this one should cover develop.example.com and *.develop.example.com.


Thank you sdayman


Thank you albert.

I will generate a new origin certificate and try again

Hi @albert - I generated a new origin certificate as you suggested and enabled “Full SSL Strict”, but it is not working. Same error.

For the moment, toggle the ‘calculator’ sub-subdomain to DNS Only (grey cloud), then wait five minutes for it to take effect.

Check back with your browser. It should still throw an error due to it being an origin certificate, but it should still let you see what certificate is there. Browsers usually have an “Advanced” button to click to respond to the error.

You can also try a curl against the origin:
curl -svo /dev/null https://www.example.com --connect-to ::123.123.123.123 2>&1 | egrep -v "^{.*$|^}.*$|^* http.*$"

Just make sure the IP address matches the one in your DNS records page here.
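As an added example that is not part of the thread (not albert's or sdayman's code): the script below applies the coverage rule albert describes (a wildcard SAN such as *.example.com matches exactly one DNS label, so it covers develop.example.com but not calculator.develop.example.com) and, in check_origin, retrieves the SAN list the origin presents the same way sdayman's curl check does: connecting to the origin IP directly with the hostname sent as SNI, bypassing Cloudflare. The function names, the SAN lists in the demo and the IP 123.123.123.123 are assumptions; the live check needs openssl and network access, so it is left commented out.

```shell
#!/bin/sh
# Added example: does a certificate's DNS SAN list cover a hostname, using
# the one-label wildcard rule that Full (strict) validation applies?

# san_covers HOST SAN -> exit 0 when SAN covers HOST (case-insensitive).
# "*.example.com" covers "develop.example.com" but NOT
# "calculator.develop.example.com" (two labels in place of the wildcard)
# and NOT the bare "example.com".
san_covers() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  san=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$san" in
    '*.'*)
      suffix=${san#\*.}
      # HOST must end in ".suffix" ...
      case "$host" in
        *".$suffix") label=${host%".$suffix"} ;;
        *) return 1 ;;
      esac
      # ... and the remaining prefix must be exactly one non-empty label.
      case "$label" in
        ''|*.*) return 1 ;;
        *) return 0 ;;
      esac
      ;;
    *) [ "$host" = "$san" ] ;;
  esac
}

# covered HOST "SAN1 SAN2 ..." -> exit 0 when any SAN in the list covers HOST.
covered() {
  for s in $2; do
    san_covers "$1" "$s" && return 0
  done
  return 1
}

# origin_sans IP HOST -> print the DNS SANs of the certificate the origin at
# IP serves for HOST (sent as SNI), one per line. s_client prints the
# certificate even though the Cloudflare Origin CA is not publicly trusted.
# Needs OpenSSL 1.1.1+ for "x509 -ext".
origin_sans() {
  openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# check_origin IP HOST -> report whether the origin's certificate covers HOST.
check_origin() {
  sans=$(origin_sans "$1" "$2" | tr '\n' ' ')
  if covered "$2" "$sans"; then
    echo "OK: $2 is covered by [$sans]"
  else
    echo "MISMATCH: $2 is not covered by [$sans]; expect 526 under Full (strict)"
    return 1
  fi
}

# Offline demonstration with constructed SAN lists (assumed, not taken from
# the thread): the original origin cert shape vs. the one albert suggests.
old_sans="example.com *.example.com"
new_sans="develop.example.com *.develop.example.com"
for h in develop.example.com calculator.develop.example.com; do
  for list in "$old_sans" "$new_sans"; do
    if covered "$h" "$list"; then
      echo "$h: covered by [$list]"
    else
      echo "$h: NOT covered by [$list]"
    fi
  done
done

# Live check against the origin (hypothetical IP); uncomment to run:
# check_origin 123.123.123.123 calculator.develop.example.com
```

If the live check reports a mismatch even after a new Origin Certificate was issued, the usual causes are that the new certificate was not actually deployed to the ingress (the old Secret is still referenced) or that the ingress serves a different certificate for that SNI name, so compare the SANs printed here with the ones shown in the Cloudflare dashboard for the certificate you just generated.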