Second Level sub-domain not working with Full SSL Strict

I have generated an Origin Certificate from Cloudflare and installed it in Azure Kubernetes. I also purchased Advanced Certificate Manager and then enabled “Full SSL Strict”; now it is showing a 526 error with second level domains.

Note 1: “Full SSL Strict” is working with a first level subdomain e.g. but not working with a second level subdomain e.g.

Note 2: “Full SSL” is working with both the first level sub-domain e.g. and the second level sub-domain e.g.

error message: Invalid host

Please help me.

Perhaps this certificate only covers and * It needs to cover and * (or if you’re not planning on having more subdomains).

The Full setting works because it doesn’t care whether the origin certificate is valid or not - which makes it insecure. The Full (strict) setting is secure but causes this error if the origin certificate doesn’t cover the requested (sub)domain.


Thank you albert for the quick response.

I have Advanced Certificate Manager but I don’t know why it is not working

That’s not an ACM problem. You’d see a browser error if that were the case. This is an origin cert problem.


Like sdayman said, the issue is with the connection between Cloudflare and your origin.
Advanced Certificate Manager is only used between Cloudflare and the client.

As I mentioned earlier, the Origin Certificate you’re using most likely doesn’t cover You should generate a new Origin Certificate in the Cloudflare dashboard - this one should cover and *
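The rule behind albert's answer is the standard wildcard matching used for TLS certificates (RFC 6125): a `*` label matches exactly one DNS label, so `*.example.com` covers `app.example.com` but not `calculator.app.example.com`. The script below is an added example, not code from the thread or from Cloudflare; it implements that rule over a constructed SAN list (the thread's real hostnames are not on the page, so `example.com` is a placeholder) and reports which SAN entries a new Origin Certificate would need to add for a host that is not covered.

```python
"""Check whether an origin certificate's SAN list covers a hostname.

Implements the RFC 6125 wildcard rule: '*' matches exactly one label and
is only allowed as the entire leftmost label. This is why '*.example.com'
covers 'app.example.com' but not 'calculator.app.example.com'.
"""


def san_matches_host(san: str, host: str) -> bool:
    """Return True if a single SAN dNSName entry covers `host`."""
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in san:
        return san == host
    san_labels = san.split(".")
    host_labels = host.split(".")
    # Wildcard must be the whole leftmost label and appear nowhere else.
    if san_labels[0] != "*" or any("*" in label for label in san_labels[1:]):
        return False
    # A wildcard never spans more than one label, so label counts must agree.
    if len(san_labels) != len(host_labels):
        return False
    # Leftmost label is free (but must be non-empty); the rest match exactly.
    if not host_labels[0]:
        return False
    return san_labels[1:] == host_labels[1:]


def cert_covers(sans, host: str) -> bool:
    """True if any SAN entry in the certificate covers `host`."""
    return any(san_matches_host(san, host) for san in sans)


def needed_sans(host: str):
    """SAN entries that would cover `host` and its siblings: the parent zone
    plus a wildcard under it (the pattern albert recommends above)."""
    parent = host.lower().rstrip(".").split(".", 1)[1]
    return (parent, "*." + parent)


def coverage_report(sans, hosts):
    """Map each host to (covered, suggested SANs or None)."""
    report = {}
    for host in hosts:
        covered = cert_covers(sans, host)
        report[host] = (covered, None if covered else needed_sans(host))
    return report


# Constructed sample data (placeholders, not the thread's real domain):
# a typical Origin Certificate issued for the apex and a single-level wildcard.
SAMPLE_SANS = ["example.com", "*.example.com"]
SAMPLE_HOSTS = [
    "example.com",                  # apex: covered by the first SAN
    "app.example.com",              # first-level subdomain: covered by wildcard
    "calculator.app.example.com",   # second-level subdomain: NOT covered
]

if __name__ == "__main__":
    for host, (ok, suggestion) in coverage_report(SAMPLE_SANS, SAMPLE_HOSTS).items():
        status = "covered" if ok else f"NOT covered; add SANs {suggestion}"
        print(f"{host}: {status}")
```

Feed `cert_covers` the dNSName list you read out of the certificate (browser certificate viewer or `openssl x509 -noout -ext subjectAltName`), and it tells you whether Full (strict) will accept the origin for a given hostname before you flip the setting.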


Thank you sdayman


Thank you albert.

I will generate a new origin certificate and try again

Hi @albert - I generated a new origin certificate as you suggested and enabled “Full SSL Strict”, but it is not working. Same error.

For the moment, toggle the ‘calculator’ sub-subdomain to :grey: DNS Only, then wait five minutes to take effect.

Check back with your browser. It should still throw an error due to it being an origin certificate, but it should still let you see what certificate is there. Browsers usually have an “Advanced” button to click to respond to the error.

You can also try a curl against the origin:
curl -svo /dev/null --connect-to :: 2>&1 | egrep -v "^{.*$|^}.*$|^* http.*$"

Just make sure the IP address matches the one in your DNS records page here.
