SSL Certificate Expiration Dates, Issuers, and "Full (Strict)" Setting

When you say “whatever”, you do mean “whatever” as a general term/example as part of the wildcard DNS record/certificate and not “whatever” as in a dedicated/separate DNS record/certificiate, right?

I mean “whatever” as in an arbitrary subdomain.

1 Like

So basically this won’t work without messing around on Proton’s side? Is it worth trying it do you think? :thinking:

I’m concerned that the Common Name might change the next time they issue a new certificate. It varies sometimes.

Probably not. For many shared hosting providers, part of their business is charging for each (sub)domain users want to add. I have not yet seen any hosting provider that accepts wildcard domains.

1 Like

Okay. In that case, I’ll leave it set to “Full”.

Put it this way, using Cloudflare as a nameserver with my domain and enabling all of the security features they have is much better than solely using Google Domains as a nameserver like I was before.

More security is better, even if it’s not strictly full. (Pun intended, lol).

Thanks for your help. Have a great day. :slight_smile:

1 Like

I might use a Configuration Rule to exclude the wildcard from “Full (Strict)” which I imagine should work.

Never thought of this until now.

If I do it like this:

If hostname is *, then disable “Full (Strict)”.

It will probably include all subdomains that have their own dedicated DNS record, which I obviously won’t want. ONLY subdomains that resolve to the * should be included in that Configuration Rule. Not too sure how to specify this in the Rule.

Added all current DNS values to a Configuration Rule as per this comment.

“Full (Strict)” should now be enabled for everything but the wildcard.

Is there a way to check?

Just as information, if you don’t use Full Strict, your site is not secure.

Surely if the origin cert is valid, and the Cloudflare cert is valid and it’s set to full, then it’s secure?

I understand that if the origin cert was invalid but the Cloudflare one is valid, then that’s insecure.

I don’t understand why it’s called “Full” if it’s not really full. Seems very stupid and a dumb choice to me.

It’s not secure because you disabled certificate validation, hence the validity of the certificate is irrelevant. If you want a secure site, it needs to be Full Strict.

As for why Cloudflare called it like that, marketing, simple as that.

That is very stupid.


1 Like

I’ll explain how I’ve set this up, as I am very confused about something and I’ve been thinking about it for over an hour now and I can’t wrap my head around it.

I have created a Configuration rule. This is what it looks like:

My primary setting is this:

My DNS looks like this:

So if it doesn’t match any of the records I’ve added, it’ll set it to Full, by the Configuration Rule.
Otherwise, it sets it to Full Strict, by the primary setting.

So in theory, Full Strict should be off for the wildcard and on for everything else. Right? There doesn’t seem to be a way to check this without going by whatever I’ve set up. There’s no “Tester” for it.

If I were to set up a new website on a new subdomain, say through Google Sites (which provides valid SSL, so would be fine with Full Strict - I think), would I need to add it to my Configuration Rule or not? What SSL setting would it be set to if I didn’t modify anything?

Please can someone clarify this?

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.