SSL for SaaS handshake issue

We are trying to leverage the Custom Domain feature to offload the SSL certificate, which is mentioned in the article

As mentioned in the article, we are pointing the customer’s domain ( to the fallback domain ( This fallback domain is pointing to our nginx proxy.

The customer’s custom certificate is generated and traffic is pointing to the nginx proxy, but Cloudflare is doing the SSL handshake on the customer’s domain, which I was expecting it would do on the fallback domain. If that is the scenario, then we again have to maintain the custom domain certificate in the nginx proxy as well. Is this how it is supposed to work, or am I doing something wrong?

I think you’re skipping a step. There should be a Fallback hostname, and then you also need a CNAME that points to it. That CNAME is what you point your client to: (or some other hostname of your choice, including wildcard) → :orange:

Sorry to hijack this thread, but I’m struggling with something similar:

@sdayman: Can the CNAME point to an AWS CloudFront CNAME (which is in front of an S3 bucket)? If so, is it sufficient to have a * wildcard cert issued by Amazon in the CloudFront settings? I keep getting “525 SSL handshake failed”, just like described in this issue: SSL for SaaS with cloudfront fails SSL handshake
