SSL for SaaS handshake issue

We are trying to leverage the Custom Domain feature to offload the SSL certificate, as mentioned in this article:
https://developers.cloudflare.com/ssl/ssl-for-saas/getting-started

As mentioned in the article, we are pointing the customer’s domain (customer.example.com) to the fallback domain (fallback.company.com). This fallback domain is pointing to our nginx proxy.

The customer’s custom certificate is generated and traffic is pointing to the nginx proxy, but Cloudflare is doing the SSL handshake on the customer’s domain, which I was expecting it would do on the fallback domain. If that is the scenario, then we again have to maintain the custom domain certificate in the nginx proxy as well. Is this how it is supposed to work, or am I doing something wrong?

I think you’re skipping a step. There should be a Fallback hostname, and then you also need a CNAME that points to it. That CNAME is what you point your client to:

customer.example.com → :grey: customer.company.com (or some other hostname of your choice, including wildcard) → :orange: fallback.company.com

Sorry to hijack this thread, but I’m struggling with something similar:

@sdayman: Can the fallback.company.com CNAME point to an AWS CloudFront CNAME (which is in front of an S3 bucket)? If so, is it sufficient to have a *.company.com wildcard cert issued by Amazon in the CloudFront settings? I keep getting “525 SSL handshake failed”, just like described in this issue: SSL for SaaS with cloudfront fails SSL handshake
