SSL for subdomains containing more than 1 word does not work


#1

I have a subdomain set up, shop.mydomain.be, as an A record; this works OK.
CNAMEs eshop.mydomain.be and webshop.mydomain.be also work fine with SSL through Cloudflare.
However, a CNAME like www.shop.mydomain.be generates an error in Firefox and Edge: SSL_ERROR_NO_CYPHER_OVERLAP
Greying out the orange cloud (DNS only) makes this CNAME work just fine.


#2

Correct. A second-level subdomain isn’t covered by the wildcard certificate. The certificate is valid for example.com and *.example.com. It is not valid for www.*.example.com or *.*.example.com

To go that deep, you’ll need the $10/month Custom Hostname TLS certificate. Then you can add sub-subdomains to the certificate hostname list.


#3

Whilst your URL is a tad unusual, this is actually going to become a much more frequently encountered issue. RFC8461 has just been published, which necessitates a new subdomain be used to publish a domain’s mail security policy. Anyone using dedicated subdomains for email (which is best practice for things like mailouts) won’t be able to implement it via Cloudflare because the necessary domain, e.g. mta-sts.mailout.example.com, won’t have a valid cert.
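To make the rule from #2 concrete, and to cover the mta-sts.mailout.example.com case from #3, here is an added example (not code from the thread or from Cloudflare) of the wildcard-matching logic a browser applies when checking a certificate name against the requested hostname (RFC 6125 section 6.4.3: one wildcard, only as the whole leftmost label, matching exactly one label). The names in UNIVERSAL_SSL_NAMES are constructed from the description in #2.

```python
def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (possibly a wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label, appear only once,
    # and must not stand in for a registrable name ("*.com", "*" are rejected).
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    # The wildcard covers exactly one label, so label counts must agree:
    # "*.example.com" covers shop.example.com but not www.shop.example.com.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def covered_by(cert_names, hostname: str) -> bool:
    """True if any name in the certificate's SAN list covers hostname."""
    return any(hostname_matches(name, hostname) for name in cert_names)


# Constructed to mirror the names described in #2 (apex + one-level wildcard).
UNIVERSAL_SSL_NAMES = ("example.com", "*.example.com")

# Hostnames discussed in the thread, using the example.com placeholder domain.
THREAD_HOSTNAMES = (
    "shop.example.com",              # A record, works
    "eshop.example.com",             # CNAME, works
    "www.shop.example.com",          # sub-subdomain, fails
    "mta-sts.mailout.example.com",   # RFC 8461 policy host on a mail subdomain
)


def report(cert_names=UNIVERSAL_SSL_NAMES, hostnames=THREAD_HOSTNAMES) -> dict:
    """Map each hostname to whether the certificate would be accepted for it."""
    return {h: covered_by(cert_names, h) for h in hostnames}


if __name__ == "__main__":
    for host, ok in report().items():
        print(f"{host:32} {'covered' if ok else 'NOT covered'}")
```

A certificate that also lists `*.shop.example.com` (the kind of extra hostname #2 describes adding) is what makes `www.shop.example.com` match again.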


#4

Oh OK, no problem. People who want to add www before the subdomain can be served directly then, bypassing CF.


#5

RFC8461 seems to be one of the dumber RFCs I’ve read in a while.