SSL on subdomains is only wildcard, why?

I moved a new domain (transport-nantes.com) to Cloudflare yesterday. Www works fine, www.beta does not. Reading here, I understand this is because Cloudflare generates a single *.transport-nantes.com certificate. I confirm this:

# Show the leaf certificate the edge serves for this SNI name; the
# Subject Alternative Name extension lists which hostnames it covers.
host=www.transport-nantes.com
openssl s_client -servername "$host" -connect "$host":443 < /dev/null 2> /dev/null | openssl x509 -noout -text

I suppose this is easier, but why is this a good idea? SSL certificate generation has near-zero marginal cost and generating wildcard certificates only increases risk in case of certificate theft, no?

In addition, the strategy means that my subdomain broke, which was unexpected and wasn’t signaled on the DNS transfer dashboard.

Could this be related to CNAME flattening? Or am I way off?

@trichstir - Maybe, but I don’t follow how.

The case in point was www.beta.transport-nantes.com (currently not being cached by Cloudflare to avoid SSL issues). We could just rename that host, it’s clearly for internal more than external use. The underlying host lives in another domain.

We set this host in Cloudflare as a CNAME called www.beta pointing to beta.transport-nantes.com (which is an A record, which points to the underlying host nantes-4.p27.eu, which has rDNS back to nantes-4.p27.eu).

So maybe the right thing to do (if we wanted to preserve the name www.beta.transport-nantes.com) was to make a new domain called beta.transport-nantes.com and in that domain make a record for @ and www. Other DNS providers have gotten us in the habit of lazily creating the name www.beta for things like this.

As I said, the easiest thing for us to do is probably just to rename this one host. But I’m still curious (1) what we should have done and (2) why wildcard certificates are still a good idea in an age where certificates bear the cost of calculating their pub/priv key pair and that’s about it.
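An added example, not part of either post above or of Cloudflare's own tooling, that makes the two points concrete: the single-label wildcard rule that leaves www.beta.transport-nantes.com uncovered by *.transport-nantes.com, and why putting beta.transport-nantes.com in its own zone (with its own *.beta wildcard) would have covered it. The SAN lists are constructed sample values, not captured certificates; `fetch_dns_sans` is an optional live check that needs network access and is not exercised offline.

```python
import socket
import ssl

# Constructed sample: apex plus a single-label wildcard, the shape the
# thread describes for the transport-nantes.com zone (illustrative values).
SAMPLE_SANS_ZONE = ["transport-nantes.com", "*.transport-nantes.com"]

# Hypothetical SAN set if beta.transport-nantes.com were its own zone
# and got the same apex-plus-wildcard treatment (assumption, for comparison).
SAMPLE_SANS_BETA_ZONE = ["beta.transport-nantes.com", "*.beta.transport-nantes.com"]


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS name matching as browsers apply it.

    A '*' is honoured only when it is the entire leftmost label, it must be
    followed by at least two labels, and it matches exactly one label.
    It never matches a dot, so '*.example.com' covers 'a.example.com' but
    not 'a.b.example.com' and not the apex 'example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # partial wildcards ('w*.x.com') and '*.com' are rejected
    if len(p_labels) != len(h_labels):
        return False  # '*' cannot absorb 'www.beta' (two labels)
    return p_labels[1:] == h_labels[1:]


def covered_by(sans, hostname: str) -> bool:
    """True if any SAN entry covers the hostname."""
    return any(hostname_matches(san, hostname) for san in sans)


def check_names(sans, names):
    """Map each candidate hostname to whether the given SAN set covers it."""
    return {name: covered_by(sans, name) for name in names}


def fetch_dns_sans(host: str, port: int = 443, timeout: float = 5.0):
    """Live check (network required): connect with SNI and return the DNS SANs
    of the leaf certificate actually served for `host`.

    The default context verifies the chain and hostname, so a name the
    certificate does not cover surfaces as ssl.SSLCertVerificationError,
    which is the same failure a browser would show.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    names = [
        "transport-nantes.com",
        "www.transport-nantes.com",
        "beta.transport-nantes.com",
        "www.beta.transport-nantes.com",
    ]
    print("zone cert", SAMPLE_SANS_ZONE)
    for name, ok in check_names(SAMPLE_SANS_ZONE, names).items():
        print(f"  {'ok  ' if ok else 'FAIL'} {name}")
    print("separate beta zone cert", SAMPLE_SANS_BETA_ZONE)
    for name, ok in check_names(SAMPLE_SANS_BETA_ZONE, names[2:]).items():
        print(f"  {'ok  ' if ok else 'FAIL'} {name}")
```

Running the offline part shows www and beta covered by the zone wildcard and www.beta not covered, while the hypothetical *.beta.transport-nantes.com entry covers it; `fetch_dns_sans("www.transport-nantes.com")` reproduces the openssl check from the first post in Python and lets you feed the real SAN list into `check_names`.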

This is highly unlikely to happen, or be successful.

  1. Cloudflare would have to let the private key slip out.
  2. It also requires DNS to be hacked.
  3. In either of those cases, the attacker doesn’t need wildcard. They could spoof any of the explicit names as well.

The problem you’re facing is this:
