SSL wildcard - very confused

wildcard

#1

We are looking to move our whole platform over from x4b to Cloudflare. I know wildcard DNS entries are only supported for Enterprise accounts, but that is far out of our budget, so I’m OK that the DDoS protection is not there for the wildcard entry, but I do need the SSL to work.

We’re currently testing the setup with Cloudflare using our staging domain.

Under ‘Edge certificates’ it says:
kyvio.site, *.kyvio.site (2 hosts)

Which would indicate to me that Cloudflare is covering both of those?
https://kyvio.site works fine (Cloudflare SSL cert)
but
https://main.kyvio.site (or https://test4.kyvio.site) does not work at all.

Now I think buying a certificate for like $10 a month would solve this?
But then the question is: I also need SSL to work for CNAME’d domains from our users (www.customdomain.com -> CNAME -> site.kyvio.site), would that work?

So in short:

  • we need SSL on *.kyvio.site (we also do have our own custom wildcard cert but fine with buying the service from CF)
  • support for httpS://www.customdomain.com -> CNAME -> site.kyvio.site

Thank you!


#2

DDoS and SSL would go in this context hand in hand. Cloudflare generally supports wildcards but not proxied ones. Hence such a record would point straight to your server. If your certificate there covers the wildcard it will work.

No, because you still couldn’t proxy it through Cloudflare.

That is supported, even out-of-the-box with a free account, but only in an SSL context. For DNS wildcards you still need an Enterprise account or set up each record individually.

Which domain would be on Cloudflare in this case?

Your best bet might be to contact sales at https://www.cloudflare.com/plans/enterprise/contact/ and discuss possible options.


#3

Thank you for your reply Sandro!

"support for httpS://www.customdomain.com -> CNAME -> site.kyvio.site"
The domain (somesite).kyvio.site would be covered by the wildcard in this case…

We can tell our users to use CF for their domain too; but would prefer not to enforce that.

As for Enterprise: I’m fine paying up to a few hundred dollars a month if it would give us CDN/DDoS protection for the wildcard + SSL support as we need it, but AFAIK Enterprise packages start at $5k a month, which is just completely out of our budget :(.

Will try it though.


#4

That would not work, as the other domain would resolve to Cloudflare without Cloudflare knowing about it or what to do with it.

That would be required however, even though there might still be a problem when you point a Cloudflare domain to another one, but sales should be the best contact for that question.

That is somewhat correct, but maybe a partner setup might also be an option for you. It really is best to contact sales as they should know what they can offer that would match your needs.
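
Added example, not part of the thread and not Cloudflare's code: a Python sketch of how a TLS client matches the requested hostname against a certificate's SAN list, using the "kyvio.site, *.kyvio.site" pair quoted in post #1. It shows that the wildcard covers exactly one label, and that a custom domain CNAME'd to site.kyvio.site is checked under its own name, so that certificate does not cover it. The function names and the host a.b.kyvio.site are constructed for illustration.

```python
# Added example: hostname-vs-SAN matching as TLS clients do it (RFC 6125 rules).
# The SAN list is the one quoted in post #1; a.b.kyvio.site is a constructed name.

EDGE_SANS = ["kyvio.site", "*.kyvio.site"]


def san_matches(hostname, pattern):
    """True if one SAN entry covers hostname.

    A '*' is honoured only as the entire left-most label and stands for
    exactly one label, so it never spans a dot.
    """
    host = hostname.rstrip(".").lower().split(".")
    pat = pattern.rstrip(".").lower().split(".")
    if len(host) != len(pat) or "" in host:
        return False
    if pat[0] == "*":
        # Require at least "*.domain.tld"; compare every label after the wildcard.
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def cert_covers(requested_host, sans=EDGE_SANS):
    """The client checks the name it asked for against the SAN list."""
    return any(san_matches(requested_host, s) for s in sans)


def check_request(requested_host, cname_target=None):
    """Coverage for one request; cname_target is DNS-only and never consulted."""
    return {
        "requested": requested_host,
        "cname_target": cname_target,
        "covered": cert_covers(requested_host),  # target deliberately ignored
    }


if __name__ == "__main__":
    for host, target in [
        ("kyvio.site", None),
        ("main.kyvio.site", None),
        ("a.b.kyvio.site", None),  # two labels deep: not covered
        ("www.customdomain.com", "site.kyvio.site"),
    ]:
        print(check_request(host, target))
```

The check only answers whether a certificate's names cover a host; whether the request reaches a server holding that certificate depends on the DNS and proxy setup discussed in the replies.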