Total TLS issues

Ever since we have turned on Total TLS, we are having issues with custom hostname cert status validating.

One issue I think is our Total TLS is set to use Let’s Encrypt and we use the same thing for custom hostnames now that digicert is no longer available and we keep getting rate limited. If we try Google trust with the custom hostname the edge cert status sometimes get’s stuck on initializing.

We have just over 2700 edge certs.

Is Total TLS really needed?

If I turn it off for now, will it bring down sites?

Would it be better to use no preference then setting it to let’s encrypt or google trust?

Hi there,

Sorry for the issues you facing.

You do not need to use Total TLS - it is an addtional feature as part of Advanced Certificate Manager that automatically orders an individual certificate for a specific hostname when that hostname is proxied through Cloudflare.

This is useful in the cases where maybe you have multi-level subdomains (eg. dev.test.example.com)

But if you are only using a single level subdomain (test.example.com) - you can just order one ACM certificate that covers (example.com & *.example.com) - and that should be good

If you already have a ACM/Universal Certificate wildcard certificate that covers all your subdomains you can disable Total TLS safely. The main thing to check is that you dont have any hostnames, that are not covered by a *.example.com certificate.

Are you seeing an error about being rate-limited when ordering certificates?
Using no preference when it comes to your certificates may be a good path forward, if you decide to use total TLS going forward.

1 Like

We do have a bunch of mult-leveled domain names which are covered by certs the client buy or we run let’s encrypt and assign a cert that way.

So support has told me before that we are being rate limited duo to to many renewal requests.

Thanks for the info. I guess we will first try and see if no preference makes any difference and then go from there.

You are able to order an Advanced certificate that covers your multi-level subdomains too:

example.com
*.example.com
*.dev.example.com
*.test.example.com

I guess it depending on how often you are adding additional DNS records and new hostnames and how much maintenance that would be to order a new ACM with new hostnames, will determine how useful Total TLS is.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.