UI could indicate Universal SSL doesn't work for third-level subdomains

Ran into this issue again where Universal SSL doesn’t work for third-level subdomains (abc.xyz.domain.tld) and when testing all the browser says is SSL error.

The UI could make this limitation more obvious, like it does for non-proxied records, where it says the origin IP is exposed.

The Dashboard quite clearly shows that the certificate is for *.example.com and example.com.

What is it that you’d like it to say?


DNS page could put an exclamation icon next to the cloud-ed record to point out an SSL cert doesn’t cover it. Banner at the top could point out SSL cert isn’t applying to some records, similar to the SPF/DMARC missing banners. That way it’s pointed out ASAP to the admin.

I’m only seeing *.example.com in the SSL/TLS > Edge Certificates area.

To those of us in the know on SSL certs, we should recognize that *.example.com doesn’t apply to third-level subdomains… but that also doesn’t mean Cloudflare isn’t technically able to create wildcard/SANs for the additional records.

It’s just one of those Cloudflare gotchas that the UI doesn’t point out when it’s helpful, like BFM not being bypass-able with page rules or mTLS.
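The wildcard rule behind the gotcha above, as an added example that is not part of this thread or of Cloudflare's code: it applies the single-label wildcard matching browsers use (RFC 6125 / RFC 2818) to list which proxied hostnames a zone's Universal SSL names do not cover. The certificate names and DNS records are constructed sample values.

```python
# Added example (not from the original thread): check which proxied DNS
# hostnames a certificate's names actually cover, using the single-label
# wildcard rule from RFC 6125 / RFC 2818 that browsers apply.
from typing import Iterable, List


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (possibly a wildcard) covers hostname.

    A wildcard is only honoured as the whole left-most label and matches
    exactly one label, so *.example.com covers www.example.com but not
    example.com or abc.xyz.example.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, sep, tail = pattern.partition(".")
    if head != "*" or not sep or "*" in tail:
        return False  # only a leading, whole-label wildcard is valid
    h_head, h_sep, h_tail = hostname.partition(".")
    # The wildcard consumes exactly one non-empty label; the rest must match.
    return bool(h_head) and bool(h_sep) and h_tail == tail


def uncovered_hostnames(cert_names: Iterable[str], hostnames: Iterable[str]) -> List[str]:
    """Hostnames that none of the certificate's names cover (in input order)."""
    names = list(cert_names)
    return [h for h in hostnames if not any(name_matches(n, h) for n in names)]


# Constructed sample: the names a Universal SSL certificate carries for a zone,
# and the proxied records in a hypothetical zone (hostnames are assumptions).
UNIVERSAL_CERT_NAMES = ["example.com", "*.example.com"]
PROXIED_RECORDS = [
    "example.com",
    "www.example.com",
    "xyz.example.com",
    "abc.xyz.example.com",  # third-level: browsers will reject the cert
]

if __name__ == "__main__":
    for host in uncovered_hostnames(UNIVERSAL_CERT_NAMES, PROXIED_RECORDS):
        print(f"{host}: not covered by {UNIVERSAL_CERT_NAMES}")
```

Running it over a zone's proxied records before enabling the orange cloud flags exactly the hostnames that would show a browser SSL error under the default certificate.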
