Universal SSL but cannot route through Cloudflare

I’m really confused about how I can use wildcard SSL certificates in the free account. In older articles it states that only Enterprise accounts are able to have wildcard SSL certificates, yet I see this within my account:

To me, it clearly states that I can request a free certificate for *.domain.com - but how am I supposed to use it if I cannot route *.domain.com through Cloudflare?

Update: I did not mark this as a solution, as it is still not clear. See my second post.

Being able to issue wildcard SSL certificates and being able to enable the Cloudflare orange cloud proxy on the actual wildcard DNS entry are 2 separate things on Cloudflare Free, Pro and Business plans. You can issue a wildcard SSL certificate and use that SSL cert on any DNS record, i.e. subdomains behind the CF orange cloud proxy. But you can’t actually proxy the *.domain.com wildcard itself unless you’re on the Cloudflare Enterprise plan.

As such on Cloudflare Free, Pro and Business plans you need to have a specific subdomain DNS record added rather than a single *.domain.com wildcard DNS entry.

So if you added

sub1.domain.com
sub2.domain.com
sub3.domain.com

to your DNS records, they will all be served from the wildcard SSL certificate that covers *.domain.com and can be CF orange cloud proxied for each subdomain.
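Since the advice above is to add one proxied record per subdomain rather than proxying the wildcard, here is an added example (not code from the thread or from Cloudflare) that builds those A records for the three names used above and, when credentials are present, submits them to the Cloudflare v4 DNS API. The zone name, origin address and environment variable names are assumptions; the guard refuses to build a proxied record for a `*` name, which the thread says is an Enterprise-only feature.

```python
"""Create proxied DNS records for specific first-level subdomains via the Cloudflare v4 API."""
import json
import os
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"


def build_record(name: str, origin_ip: str, proxied: bool = True) -> dict:
    """Return the JSON body for one A record.

    Refuses to build a proxied wildcard record: outside the Enterprise plan a
    '*' record can only exist unproxied (grey cloud), per the thread above.
    """
    if name.startswith("*") and proxied:
        raise ValueError("wildcard records cannot be proxied on Free/Pro/Business plans")
    return {
        "type": "A",
        "name": name,       # fully qualified, e.g. "sub1.domain.com"
        "content": origin_ip,
        "proxied": proxied,  # True = orange cloud, served with the edge certificate
        "ttl": 1,            # 1 = automatic TTL
    }


def plan_records(subdomains, zone: str, origin_ip: str) -> list:
    """Build one proxied A record per first-level subdomain of the zone."""
    return [build_record(f"{sub}.{zone}", origin_ip, proxied=True) for sub in subdomains]


def create_record(zone_id: str, token: str, record: dict) -> dict:
    """POST one record to the zone's dns_records endpoint; returns the parsed API response."""
    req = urllib.request.Request(
        f"{API_BASE}/zones/{zone_id}/dns_records",
        data=json.dumps(record).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    ZONE = "domain.com"                    # placeholder zone from the thread
    SUBDOMAINS = ["sub1", "sub2", "sub3"]  # the names used in the answer above
    ORIGIN_IP = "192.0.2.10"               # constructed documentation address

    records = plan_records(SUBDOMAINS, ZONE, ORIGIN_IP)
    for rec in records:
        print(json.dumps(rec))

    # Assumed environment variable names; without them no network call is made.
    zone_id = os.environ.get("CF_ZONE_ID")
    token = os.environ.get("CF_API_TOKEN")
    if zone_id and token:
        for rec in records:
            print(rec["name"], "created:", create_record(zone_id, token, rec).get("success"))
    else:
        print("CF_ZONE_ID / CF_API_TOKEN not set; payloads printed only")
```

Scope the API token to DNS edit on the one zone; the script never needs more than that.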

Ok, so just to be clear: I am not able to use a wildcard certificate for “*”, but only for specific, manually (or via API) created subdomains such as “sub1”. This would be possible?

Then this just confuses me even more: https://v1.dynqr.codes/customers/v1/public/
This is a different account (not mine, but I have access to it) which does exactly what I need. If you inspect the certificate, you’ll see it’s “sni.cloudflaressl.com”. But this account is also free and the “v1” is not defined specifically, it just works with the “*” DNS entry.

Cloudflare gives you a certificate for example.com. It includes *.example.com which will include that first level subdomain, like ‘www’, ‘blog’, ‘v1’, etc. So it’s available if you proxy the naked domain, or any first level subdomain.


But as eva2000 said, this will only work for subdomains that are created manually, right? So basically “*” is not working for subdomains that were not created as an A record? Because this config is not working for “dynamic” first-level subdomains.

Hi @ivy.mayhem,

Wildcard DNS records are currently only available on the Enterprise plan, unless you don’t want them proxied by Cloudflare.

@domjh I don’t want them proxied by Cloudflare - but I need them to have a valid SSL certificate, preferably through Cloudflare. Is this even possible without an Enterprise plan? When I check the SSL/TLS section, there is a certificate for * domains. But I’m starting to think that * does not mean * at all, but just for manually created subdomains.

If they are not proxied through Cloudflare, then the edge certificates there don’t have any effect. It does cover all first level subdomains, but those certificates are only served when a site is proxied.

When you proxy traffic through Cloudflare, the first part of the connection, between the visitor and Cloudflare, is encrypted with the edge certificate (so that is what the visitor sees), and the second part needs a certificate on the server to secure it (between Cloudflare and the server).

If you turn off the proxy (or can’t enable it, as for wildcards), the visitor will connect directly to the server, so the certificates will need to be dealt with there.

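The two rules in the replies above (the edge certificate covers only first-level subdomains, and it is served only when the record is proxied) can be checked with a small model. The following is an added example, not code from the thread or from Cloudflare; the record table, the SAN list and the result labels are constructed to mirror the thread's situation. It goes slightly beyond the thread by also showing what happens to a second-level name behind a proxied wildcard record, which the `*.domain.com` SAN does not match.

```python
"""Which certificate does a visitor see for a hostname behind Cloudflare?

Model: a DNS record table {name: proxied}, plus the SAN list of the edge
(Universal SSL) certificate. Proxied records are answered with the edge
certificate; unproxied records go straight to the origin server.
"""


def san_matches(san: str, hostname: str) -> bool:
    """Certificate name matching: a '*.' SAN covers exactly one extra label."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]  # "*.domain.com" -> ".domain.com"
        if not hostname.endswith(suffix):
            return False
        # The part before the suffix must be a single label (no further dots).
        return "." not in hostname[: -len(suffix)]
    return san == hostname


def find_record(records: dict, hostname: str):
    """DNS-style lookup: exact name first, otherwise a '*.' record for the zone."""
    hostname = hostname.lower().rstrip(".")
    if hostname in records:
        return hostname, records[hostname]
    for name, proxied in records.items():
        if name.startswith("*.") and hostname.endswith(name[1:]):
            return name, proxied
    return None, None


def certificate_seen_by_visitor(hostname: str, records: dict, edge_sans: list) -> str:
    """Return 'edge', 'origin', 'edge-uncovered' or 'no DNS record'."""
    name, proxied = find_record(records, hostname)
    if name is None:
        return "no DNS record"
    if not proxied:
        # Grey cloud: the browser connects to the origin, so the origin's own
        # certificate is what it sees; the edge certificate plays no part.
        return "origin"
    if any(san_matches(san, hostname) for san in edge_sans):
        return "edge"
    # Proxied, but no SAN matches: the TLS handshake would fail name validation.
    return "edge-uncovered"


# Constructed Universal SSL SAN list as described in the thread.
EDGE_SANS = ["domain.com", "*.domain.com"]

# Constructed Free-plan zone: the wildcard record exists but cannot be proxied.
FREE_PLAN_RECORDS = {
    "domain.com": True,
    "sub1.domain.com": True,
    "*.domain.com": False,
}

# Constructed Enterprise-style zone where the wildcard record itself is proxied.
ENTERPRISE_RECORDS = {
    "domain.com": True,
    "*.domain.com": True,
}

if __name__ == "__main__":
    for host in ["domain.com", "sub1.domain.com", "v1.domain.com", "a.b.domain.com"]:
        print(f"free plan       {host:18} -> {certificate_seen_by_visitor(host, FREE_PLAN_RECORDS, EDGE_SANS)}")
        print(f"proxied wildcard {host:18} -> {certificate_seen_by_visitor(host, ENTERPRISE_RECORDS, EDGE_SANS)}")
```

The `v1.domain.com` case is the one the original poster asked about: with an unproxied `*` record it resolves, but the certificate the browser validates is the origin server's, not Cloudflare's.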