Uploading a Cloudflare certificate to PythonAnywhere

I have a CNAME record pointing to my webapp hosted in PythonAnywhere. This CNAME is a second-level subdomain: pfm.v0.genify.ai. The root domain (genify.ai) is a React website hosted in Cloudflare using a Cloudflare worker. Therefore, I have an AAAA of name genify.ai pointing to 100::

The root website is secured using a Cloudflare SSL certificate. Its encryption mode is Full (strict). The genify.ai website works fine with HTTPS.

To secure pfm.v0.genify.ai, I first purchased a dedicated certificate with custom hostname (required for multi-level subdomains), then I followed https://help.pythonanywhere.com/pages/HTTPSCustomCerts (in summary, I’ve created a certificate signing request with domain “pfm.v0.genify.ai” and a private key, I uploaded the CSR to Cloudflare, Cloudflare returned me a certificate which I uploaded to PythonAnywhere).

This is the error obtained in PythonAnywhere:

Mismatch between certificate Common Name (CloudFlare Origin Certificate) and webapp (pfm.v0.genify.ai)

  • It doesn’t work: when trying to access my webapp, I get either ERR_SSL_VERSION_OR_CIPHER_MISMATCH or ERR_CONNECTION_TIMED_OUT. How can I solve it? Is upgrading to Enterprise the only solution?

  • Did someone get a similar issue using AWS instead of PythonAnywhere, and how did he/she solve it?

  • When creating the CSR, I set the common name to pfm.v0.genify.ai. Why does PythonAnywhere report that the common name is “CloudFlare Origin Certificate”?

  • Last but not least: would hosting my app on a new Cloudflare worker solve this problem?

Thanks in advance!

This won’t be related to the origin certificate, but the proxy certificate is already the issue, as that hostname is one level too deep.

You’ll need the $10 a month ACM certificate to cover such levels as well. Otherwise you could also unproxy the record. In that case you won’t be using the proxies, however, but you can use Let’s Encrypt, for example.
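The "one level too deep" point in the reply, as an added example (not part of the original thread): a simplified RFC 6125-style matcher in which a wildcard covers exactly one left-most label. The edge certificate names `genify.ai` and `*.genify.ai` are an assumption for illustration, since the thread does not list them; the function names are hypothetical.

```python
# Added example: which certificate names cover a hostname when a wildcard
# may stand for exactly one left-most label (simplified RFC 6125 rules).

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name (exact or wildcard) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard replaces one label only, so the label counts must be equal.
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Require at least two literal labels after the wildcard (no "*.ai")
        # and no further wildcards to the right.
        if len(p_labels) < 3 or "*" in "".join(p_labels[1:]):
            return False
        return p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial or non-left-most wildcards are rejected here
    return p_labels == h_labels


def covering_names(cert_names, hostname):
    """List the certificate names that cover hostname."""
    return [n for n in cert_names if name_matches(n, hostname)]


def suggest_wildcard(hostname: str) -> str:
    """Wildcard name that would cover hostname (its left-most label replaced)."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(["*"] + labels[1:])


# Constructed sample data. UNIVERSAL_NAMES is an assumed set of edge
# certificate names; ORIGIN_CN is the Common Name quoted in the error above.
UNIVERSAL_NAMES = ["genify.ai", "*.genify.ai"]
ORIGIN_CN = "CloudFlare Origin Certificate"

if __name__ == "__main__":
    for host in ["genify.ai", "v0.genify.ai", "pfm.v0.genify.ai"]:
        print(f"{host:20} covered by {covering_names(UNIVERSAL_NAMES, host)}")
    print("name needed:", suggest_wildcard("pfm.v0.genify.ai"))
    print("CN check:", name_matches(ORIGIN_CN, "pfm.v0.genify.ai"))
```

The last line shows why a check that compares only the Common Name reports a mismatch for a certificate whose CN is a descriptive string rather than a hostname.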
