Use second-level subdomains with SSL

Hi and thanks for helping. I have looked around but can’t find a clear answer to what I need to achieve.

currently have which has a few subdomains attached
I purchased my domain through Cloudflare and currently use the example.com and *.example.com SSL certificates it provides.

the current flow of traffic:
browser > Cloudflare (CF) > router > nginx proxy manager (NPM) > service

This is all working fine; NPM splits traffic to the web service and other services (like portainer [currently portainer.example.com]) as needed.
I would like to install teleport so that I can securely access web UIs and admin consoles publicly. The teleport login dashboard would be located on cloud.example.com and each individual web UI will have an extension of this [ com].
Traffic would follow the same path as before and NPM will send all requests to [cloud.example.com] and [*.cloud.example.com] to the teleport service.

The problem I have is the SSL certificate provided by Cloudflare only covers [example.com] and [*.example.com], whereas I need it to cover [*.cloud.example.com]. I have used the Let’s Encrypt feature built into NPM to generate a wildcard certificate for [*.cloud.example.com].

Everything appears to be working; however, whenever you visit a subdomain of cloud.example.com there is an SSL error.

So obviously I would like to know how to either:
A. Install another certificate on Cloudflare
B. Tell it to bypass all traffic for cloud.example.com
I cannot upgrade from the free version of Cloudflare and have considered letting NPM manage all SSL and disabling the Cloudflare SSL (keeping proxy enabled).

Is it possible to do this and what basic steps would I have to go about?

Sorry for the long post, hope the diagrams help (can only post one at a time). Awaiting any responses.

This is the error message you get when you try and access:


I also forgot to mention my Cloudflare SSL settings are set to full strict.

You would need to purchase Advanced Certificate Manager to issue these certificates.

This would be done by setting the record to grey cloud.

This would not work unless you want to connect to Cloudflare over HTTP.


No, I would use the disabled Universal SSL option.

So this then:

If you disable Universal SSL and do not have an Advanced or Custom certificate then HTTPS will not work.
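
The coverage gap described in the question, as an added example that is not part of the original thread: a Python sketch of the single-label wildcard rule that certificate hostname matching follows (RFC 6125). The hostname portainer.cloud.example.com, the function names and the two name lists are assumptions built from the names quoted in the posts.

```python
# Added illustration (not from the thread): which certificate names cover a hostname.
# Rule applied: "*" is honoured only as the whole leftmost label and stands for
# exactly one DNS label, so it never spans a dot and never matches its parent name.

def wildcard_matches(pattern: str, hostname: str) -> bool:
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard cannot absorb extra labels
    if any("*" in label for label in p[1:]):
        return False              # wildcard outside the leftmost label is rejected
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h                 # no wildcard: exact match only


def covering_names(cert_names, hostname):
    """Return the certificate names that validate for hostname."""
    return [n for n in cert_names if wildcard_matches(n, hostname)]


# Constructed sample data, based on the names in the question.
EDGE_CERT_NAMES = ["example.com", "*.example.com"]      # certificate at Cloudflare
ORIGIN_CERT_NAMES = ["*.cloud.example.com"]             # Let's Encrypt wildcard in NPM
HOSTNAMES = [
    "portainer.example.com",
    "cloud.example.com",
    "portainer.cloud.example.com",                      # hypothetical second-level name
]


def coverage_report(hostnames):
    """Map each hostname to the names that cover it on each certificate."""
    return {
        host: {
            "edge": covering_names(EDGE_CERT_NAMES, host),
            "origin": covering_names(ORIGIN_CERT_NAMES, host),
        }
        for host in hostnames
    }


if __name__ == "__main__":
    for host, result in coverage_report(HOSTNAMES).items():
        print(f"{host:32} edge={result['edge']} origin={result['origin']}")
```

The empty `edge` list for the second-level name is the browser-facing SSL error; the empty `origin` list for cloud.example.com shows that a wildcard certificate also needs the bare parent name listed separately if that name is served too.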