CF is set for just DNS (no proxy) and has a CNAME pointing to the Fortiweb record but we’re still getting SSL errors
What steps have you taken to resolve the issue?
Wildcard cert is installed on both Fortiweb and Web Server.
CF is set to not proxy (DNS only)
SSL Encryption Mode on the primary domain (jfd.dev) is set to Custom > Full
If you set the hosts file to bypass CF and hit the FW, the site is visible, so the issue feels like it lies in CF
What feature, service or problem is this related to?
As you are set to “DNS only”, it’s not a Cloudflare issue as requests are going direct to your origin. You will need to check why SSL is not working on your origin.
Does this have any effect if it’s a wildcard cert? I understand this might be further down the request but if we’re using a wildcard cert (on a sub-domain) are there any other considerations?
Having a certificate issued does nothing if it’s not served during the request.
And if the request for a specific hostname isn’t going through Cloudflare Proxy, Cloudflare can’t serve any SSL certificate for that hostname in question.
So, no, having a Cloudflare wildcard cert issued for *.example.com can’t affect foo.example.com that’s DNS Only. Likewise, Cloudflare can’t play any role when serving your own wildcard on your origin server for an unproxied hostname.
By the way, the URL you provided works for me now, with a Sectigo certificate.
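One way to check the two things raised in this thread, namely whether a record is actually proxied and what certificate the origin itself serves for the hostname, as an added Python example that is not from any of the posts above. It assumes the Cloudflare ranges are passed in from Cloudflare's published list; the `connect_to` argument stands in for the hosts-file override mentioned in the question.

```python
import ipaddress
import socket
import ssl
from typing import Iterable, List, Optional


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate name against a hostname the way browsers do:
    a wildcard covers exactly one label, so *.jfd.dev covers
    foo.jfd.dev but neither jfd.dev nor a.b.jfd.dev."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")[1:]
    h_labels = hostname.split(".")
    return (len(h_labels) == len(p_labels) + 1
            and h_labels[0] != ""
            and h_labels[1:] == p_labels)


def cert_covers(san_names: Iterable[str], hostname: str) -> bool:
    """True if any DNS name on the certificate covers the hostname."""
    return any(wildcard_matches(n, hostname) for n in san_names)


def is_proxied(ip: str, cloudflare_ranges: Iterable[str]) -> bool:
    """A hostname is behind the Cloudflare proxy when its A/AAAA record
    resolves into a Cloudflare range (ranges come from
    https://www.cloudflare.com/ips/, not hard-coded here); otherwise the
    record is DNS Only and Cloudflare never sees the request."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in cloudflare_ranges)


def served_dns_names(hostname: str, connect_to: Optional[str] = None,
                     port: int = 443) -> List[str]:
    """Open a TLS connection with SNI=hostname and return the DNS names on
    the certificate the server actually served.  connect_to=<origin IP>
    bypasses DNS the way a hosts-file entry does.  Chain validation stays
    on, so an untrusted origin certificate raises
    ssl.SSLCertVerificationError, which is itself a useful diagnosis."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # names are compared with cert_covers() instead
    with socket.create_connection((connect_to or hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
```

Run `cert_covers(served_dns_names("sub.example.com", connect_to="<origin ip>"), "sub.example.com")` against the origin directly: if that is False, or the connection raises a verification error, the problem is on the origin regardless of any Cloudflare setting.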
As mentioned above, the DNS record for bahrain-select-6-staging.jfd.dev is not proxied, so requests are not passing through Cloudflare; therefore your Cloudflare settings don’t do anything for that subdomain. Your apex, www and wildcard records are proxied though, so requests to those do pass through Cloudflare and any changes you make affect those… https://cf.sjr.dev/tools/check?0e5512f9a00a4edf8f3fd8dbecb4b625#dns