Using Full (strict) SSL mode with SSL for SaaS

I'm trying to wrap my head around how SSL for SaaS is supposed to work...

Trying to set up Cloudflare (with SSL for SaaS) in front of an AKS cluster. I have a main domain that customers in my SaaS platform can use. They can also set up their own vanity domains, like, and use that instead.

I've got the current setup:

- Partial CNAME setup in Cloudflare for
- CNAME record in AWS for ->
- CNAME record in Cloudflare for ->
- CNAME record in AWS for -> (vanity url for customers)
- Fallback Origin in Cloudflare set to
- Custom Hostname in Cloudflare for
- Generated a Cloudflare CA cert for * and using that in the AKS cluster is working, but is giving a "526 Invalid SSL certificate". I'm guessing that is because the cert in AKS is generated for *, but I'm not allowed to generate a cert for (since it's not part of the Cloudflare setup). 

What are my options? Do I have to use Full ("not strict") SSL mode, or what is the recommended way of solving this issue?

Looks like I accidentally put all of it in a blockquote… :joy: And I guess there’s no edit button? Well, hope you can read it anyway :smile:
