Warning Sign for A Record of Added Subdomain

BACKGROUND:

I created a “login” subdomain for one of my domain names hosted at DreamHost and accessed my Cloudflare account to create two A records with “login” and “www.login” as hostnames respectively. The type of Let’s Encrypt certificate offered by DreamHost is not a wildcard and only covers the domain root. Therefore, we have to request an SSL certificate again for any subdomain added to our hosting plan. However, before attempting to add Let’s Encrypt we must ensure that the A records are on a “DNS Only” proxy status. Otherwise, DreamHost declines the creation of the SSL certificate for the subdomain. At the end of the process the certificate was successfully created. For the record, the encryption mode is set to FULL (Strict).

QUERIED EVENT:

As shown by the red arrows in the attached screenshot, once the certificate was added, I went back to Cloudflare and changed the proxy status of both A records from “DNS Only” to “Proxied”. After having changed the proxy status, Cloudflare generated a warning message stating that the “www.login" record exposes the IP address used in the A record on “login”. I contacted DreamHost and they told me I can disregard the warning because a search at “whatsmydns-dot-net” showed that the subdomain was propagated without any problem. Anyway, they also told me I am free to contact Cloudflare to get another opinion on this issue. This is what I am doing right now.

I would be grateful if anyone of Cloudflare community support could be kind enough to provide a feedback regarding the aforementioned warning sign.

The warning may go away when you refresh the dashboard. If all records pointing to the 173.236.x.x IP address are proxied, there should be no problem. That warning should only appear on unproxied records where it is also used for proxied ones.

However you should note that www.login is a second-level subdomain and Cloudflare’s Universal SSL only covers the apex domain and first-level subdomains (example.com and *.example.com). To use a Cloudflare edge SSL certificate for www.login.example.com you would need to use an Advanced Certificate…

2 Likes

Thank you very much for your feedback and for the reminder regarding the need of an Advanced Certificate to cover the second level subdomain. This is a relevant issue to bear in mind in order to strengthen the security of second level subdomains.

2 Likes

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.