What CN or SAN should SSL certificate in origin contain for Full (strict) SSL mode to work

Hi, I want to enable SSL mode to Full (strict) where the origin is service in AWS. Based on docs There are three things that origin certificate must support:

Unexpired, meaning the certificate notBeforeDate < now() < notAfterDate.

Default aws certificate renews itself by default

Issued by a publicly trusted certificate authority or Cloudflare’s Origin CA.

AWS is listed as trusted certificate authority

Contains a Common Name (CN) or Subject Alternative Name (SAN) that matches the requested or target hostname.

I am not sure about this last requirement, following diagram presents the request path from user to the target service:

Docs says that origin certificate (in this case the one located in AWS Load Balancer) should matche the requested or target hostname. What is requested and target hostname?

My understanding is as follows:

  • requested hostname - one in Host header - this will not match as my-site.com does not match *.aws.com
  • target hostname - one from CNAME proxy target, which in this case is my-site.aws.com and this should match *.aws.com

What in overall means that cert located in AWS Load Balancer should be considered as valid. Please let me know if what I wrote is correct or this will work a bit differently

Your setup will be all right because of the validation exception that Cloudflare applies for CNAME records.

Typically, the certificate validation works in the same way as a browser would validate a certificate and it needs to have been issued for your domain. If that was not the case the validation would certainly fail, just as it is supposed to.

CNAMEs are an exception in this case, however, as Cloudflare will accept a certificate with their hostnames as well.

So, in your case, the hostname that will be sent will be www.my-site.com and that is what the certificate usually would need to be issued to, but as you configured a CNAME record for that aws.com hostname, Cloudflare will equally accept a certificate for that hostname and as Amazon appears to present a certificate issued to *.aws.com that should work just fine.


This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.