What CN or SAN should SSL certificate in origin contain for Full (strict) SSL mode to work

Hi, I want to enable the SSL mode Full (strict) where the origin is a service in AWS. Based on the docs, there are three things that the origin certificate must support:

Unexpired, meaning the certificate notBeforeDate < now() < notAfterDate.

The default AWS certificate renews itself by default.

Issued by a publicly trusted certificate authority or Cloudflare’s Origin CA.

AWS is listed as a trusted certificate authority.

Contains a Common Name (CN) or Subject Alternative Name (SAN) that matches the requested or target hostname.

I am not sure about this last requirement; the following diagram presents the request path from the user to the target service:

The docs say that the origin certificate (in this case the one located in the AWS Load Balancer) should match the requested or target hostname. What are the requested and target hostnames?

My understanding is as follows:

  • requested hostname - the one in the Host header - this will not match, as my-site.com does not match *.aws.com
  • target hostname - the one from the CNAME proxy target, which in this case is my-site.aws.com, and this should match *.aws.com

Which overall means that the cert located in the AWS Load Balancer should be considered valid. Please let me know if what I wrote is correct or whether this will work a bit differently.

Your setup will be all right because of the validation exception that Cloudflare applies for CNAME records.

Typically, the certificate validation works in the same way as a browser would validate a certificate and it needs to have been issued for your domain. If that was not the case the validation would certainly fail, just as it is supposed to.

CNAMEs are an exception in this case, however, as Cloudflare will accept a certificate with their hostnames as well.

So, in your case, the hostname that will be sent will be www.my-site.com, and that is what the certificate usually would need to be issued to, but as you configured a CNAME record for that aws.com hostname, Cloudflare will equally accept a certificate for that hostname, and as Amazon appears to present a certificate issued to *.aws.com, that should work just fine.

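The matching rule described in the answer, as an added illustration that is not code from the thread or from Cloudflare: a certificate name is accepted if it matches either the requested hostname or the CNAME target, with wildcards covering exactly one DNS label (RFC 6125 style). The certificate dictionary and hostnames are constructed for the example.

```python
# Added example: models the hostname check discussed above. Not Cloudflare's
# implementation; the certificate below is a constructed stand-in for the
# *.aws.com certificate the load balancer presents.

def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a leading '*' covers exactly one DNS label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" in hostname:
        return False
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    labels = hostname.split(".")
    # '*.aws.com' matches 'my-site.aws.com' but not 'aws.com' or 'a.b.aws.com'
    return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]


def _cert_names(cert: dict) -> list:
    """Use the SAN list when present; fall back to the CN only if it is absent."""
    return cert.get("sans") or [cert["cn"]]


def origin_cert_acceptable(cert: dict, requested_host: str, cname_target: str = None):
    """Return (accepted, matched_cert_name, matched_hostname).

    The requested hostname (Host header) is always a candidate; the CNAME
    target is added as a second candidate, which is the exception the
    answer describes.
    """
    candidates = [requested_host]
    if cname_target:
        candidates.append(cname_target)
    for name in _cert_names(cert):
        for host in candidates:
            if _name_matches(name, host):
                return True, name, host
    return False, None, None


# Constructed sample: what an AWS load balancer cert might look like here.
AWS_LB_CERT = {"cn": "*.aws.com", "sans": ["*.aws.com", "aws.com"]}

if __name__ == "__main__":
    # Without the CNAME exception the check fails; with it, the cert is accepted.
    print(origin_cert_acceptable(AWS_LB_CERT, "www.my-site.com"))
    print(origin_cert_acceptable(AWS_LB_CERT, "www.my-site.com", "my-site.aws.com"))
```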
