What is the best way to handle this (multiple subdomains, SSL)?

#1

My infrastructure is like this:

  • Main domain name, nothing hosted on it: example.com
  • API/services domain names: *.api.example.com
  • Staging/testing domain names: *.srv.example.com

All of these are secured with HTTP/2 and HSTS.

I updated example.com’s nameservers to CloudFlare’s nameservers, but I had SSL issues, which forced me to set the old nameservers back in place. The issue was essentially the browser stating that SSL was not configured properly.

How do I go about leveraging CloudFlare with this infrastructure? Do I need to create an account for each subdomain (*.api.example.com and *.srv.example.com)? How would I manage DNS with that, when traditionally a domain name has all of its subdomains managed under one account at just about every other DNS provider or registrar?

Also, if I set SSL Strict Mode, would it use my own SSL certs or still use CloudFlare’s?


#2

The free SSL certificates only match a single level of subdomains.

If you want SSL for a second or deeper level of subdomains, you will need to upload your own or purchase a dedicated certificate with custom hostnames.
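As an added illustration (not from the thread) of why a single-level wildcard does not cover sub-subdomains: this check applies the wildcard rule TLS clients use when validating a certificate name (RFC 6125 section 6.4.3), where `*` matches exactly one DNS label. The two certificate name lists are constructed for the example, not taken from any real certificate.

```python
"""Wildcard-name matching as TLS clients perform it (RFC 6125 s6.4.3).

A '*' label matches exactly one DNS label, so a certificate for
*.example.com covers api.example.com but not auth.api.example.com.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`."""
    pattern_labels = pattern.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    # Label counts must be equal: a wildcard never spans two levels.
    if len(pattern_labels) != len(host_labels):
        return False
    # Browsers honour '*' only as the entire left-most label; a '*'
    # anywhere else makes the name unusable.
    if any("*" in label for label in pattern_labels[1:]):
        return False
    for i, (p, h) in enumerate(zip(pattern_labels, host_labels)):
        if i == 0 and p == "*":
            if not h:  # reject an empty label such as in "..example.com"
                return False
            continue
        if p != h:
            return False
    return True


def covered_by(cert_names, hostname):
    """List the names on a certificate that cover `hostname` (empty = no match)."""
    return [name for name in cert_names if hostname_matches(name, hostname)]


# Constructed sample name lists: what a single-level wildcard certificate
# carries versus a dedicated certificate with the thread's custom hostnames.
UNIVERSAL_CERT = ["example.com", "*.example.com"]
DEDICATED_CERT = ["example.com", "*.example.com",
                  "*.api.example.com", "*.srv.example.com"]

if __name__ == "__main__":
    for host in ["api.example.com", "auth.api.example.com", "db.srv.example.com"]:
        print(host, "universal:", covered_by(UNIVERSAL_CERT, host),
              "dedicated:", covered_by(DEDICATED_CERT, host))
```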


#3

Does CloudFlare support uploading multiple SSL certificates? One for *.api.example.com and *.srv.example.com?


#4

For $10/month you can order a certificate with up to 50 custom hostnames and wildcards (like *.api.example.com). To upload your own, you must be on a Business plan.


#5

So I could have two custom SSL certs with wildcards? One for *.api.example.com and one for *.srv.example.com? Would just one of these certificates be able to handle both of these wildcard sub-subdomains?


#6

You can have just one dedicated certificate covering *.api.example.com and *.srv.example.com.


#7

Would you guys know why I get this error when attempting to buy the cert recommended?

I currently do not have the domain’s nameservers pointing to CF. Could this be why? I’m reluctant to make the change without total certainty, given that it took down several services yesterday when I attempted the move.


#8

Yes, the DNS needs to point to Cloudflare to verify you own the domain. What you can do is temporarily make all DNS records grey clouds so that it still points to your origin server, and gradually change records to orange clouds as you test their functionality with Cloudflare.


#9

Just to confirm, would CF attempt to place its own SSL certs in front of these domains when they are grey clouds? If not, then I at least know I can change the nameservers again, grey cloud everything, purchase the SSL certs, then start changing them to the colored clouds.


#10

If it’s grey clouded, it points directly to your origin server, so CF won’t change SSL or do any DDoS protection until the records are orange clouded.