Wildcard subdomains with custom certificate not working

I am having an issue getting Cloudflare to cover the subdomains at *.bearblog.dev automatically (without adding CNAME records for each of the subdomains).

This is a multi-tenant system with user content at, e.g., datadiaries.bearblog.dev, herman.bearblog.dev, etc.

According to this issue ordering an Advanced Edge certificate would allow me to have a wildcard subdomain proxy through the CDN, but I can’t seem to get it to work and the “*” CNAME record is still just DNS only.

Please advise.

The ability of CF ACM certificates to cover a *.domain.com wildcard is not the same as CF DNS supporting proxied wildcard *.domain.com DNS records. CF Free, Pro, and Business plan DNS doesn't support proxied wildcard *.domain.com DNS records, as per https://support.cloudflare.com/hc/en-us/articles/360017421192-Cloudflare-DNS-FAQ#CloudflareDNSFAQ-DoesCloudflaresupportwildcardDNSentries. Only CF Enterprise plans support proxied wildcard DNS entries.

Does Cloudflare support wildcard DNS entries?

Cloudflare supports the wildcard ‘*’ record for DNS management in all customer plans. Enterprise customers get full proxy support for wildcard records.

Free, Pro and Business plans

Cloudflare does not proxy wildcard records; therefore, wildcard subdomains are served directly without any Cloudflare performance, security, or apps. As a result, Wildcard domains get no cloud (orange or grey) in the Cloudflare DNS app. If you are adding a * CNAME or A Record, you need to make sure the record is grey clouded in order for the record to be created.

To get Cloudflare protection on a wildcard subdomain (for example: www), you need to define that record explicitly in your Cloudflare DNS settings. First, log into your Cloudflare account and click the DNS app. In this example, you would add “www” as its own CNAME record in your Cloudflare DNS settings and toggle the cloud to orange so that Cloudflare’s proxy is enabled.

Cloudflare Enterprise customers can proxy wildcard records. To learn more about the Enterprise plan, contact us.

Wildcards are only valid in the left-most subdomain label. For example, it’s not possible to add sub.*.example.com, but it’s possible to add *.sub.example.com.

So you can issue an ACM wildcard SSL certificate, but your DNS hostname entries need to be entered explicitly, i.e. sub1.domain.com and sub2.domain.com. Then CF will serve both with the ACM wildcard SSL certificate.

If you need to automate it, you can, at user subdomain creation time, issue a call to the CF API to add the DNS zone record: https://api.cloudflare.com/#dns-records-for-a-zone-create-dns-record
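The per-tenant record creation described above, as an added example that is not code from the original thread or from Cloudflare. It assumes the Cloudflare v4 endpoint `POST /zones/{zone_id}/dns_records` called with an API token; `ZONE_ID`, the token, the zone name and the origin hostname are placeholders, and the `RESERVED_LABELS` list is a hypothetical example of what a multi-tenant operator would maintain. Because the label comes from a tenant, it is validated as a single DNS label before it reaches the API, and a literal `*` wildcard is only marked proxied on an Enterprise plan, matching the FAQ quoted above.

```python
"""Create proxied per-subdomain CNAME records through the Cloudflare API."""
import json
import re
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"

# Hypothetical reserved labels; an operator would keep its own list so a
# tenant cannot claim names like www or api for user content.
RESERVED_LABELS = {"www", "api", "mail", "admin"}

# One lowercase DNS label: 1-63 chars, letters/digits/hyphen, no leading or
# trailing hyphen. No dot is allowed, so a tenant cannot create a record
# under another tenant's name or at the zone apex.
LABEL_RE = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def validate_label(label: str) -> str:
    """Return the normalised tenant label or raise ValueError."""
    label = label.strip().lower()
    if not LABEL_RE.fullmatch(label):
        raise ValueError(f"invalid subdomain label: {label!r}")
    if label in RESERVED_LABELS:
        raise ValueError(f"reserved subdomain label: {label!r}")
    return label


def build_create_record_request(zone_id, api_token, zone_name, label, target,
                                plan="free"):
    """Return (url, headers, body) for the create-DNS-record call.

    A "*" wildcard record is only proxied on the Enterprise plan; on other
    plans it must be DNS-only (grey cloud). Every other label is validated
    and created as an orange-cloud (proxied) CNAME to the origin.
    """
    if label == "*":
        proxied = plan == "enterprise"
    else:
        label = validate_label(label)
        proxied = True
    url = f"{API_BASE}/zones/{zone_id}/dns_records"
    headers = {
        "Authorization": f"Bearer {api_token}",
        "Content-Type": "application/json",
    }
    body = {
        "type": "CNAME",
        "name": f"{label}.{zone_name}",
        "content": target,
        "proxied": proxied,
        "ttl": 1,  # 1 = automatic, required for proxied records
    }
    return url, headers, body


def create_record(zone_id, api_token, zone_name, label, target, plan="free",
                  send=None):
    """Create the record and return Cloudflare's "result" object.

    `send(url, headers, body)` may be supplied to replace the HTTP call
    (used here for offline testing); otherwise urllib performs the POST.
    """
    url, headers, body = build_create_record_request(
        zone_id, api_token, zone_name, label, target, plan)
    if send is None:
        req = urllib.request.Request(
            url, data=json.dumps(body).encode(), headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:
            reply = json.load(resp)
    else:
        reply = send(url, headers, body)
    if not reply.get("success"):
        raise RuntimeError(f"Cloudflare API error: {reply.get('errors')}")
    return reply["result"]


if __name__ == "__main__":
    # Constructed call with placeholder credentials; replace before use.
    rec = create_record("ZONE_ID", "API_TOKEN", "bearblog.dev",
                        "datadiaries", "origin.example.net")
    print(rec["id"])
```

Call `create_record` from the code path that provisions a new tenant; the helper raises on an API failure rather than silently leaving the subdomain unproxied.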

Thanks for the response. I was doing this for a while but was going to hit the record cap (either 1000 or 3500). I think I’m going to do something like automate adding the high traffic subdomains via the API, and if things get hairy in the future perhaps consider enterprise.

Thanks again

In that case you may need SSL for SaaS providers: https://www.cloudflare.com/ssl-for-saas-providers/

Or just the Enterprise plan for DNS wildcard proxying.
