With Delegated DCV validation, do I need just the root CNAME or one per each hostname?

If I want to point site.com, www.site.com and subdomain.site.com to my CF for SaaS (cname.zone.com):

A. Would adding CNAME _acme-challenge be enough for the certs?
B. Would I need 3: _acme-challenge, _acme-challenge.www and _acme-challenge.subdomain?

If www.site.com is currently using a CNAME to somewhere else, would the sequence of steps to minimize downtime be...

1. Add the DCV _acme-challenge (or DCVs, depending on A or B)
2. Add the hostname/s to the Cloudflare Dashboard
3. Wait for the Cloudflare Dashboard to say the Certificate is Active
4. (Potentially) add any missing CAA records necessary (although, if it's currently CNAMEing somewhere else, are you even able to add CAA records or not until you change the CNAME on step 6 and it propagates)?
5. Otherwise, www.site.com continues reaching the old service provider successfully
6. Consider doing pre-validation on the hostname (e.g. https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/domain-support/hostname-validation/pre-validation/) before DNS changes.
7. Change the www. CNAME to cname.zone.com, and with no downtime, www.site.com will point to our zone.

Are there any alternative workflows anyone's using? DCV seems invasive but the automatic renewal makes it a great option. Curious to see in practice how many times the old/current service provider can prevent it from working (outside of CAA differences). Thanks!
4 Replies
merp (Taiwan arc)
Why don't you just issue a wildcard cert for site.com, *.site.com? Then you only need one _acme-challenge.

Also, why are you manually doing this? ACME clients should have support for Cloudflare.

And finally, if you're using Cloudflare, why are you doing this at all? Cloudflare handles the edge certificate for you.
juanferreras (OP), 7mo ago
Hi merp! Thanks for the response. This is re: Cloudflare for SaaS' Delegated DCV (https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/validate-certificates/delegated-dcv/#setup), for customers who want to point their domain/subdomain (which might be on Cloudflare but most likely is not) to our platform, which lives in Cloudflare Workers/Pages.

Setup docs mention one for each hostname, but then mention Cloudflare will issue a TXT for wildcard. However, in our tests (where the 'customer' domain was a Cloudflare zone), we ended up needing both _acme-challenge and _acme-challenge.www for it to work (or that was our perception; not sure how faithful it is to delete everything and re-try, given certs etc. might have been issued and re-used; we also mis-used the Refresh button thinking it meant check-again rather than re-issue).

This is a good read for the question in step 4: https://vercel.com/guides/change-caa-records-with-vercel-cname. If currently www.site.com CNAMEs to old.platform.com, and the old platform issues incompatible CAAs:

Option 1: Move with downtime (you'd change the CNAME and take the site temporarily down while Cloudflare issues certificates).

Option 2: Make sure you have the correct CAAs for both old/new (or none). Replace the CNAME old.platform with an A record. Remove the CNAME once propagated. Add the Delegated DCV CNAMEs. Then Cloudflare can issue the certs and you can wait for it to be active before replacing the A record with the CF for SaaS CNAME.

I've asked support this question, although I've done a new test with a brand new subdomain and until actually creating the specific CNAME _acme-challenge.subdomain, the Certificate was failing (either something was wrong in my test, or you do need one specific record for each specific subdomain you'll use). I was also able to prevalidate the hostname, which means the change can take place with no service disruption 👏.
Docs are a bit confusing but the product is fantastic
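The question in step 4 and Option 2 above both come down to two DNS rules: the CA looks for a CAA policy at the hostname and then at its ancestors (RFC 8659), and a name that holds a CNAME cannot hold a CAA record beside it (RFC 1034), so while www.site.com CNAMEs to the old provider the policy that applies is whatever sits on site.com. The following is an added example, not code from this thread or from Cloudflare: an offline pre-flight check that runs those rules over a constructed in-memory zone, reports which _acme-challenge CNAME is missing per hostname (including the single base-name record a wildcard host needs), and flags a CAA policy that would block the SaaS side's issuers. DCV_TARGET and ALLOWED_CAS are placeholders; the real delegated-DCV target and CA list come from the provider's setup page.

```javascript
// Added example, not code from the thread or from Cloudflare: an offline
// pre-flight check of a customer zone before a hostname is pointed at a
// Cloudflare for SaaS CNAME. The zone is a constructed in-memory record set;
// nothing here queries live DNS. DCV_TARGET and ALLOWED_CAS are placeholders.
const SAAS_TARGET = "cname.zone.com";                 // target named in the question
const DCV_TARGET = "dcv-target.placeholder.invalid";  // delegated-DCV CNAME target (placeholder)
const ALLOWED_CAS = ["ca-one.example", "ca-two.example"]; // issuers the SaaS side uses (assumed)

// "www.site.com" -> ["www.site.com", "site.com", "com"]
function ancestors(name) {
  const labels = name.split(".");
  return labels.map((_, i) => labels.slice(i).join("."));
}

function records(zone, name, type) {
  return (zone[name] || []).filter((r) => r.type === type);
}

// The DNS-01 label a CA checks for a host; a wildcard host uses the base
// name, which is why one _acme-challenge record covers *.site.com.
function dcvName(host) {
  return `_acme-challenge.${host.startsWith("*.") ? host.slice(2) : host}`;
}

// RFC 8659 CAA discovery: the CAA set of the closest ancestor (the name
// itself first) that has one applies. A name holding a CNAME cannot also
// hold CAA records (RFC 1034), so for such names an ancestor's set decides.
function effectiveCaa(zone, name) {
  for (const n of ancestors(name)) {
    const set = records(zone, n, "CAA");
    if (set.length) return { from: n, set };
  }
  return { from: null, set: [] };
}

// Issuer domain of a CAA value: "ca.example; validationmethods=dns-01" -> "ca.example".
function issuerOf(value) {
  return value.split(";")[0].trim().toLowerCase();
}

// True when the CAA policy in force allows `ca` to issue for `host`.
// For wildcard hosts, issuewild tags take precedence over issue tags.
function caaPermits(zone, host, ca) {
  const wildcard = host.startsWith("*.");
  const { set } = effectiveCaa(zone, wildcard ? host.slice(2) : host);
  let relevant = set.filter((r) => r.tag === "issue");
  if (wildcard) {
    const wild = set.filter((r) => r.tag === "issuewild");
    if (wild.length) relevant = wild;
  }
  if (relevant.length === 0) return true;   // no restricting tag: any CA may issue
  return relevant.some((r) => issuerOf(r.value) === ca.toLowerCase());
}

// Findings for one hostname: the DCV record that is missing, a CNAME that
// still points at the old provider, and a CAA policy that would block issuance.
function checkHostname(zone, host) {
  const findings = [];
  const dcv = records(zone, dcvName(host), "CNAME");
  if (!dcv.some((r) => r.data === DCV_TARGET)) {
    findings.push(`missing: ${dcvName(host)} CNAME ${DCV_TARGET}`);
  }
  const cname = records(zone, host, "CNAME");
  if (cname.length && cname[0].data !== SAAS_TARGET) {
    findings.push(`still-cname: ${host} -> ${cname[0].data} (no CAA can be added at this name while the CNAME exists)`);
  }
  const blocked = ALLOWED_CAS.filter((ca) => !caaPermits(zone, host, ca));
  if (blocked.length) {
    const { from } = effectiveCaa(zone, host.startsWith("*.") ? host.slice(2) : host);
    findings.push(`caa-blocks: CAA at ${from} does not permit ${blocked.join(", ")}`);
  }
  return findings;
}

function preflight(zone, hosts) {
  return Object.fromEntries(hosts.map((h) => [h, checkHostname(zone, h)]));
}

// Constructed sample zone: www.site.com still CNAMEs to the old provider and
// site.com carries a CAA record naming only the old provider's CA.
const SAMPLE_ZONE = {
  "site.com": [
    { type: "A", data: "192.0.2.10" },
    { type: "CAA", flags: 0, tag: "issue", value: "old-ca.example" },
  ],
  "www.site.com": [{ type: "CNAME", data: "old.platform.com" }],
  "_acme-challenge.site.com": [{ type: "CNAME", data: DCV_TARGET }],
};

console.log(JSON.stringify(preflight(SAMPLE_ZONE, ["site.com", "www.site.com", "*.site.com"]), null, 2));
```

On the sample zone, site.com is blocked only by CAA, www.site.com reports all three findings, and *.site.com needs no extra _acme-challenge record but is still blocked by the parent's CAA. Running the same check on the zone as it should look after Option 2 (CAA entries for the new issuers, the DCV CNAME per hostname, the old CNAME replaced) returns an empty list for every hostname, which is the state to reach before step 7.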
Marvin, 7mo ago
Solved: I managed to fix it by setting the worker route to "*/*" instead of "*.example.com/*".

Original for future reference:

Hey @juanferreras, I think I have a similar issue and the docs are very confusing. How did you set up everything? I have a multi-tenancy app where the custom domain of the customer should point to the correct subdomain of my app, like: test.custom.com -> tenant1.example.com

I have set up the DNS records on example.com like this:

A proxy-fallback 192.0.2.1
CNAME * proxy-fallback.example.com

I also enabled "custom hostnames", set the fallback origin and added the custom hostname of the customer:

Fallback Origin: proxy-fallback.example.com
Custom hostname: test.custom.com

The two TXT + CNAME are also added in the DNS of custom.com:

TXT _acme-challenge.test <token>
TXT _cf-custom-hostname.test <token>
CNAME test tenant1.example.com

Everything is green and with status "active" but it still doesn't work when I open "test.custom.com". It loads forever and then shows a Cloudflare 522 error. When I open "tenant1.example.com", it shows the site though. Any idea what could be the issue here? Maybe I'm missing a setting somewhere?

For the site, I'm using a CF Worker which just shows a "Hello World" HTML text. The wildcard domain "*.example.com/*" is mapped to the worker via "Workers Routes". The original domains are of course not "custom.com" or "example.com", but a .co and a .com domain, both registered with Cloudflare.
juanferreras (OP), 7mo ago
> I managed to fix it by setting the worker route to "*/*" instead of "*.example.com/*".
Not the same issue, but just wanted to 👍. If you're using a Worker as origin, you should make sure every hostname goes through the Worker (it's documented here: https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/start/advanced-settings/worker-as-origin/).
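The fix Marvin found and the point juanferreras makes are the same thing seen from two sides: a custom hostname arrives at the edge with its own name (test.custom.com), so a route scoped to "*.example.com/*" never matches it and the request is not handled by the Worker at all. The block below is an added example, not code from this thread or from Cloudflare. It models route matching as a simple glob (an assumption about the route syntax: "*" matches any run of characters) to show which pattern catches the custom hostname, and sketches a worker-as-origin that dispatches on the request hostname and answers unknown hostnames explicitly. The tenant table and hostnames are constructed.

```javascript
// Added example, not code from the thread or from Cloudflare. Models why a
// Worker route of "*.example.com/*" does not match a custom hostname such as
// test.custom.com, and shows a worker-as-origin dispatching on the hostname.
// Assumption: routes are globs where "*" matches any run of characters.

// Simplified Cloudflare route match: patterns carry no scheme and are
// compared against host + path.
function routeMatches(pattern, url) {
  const { hostname, pathname } = new URL(url);
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")   // escape regex metacharacters
    .replace(/\*/g, ".*");                    // then turn the glob "*" into ".*"
  return new RegExp(`^${escaped}$`, "i").test(hostname + pathname);
}

// Constructed tenant table: each customer hostname maps to the tenant it
// serves. In production this would come from KV/D1 or a config store.
const TENANTS = {
  "test.custom.com": "tenant1",
  "shop.another.example": "tenant2",
};
const PLATFORM_SUFFIX = ".example.com";       // the SaaS zone from Marvin's setup
const FALLBACK_LABEL = "proxy-fallback";      // the fallback-origin hostname label

// Which tenant should answer for a hostname, or null if none is known.
function resolveTenant(hostname) {
  const h = hostname.toLowerCase();
  if (Object.prototype.hasOwnProperty.call(TENANTS, h)) return TENANTS[h];
  if (h.endsWith(PLATFORM_SUFFIX)) {
    const label = h.slice(0, -PLATFORM_SUFFIX.length);
    // tenant1.example.com serves tenant1; the fallback-origin name is not a tenant.
    if (label && !label.includes(".") && label !== FALLBACK_LABEL) return label;
  }
  return null;
}

// Worker entry point; with a "*/*" route every custom hostname reaches it.
// Unknown hostnames get an explicit 404 rather than being passed on.
// (In the deployed module this object is the default export.)
const worker = {
  async fetch(request) {
    const host = new URL(request.url).hostname;
    const tenant = resolveTenant(host);
    if (!tenant) return new Response("unknown hostname", { status: 404 });
    return new Response(`Hello World from ${tenant} (requested as ${host})`, {
      headers: { "content-type": "text/html" },
    });
  },
};
```

routeMatches("*.example.com/*", "https://test.custom.com/") is false, which is the gap Marvin hit; routeMatches("*/*", "https://test.custom.com/") is true. Resolving the tenant inside the Worker, rather than relying on the route pattern, is what keeps the hostname check in one place once every request goes through it.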