Help with Cloudflare for SaaS - customer onboarding flow and SSL issues

Hi Cloudflare Developers, I'm getting started using Cloudflare for SaaS. I want to let customers use their own domains for static sites I'm hosting for them using R2 + Workers. Was looking for some guidance on setting this up, and what the flow will look like for my customers.

A brief outline of my use case:
- Our product lets users build custom landing pages.
- Their pages are exported as HTML + JS and uploaded to R2, prefixed by their user ID.
- Each user has an entry in a Workers KV namespace mapping their chosen subdomain to their user ID.
- A Workers script checks the Host header of the incoming request and retrieves the user ID from the mapping, then serves content from that prefix in R2.
- As for DNS in this setup, there's only a single wildcard CNAME record pointing to the root domain, and the root domain has an A record pointing at CF's test/empty address (192.0.2.0).

So now onto CF for SaaS... Here's the flow I'm envisioning:
1. User fills out form with their custom domain
2. Backend makes request with Cloudflare SDK to add a new custom domain
3. Frontend retrieves DNS records and shows user which records they need to add.

I was thinking that the user would add two records, a CNAME and an A record:
- CNAME record pointing their custom domain to their already-configured subdomain going through the routing logic described above. Example: CNAME www.myvanitydomain.com -> customer1.mysaasapp.com
- A record pointing to a simple web server I will spin up redirecting non-www requests to www subdomain.
Additionally adding the verification records provided by CF.

I tested this flow with one of my domains, and I'm getting this error in Chrome: ERR_SSL_VERSION_OR_CIPHER_MISMATCH. This was after adding Cloudflare's verification TXT records and adding my test domain as a custom domain.

Lastly: I want to make this process as simple as possible for my end users. Will they need to add the verification TXT records, or can they only add a CNAME and A record? Thanks!
19 Replies
Chaika (2mo ago):
I tested this flow with one of my domains, and I'm getting this error in Chrome: ERR_SSL_VERSION_OR_CIPHER_MISMATCH. This was after adding Cloudflare's verification TXT records and adding my test domain as a custom domain.
What's the Custom Hostname status?
Will they need to add the verification TXT records, or can they only add a CNAME and A record?
for CF For SaaS, if you pick HTTP Cert validation, all they need is the CNAME.
jatkin (OP, 2mo ago):
Certificate status and hostname status are both active
Chaika (2mo ago):
you're getting that error with the custom hostname and not the root, I assume?
A record pointing to a simple web server I will spin up redirecting non-www requests to www subdomain.
This idea would fix the limitation with apex proxying but you'd have the issue with not having the right certificates/etc, sort of same as this
jatkin (OP, 2mo ago):
Yeah, I'm trying to access www.myvanitydomain.com. If I access it with HTTP instead of HTTPS I get a Cloudflare branded error page so I know at least the CNAME is pointing at Cloudflare. The vanity domain's DNS is managed by AWS Route53.

And damn I forgot I'll have to deal with SSL for the root domain too... 😭 do you have any suggestions there? If there's a way to handle the redirect within Cloudflare that would be awesome, but from what I can tell I need a static IP for the A record which is tough to get from CF unless I'm on enterprise...

Just realized I might have misconfigured it: when I'm adding the custom hostname in the console, should I add the root domain or the domain with the www CNAME? I added it as the root domain which might explain the SSL issue
Chaika (2mo ago):
Just realized I might have misconfigured it: when I'm adding the custom hostname in the console, should I add the root domain or the domain with the www CNAME?
You should add the exact hostname, e.g. www.myvanitydomain.com. You did stumble on the other idea for dealing with root domains though: you can technically use CF For SaaS on root domains as long as the provider supports ALIAS/ANAME/CNAME on root. When I was playing with it a bit ago for root domains specifically, you had to add the verification txt first -> wait for verify -> then add; not sure if that changed. If you tried to jump the gun with CNAME but no TXT, CF can't actually see what it's pointed at / it could be pointed at any Cloudflare zone for all it knows since shared IPs, hence why apex proxying is Enterprise and assigns you specific IPs.
jatkin (OP, 2mo ago):
Right, unfortunately I have to assume my users are using registrars that don't support ALIAS records. If I use my own web server to handle the www redirect, and use something like Caddy to generate LetsEncrypt records for the root domains, would that SSL cert handle the redirect without issue?

"add the verification txt first -> wait for verify -> then add" What does the second "add" here refer to? In testing it just now I had to first add the hostname pre-validation TXT, then the certificate validation; is this what you're referring to?

Also, just tested the flow with www.myvanitydomain.com and now I'm getting a timed out error... 🤔 I'm expecting a Not Found page from R2, same as if I access my routing logic under a subdomain that doesn't have an entry in KV.
Chaika (2mo ago):
If I use my own web server to handle the www redirect, and use something like Caddy to generate LetsEncrypt records for the root domains, would that SSL cert handle the redirect without issue?
As long as Caddy is able to issue those certs (using http validation I assume), that's fine
What does the second "add" here refer to? In testing it just now I had to first add the hostname pre-validation TXT, then the certificate validation, is this what you're referring to?
I was assuming http challenge, so I was saying verification txt -> wait for verify -> then add cname/alias/aname
Also, just tested the flow with www.myvanitydomain.com and now I'm getting a timed out error... 🤔
At least that means you're closer. You're using a Worker, right? Do you have a wildcard catch-all route? https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/start/advanced-settings/worker-as-origin/

Be careful not to break your existing subdomains/domain with that. I usually recommend people get a separate domain just for customer custom domains to avoid issues with that and the fact that all custom hostnames inherit your zone's configuration (WAF rules, config rules, network settings, etc), so better to eliminate the possibility of unintentionally changing settings for them / more flexibility with your custom domains
jatkin (OP, 2mo ago):
Found the issue: my Worker Route was set to *.mysaasapp.com/*; I changed it to */* and now I'm getting the Not Found page from R2. Thanks a lot Chaika 😀

I'm not super clear on how HTTP validation works, do you think you could give me a brief overview? Looks like I need to configure my own web server on the origin to respond with the data they provide when I add a custom hostname. How would this work if I don't really have an origin per se, and the only content served by my zone is from a Worker?

Also good idea on using a separate domain for custom domains, I'll likely do that 👍
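The Host-based routing Worker described in the original post, deployed with the */* catch-all route fixed here, as an added example that is not code from the thread or from Cloudflare. It assumes a KV binding HOSTMAP (hostname -> user ID) and an R2 binding SITES, and adds the path checks that keep a request on one customer's hostname from reading objects under another user ID's prefix.

```javascript
// Added example (assumed bindings: HOSTMAP = KV namespace, SITES = R2 bucket).

// Normalise the Host header: lower-case, strip any port, and accept only a
// plain DNS name so arbitrary header values cannot become KV keys.
function normalizeHost(hostHeader) {
  if (!hostHeader) return null;
  const host = hostHeader.trim().toLowerCase().replace(/:\d+$/, "");
  return /^[a-z0-9.-]+$/.test(host) ? host : null;
}

// Build the object key under the tenant's prefix. Every path segment is
// checked after decoding so "../" (or "%2e%2e/") cannot escape into the
// prefix of another user ID.
function objectKeyFor(userId, pathname) {
  let decoded;
  try {
    decoded = decodeURIComponent(pathname);
  } catch {
    return null; // malformed percent-encoding
  }
  const segments = decoded.split("/").filter(Boolean);
  if (segments.some((s) => s === "." || s === "..")) return null;
  // "/" and directory-style URLs ("/about/") resolve to an index.html.
  if (segments.length === 0) return `${userId}/index.html`;
  const relative = segments.join("/");
  if (decoded.endsWith("/")) return `${userId}/${relative}/index.html`;
  return `${userId}/${relative}`;
}

// Deployed with a catch-all route (*/*) so requests for custom hostnames
// reach the Worker too, not only *.mysaasapp.com/*.
async function handleRequest(request, env) {
  const host = normalizeHost(request.headers.get("host"));
  if (!host) return new Response("Bad Request", { status: 400 });
  // KV maps each hostname (own subdomain or custom domain) to a user ID.
  const userId = await env.HOSTMAP.get(host);
  if (!userId) return new Response("Not Found", { status: 404 });
  const key = objectKeyFor(userId, new URL(request.url).pathname);
  if (!key) return new Response("Bad Request", { status: 400 });
  const object = await env.SITES.get(key);
  if (!object) return new Response("Not Found", { status: 404 });
  const headers = new Headers();
  object.writeHttpMetadata(headers); // content-type etc. set at upload
  headers.set("etag", object.httpEtag);
  return new Response(object.body, { headers });
}

// In the deployed Worker module: export default { fetch: handleRequest };
```

An unknown hostname returns 404 from the Worker itself, which is the "Not Found" outcome expected for a custom domain that has no KV entry yet.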
Chaika (2mo ago):
I'm not super clear on how HTTP validation works, do you think you could give me a brief overview?
The briefest overview would be that for CF For SaaS, it handles it all for you (you just pick the method and it handles serving the token for you/all that stuff). Same if you use something like Caddy. Under the hood it's just serving a string under a specific path, ex: http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN> https://letsencrypt.org/docs/challenge-types/#http-01-challenge
jatkin (OP, 2mo ago):
Awesome. Got the flow working end-to-end on my test domain including the www redirect with Caddy. That was with TXT validation, trying HTTP validation now on another domain. It's looking like Cloudflare still needs me to add a pre-validation TXT record: [screenshot]
jatkin (OP, 2mo ago):
Just refreshed it and now it shows a different set of information, without me taking any action 🤔 [screenshot]
Chaika (2mo ago):
It looks like it, but you don't actually need to; for unflattened subdomains with CNAME you just need the CNAME, which appears to be missing
jatkin (OP, 2mo ago):
Yeah, just added the CNAME and everything clicked into place. Seems to be working now, except it still says Pending Validation (HTTP). Hostname status is Active.
Chaika (2mo ago):
Worth noting: refresh isn't an innocent "oh, refresh data from the API", it's restarting cert validation from the start
jatkin (OP, 2mo ago):
😂 That's good to know
Chaika (2mo ago):
Looks like it issued now. Certs can take a min or two to issue
jatkin (OP, 2mo ago):
Awesome! Yep, everything's green now, thanks so much for your help 🙏 Last step is to provide a way for Caddy to check if a domain is valid for on-demand TLS; will probably run the redirect node in the same VPC as my main API and database and expose an endpoint off my main API.

@Chaika One more question: I see that the custom hostnames I added have an expiry date of about 3 months. How is renewal handled with custom hostnames? There's also this section lower down, DCV Delegation. What role does that play in renewal?
Chaika (2mo ago):
If you're using HTTP Challenges it'll just renew for you. DCV Delegation is for the TXT option. You'd have to keep updating the TXT records for every renewal/issuance, which doesn't really work. If you wanted to use TXT Validation instead of HTTP Challenges, you could instead have them CNAME _acme-challenge.<hostname> to your DCV Delegation (which is <hostname> + . + DCV hostname); then CF can keep using TXT Validation to renew because they control the _acme-challenge subdomain. https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/validate-certificates/delegated-dcv/
jatkin (OP, 2mo ago):
Awesome