Need help with CNAME setup using Let's Encrypt and Cloudflare

Hey there, I got a new problem I am not sure how to solve right now. Hope somebody would be up for checking this out with me together.

I have app.aws.example.com running just fine. That DNS record is set up via cert-manager, which uses Let's Encrypt. All good in the hood with this one. Now DNS for example.com is managed in Cloudflare and I thought I could just create a CNAME for fancy.example.com pointing to app.aws.example.com. And actually, I can. Though the connection does not work because of some SSL magic I don't understand right now. Anybody curious can reach out to me on Twitter. Maybe we can hang a bit and figure this out together. I would buy you an apple juice for sure! Below is one example error, à la "SSL handshake failed":

curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to fancy.example.com:443
posted to Developers on January 4, 2021
  1. 2

    tl;dr you need a cert issued specifically for fancy.example.com

    The problem you're running into is how SSL/TLS actually works. Creating a CNAME simply tells whatever is making the request where to find the server that will respond to the request - in this case, fancy.example.com will resolve to the same host/IP as app.aws.example.com, but whatever is terminating SSL on app.aws.example.com is going to see the host header set to fancy.example.com and match it with a corresponding certificate (if it has one).

    Cloudflare can make this a little funky depending on whether you have their caching/proxy turned on for that DNS record. If you do, then it should work, I think, since Cloudflare will handle SSL termination for fancy.example.com and then make a proxied request to app.aws.example.com.

    1. 2

      Hey Sean, great that you reached out. I got a couple of nudges in this direction and have to try something out. I think you are right. The server terminating SSL is not aware of the host header entry and thus disallows access. I got cert-manager under the hood and just have to reorganize my funny setup a bit. I will let you know how it goes. <3

    2. 1

      I finally got to work on this a bit more. In the end I did what you suggested. Just took me a bit to figure out how to put the pieces together. I solved the problem by issuing a dedicated certificate for fancy.example.com and wired that up in the ingress gateways so that traffic is routed to the virtual service's backends. Thanks a lot for your help!
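The mechanism Sean describes, and the fix the original poster landed on, can be modelled in a few lines. The following is an added example, not code from the thread or from cert-manager: it implements certificate name matching (exact and single-label wildcard, as in RFC 6125) over the `subjectAltName` shape that Python's `ssl` module returns, then simulates what a TLS terminator does at ClientHello time, which is to pick a certificate by the SNI the client sent. DNS resolution, and therefore the CNAME, is already finished at that point. The certificate records are constructed stand-ins (the hostnames come from the thread; the SAN lists are assumed). A `probe()` helper is included for checking a live endpoint with a chosen SNI; it makes a network call and is not exercised by the offline part.

```python
"""Why a CNAME alone does not make fancy.example.com serve TLS (added example)."""
import socket
import ssl


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN against a hostname: case-insensitive, trailing
    dot ignored, and a wildcard only as the whole leftmost label covering
    exactly one label (so *.example.com covers fancy.example.com but not
    app.aws.example.com). Partial wildcards such as f*.example.com are
    deliberately rejected."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert: dict, hostname: str) -> bool:
    """True if any DNS SAN in `cert` matches `hostname`. `cert` follows the
    dict layout of ssl.SSLSocket.getpeercert(): 'subjectAltName' is a tuple of
    (type, value) pairs."""
    sans = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    return any(dns_name_matches(p, hostname) for p in sans)


# Constructed stand-ins for certificates cert-manager might have issued.
CERT_APP = {"subjectAltName": (("DNS", "app.aws.example.com"),)}
CERT_FANCY = {"subjectAltName": (("DNS", "fancy.example.com"),)}
CERT_WILDCARD = {"subjectAltName": (("DNS", "*.example.com"),)}


def select_cert(configured_certs: list, sni: str):
    """What the ingress gateway does when the ClientHello arrives: return the
    first configured certificate covering the SNI, or None. The CNAME played
    no part here; it only decided which IP the client connected to."""
    for cert in configured_certs:
        if cert_covers(cert, sni):
            return cert
    return None


def diagnose(configured_certs: list, sni: str) -> str:
    """Human-readable verdict for a given SNI against the gateway's certs."""
    cert = select_cert(configured_certs, sni)
    if cert is None:
        return f"handshake fails: no configured certificate covers {sni}"
    sans = [v for (t, v) in cert["subjectAltName"] if t == "DNS"]
    return f"ok: {sni} served with certificate for {sans}"


def probe(host: str, sni: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check: connect to host:port, send `sni` in the ClientHello, and
    report the outcome. Equivalent to `openssl s_client -servername`. This is
    the network counterpart of diagnose() and is not used offline."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                sans = [v for (t, v) in tls.getpeercert().get("subjectAltName", ())
                        if t == "DNS"]
                return f"ok: {sni} served with certificate for {sans}"
    except ssl.SSLCertVerificationError as exc:  # subclass of SSLError, so first
        return f"certificate verification failed for {sni}: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return f"handshake failed for {sni}: {exc}"


if __name__ == "__main__":
    # Before the fix: only the app.aws.example.com certificate is configured.
    print(diagnose([CERT_APP], "fancy.example.com"))
    # After the fix: a dedicated certificate for fancy.example.com is wired in.
    print(diagnose([CERT_APP, CERT_FANCY], "fancy.example.com"))
    # Alternative: one wildcard for example.com would cover the fancy name too.
    print(diagnose([CERT_APP, CERT_WILDCARD], "fancy.example.com"))
```

Running the offline part shows the before/after states from the thread: with only the app certificate configured the gateway has nothing to present for `fancy.example.com` and the handshake cannot complete, which is what surfaces as curl's `SSL_ERROR_SYSCALL`; adding a certificate whose SAN covers that name (dedicated or wildcard) resolves it. The same verdict on a real endpoint comes from `probe("app.aws.example.com", "fancy.example.com")`, which is worth keeping in a monitoring script so a name that is CNAMEd to a gateway without a matching certificate is caught before users see a handshake failure.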
