Introduction

When using a CDN like Cloudflare, CloudFront, or Fastly with a custom domain, the CDN must present an SSL certificate that includes the custom domain in its Subject Alternative Name (SAN) field. If the CDN's shared certificate does not cover your custom domain, visitors see a browser SSL warning (NET::ERR_CERT_COMMON_NAME_INVALID) and cannot access your site. This commonly happens after adding a new custom domain to an existing CDN distribution or when the CDN's shared certificate rotates.

Symptoms

  • Browser shows SSL warning:

    ```
    NET::ERR_CERT_COMMON_NAME_INVALID
    Subject: *.cloudfront.net
    This server could not prove that it is your-custom-domain.com
    ```

  • curl shows certificate mismatch:

    ```bash
    curl -vI https://your-custom-domain.com
    # Shows certificate for: *.cloudfront.net (not your domain)
    ```

  • SSL checker confirms:

    ```
    Subject Alternative Names: *.cloudfront.net, cloudfront.net
    Missing: your-custom-domain.com
    ```

  • Site accessible via HTTP but not HTTPS

Common Causes

  • Custom domain added to CDN but SSL certificate not yet provisioned
  • CDN shared certificate does not include the custom domain
  • Custom SSL certificate uploaded to CDN has expired or is missing the domain
  • DNS points to CDN edge but CDN has not been configured for SSL on that domain
  • Certificate SAN field was not updated when adding additional custom domains

Step-by-Step Fix

  1. Add DNS validation records:

     ```bash
     # For Route 53
     aws route53 change-resource-record-sets \
       --hosted-zone-id Z1234567890 \
       --change-batch '{
         "Changes": [{
           "Action": "CREATE",
           "ResourceRecordSet": {
             "Name": "_abc123.your-custom-domain.com.",
             "Type": "CNAME",
             "TTL": 60,
             "ResourceRecords": [{"Value": "_def456.acm-validations.aws."}]
           }
         }]
       }'
     ```

  2. Update the CloudFront distribution with the new certificate (CloudFront only accepts ACM certificates issued in us-east-1, whatever region the origin lives in):

     ```bash
     # Get current ETag
     ETAG=$(aws cloudfront get-distribution --id E1234567890 \
       --query 'ETag' --output text)

     # Update distribution
     aws cloudfront update-distribution \
       --id E1234567890 \
       --if-match "$ETAG" \
       --distribution-config file://distribution-config.json

     # distribution-config.json includes:
     # "ViewerCertificate": {
     #   "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789:certificate/abc-123",
     #   "SSLSupportMethod": "sni-only",
     #   "MinimumProtocolVersion": "TLSv1.2_2021"
     # }
     ```

  3. For Cloudflare, verify the SSL/TLS mode:
     - Go to Cloudflare Dashboard > SSL/TLS > Overview
     - Ensure mode is set to "Full" or "Full (strict)"
     - Go to SSL/TLS > Edge Certificates
     - Verify your custom domain appears in the certificate list
     - If missing, add it under "Custom Hostnames" and wait for validation

  4. Verify the fix:

     ```bash
     # Wait for propagation (CloudFront: ~15 minutes)
     watch -n 10 "openssl s_client -connect your-custom-domain.com:443 -servername your-custom-domain.com 2>/dev/null | openssl x509 -noout -subject -dates"

     # Should show:
     # subject=CN = your-custom-domain.com
     # notBefore=...
     # notAfter=...
     ```

Prevention

  • Monitor certificate expiration dates for all custom domains
  • Use ACM or Let's Encrypt for automatic certificate renewal
  • Test new custom domains with openssl s_client before DNS switchover
  • Set up SSL certificate expiry alerts (30, 14, 7 days before)
  • Use Infrastructure as Code (Terraform) to manage CDN SSL configuration
  • Document the full SSL provisioning workflow for each new domain
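The two checks this article keeps coming back to (does the certificate's SAN list actually cover the custom domain, and how close is it to expiry) are easy to script so they can run before a DNS switchover and then on a schedule for the expiry alerts listed above. The following is an added example, not code from the original article; it uses only the Python standard library. `EDGE_HOST`, `CUSTOM_DOMAIN`, the function names and the `SHARED_CDN_CERT` sample are all assumed or constructed for illustration. Connecting to the CDN edge hostname while sending the custom domain in SNI is what lets you test a new hostname before its DNS record points at the CDN.

```python
"""Check whether the certificate a CDN edge presents for a custom domain covers
that domain (SAN match) and how many days remain before it expires.
Added example; EDGE_HOST and CUSTOM_DOMAIN are placeholders, not real hosts."""
import json
import socket
import ssl
from datetime import datetime, timezone

EDGE_HOST = "d123example.cloudfront.net"  # assumed CDN edge the custom domain will point at
CUSTOM_DOMAIN = "your-custom-domain.com"  # name sent in SNI and expected in the SAN list
ALERT_DAYS = (30, 14, 7)                  # expiry warning thresholds from the Prevention list

# Constructed sample shaped like ssl.SSLSocket.getpeercert(): the shared CDN
# certificate you see when the custom domain has NOT been provisioned yet.
SHARED_CDN_CERT = {
    "subject": ((("commonName", "*.cloudfront.net"),),),
    "subjectAltName": (("DNS", "*.cloudfront.net"), ("DNS", "cloudfront.net")),
    "notBefore": "Jan  1 00:00:00 2030 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}
SAMPLE_NOW = datetime(2030, 12, 1, tzinfo=timezone.utc)  # constructed "current time" for offline runs


def hostname_covered(san_names, hostname):
    """True if hostname matches any DNS SAN entry. A wildcard covers exactly one
    label on the left: *.example.com covers www.example.com but neither
    example.com nor a.b.example.com (the usual RFC 6125 rule)."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                       # ".example.com"
            if host.endswith(suffix):
                left = host[: -len(suffix)]
                if left and "." not in left:
                    return True
    return False


def dns_sans(cert):
    """Extract the DNS names from a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def days_until_expiry(cert, now=None):
    """Whole days remaining before notAfter; negative once the cert has expired."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (not_after - now).days


def assess(cert, hostname, now=None):
    """Combine SAN coverage and expiry into the report a monitor would emit."""
    sans = dns_sans(cert)
    days = days_until_expiry(cert, now)
    triggered = [d for d in ALERT_DAYS if days <= d]
    return {
        "hostname": hostname,
        "covered": hostname_covered(sans, hostname),
        "sans": sans,
        "days_left": days,
        "expiry_alert": min(triggered) if triggered else None,  # tightest threshold crossed
    }


def fetch_cert(connect_host, sni_host, port=443, timeout=5.0):
    """TCP-connect to the edge but send sni_host in SNI, so a custom domain can be
    tested before DNS is switched. Hostname checking is disabled because we want to
    inspect a mismatched certificate rather than raise on it; chain verification
    stays on (with CERT_NONE, getpeercert() would return an empty dict)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((connect_host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    try:
        report = assess(fetch_cert(EDGE_HOST, CUSTOM_DOMAIN), CUSTOM_DOMAIN)
    except ssl.SSLCertVerificationError as exc:   # expired or untrusted chain
        report = {"hostname": CUSTOM_DOMAIN, "covered": False, "error": str(exc)}
    print(json.dumps(report, indent=2))
```

Run it against the edge hostname with the real custom domain substituted in; a report with `"covered": false` and `*.cloudfront.net` in `sans` is exactly the mismatch this article describes, while a non-null `expiry_alert` is the 30/14/7-day signal to feed into whatever alerting you already use.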