I have a domain, and 3 subdomains under it (besides www). My authoritative name server is Cloudflare. The apex domain and www are proxied through Cloudflare; the other 3 subdomains are served directly by Netlify (they are DNS-only records in Cloudflare). This is working fine, but I realized there is a problem with the SSL certs of the subdomains. I was using Let's Encrypt for them, but for apex/www I was using a Cloudflare origin cert (so a custom cert). I am not 100% sure, but I think the subdomains were also being served with the Cloudflare cert, because I was getting an error in the browser (since the Cloudflare origin cert is self-signed, not tied to a CA). I changed www/apex also to Let's Encrypt, and it seems to be working fine now. Is there such a limitation on Netlify?
Welcome to the community!
The issue has to do with the validation check for the cert. Netlify’s system sends out a request for validation and stops at the first reply that is returned. In your case, the first cert validation being returned was Cloudflare’s origin cert. Those only work at Cloudflare. When Netlify tried to validate one of your subdomains, it checked Cloudflare first, got a response and stopped checking rather than going on to attempt to validate against Let’s Encrypt.
Now that you’ve switched to using an end-to-end Let’s Encrypt cert, the validation is succeeding because we are no longer trying to (incorrectly) validate against the Cloudflare origin cert.
Is this a limitation? I guess it depends on your point of view. On the one hand, the way our system works did not serve you well. On the other hand, the way it works does cover the majority of cases and was intended to make configuration a little easier for most folks.
I hope this helps!
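The symptom in the question (a browser error because a self-signed Cloudflare origin certificate reached the client) and the explanation in the answer (which certificate a hostname actually presents) can both be checked from the outside with a strict TLS handshake. The script below is an added example, not code from the thread or from Netlify or Cloudflare: it performs the same trust-store verification a browser does, reports the issuer organization and whether the certificate's subjectAltName list covers the hostname (with the one-label wildcard rule), and includes a constructed certificate dict in the shape `ssl.getpeercert()` returns so the parsing logic can be exercised offline. The hostnames under `__main__` are placeholders to replace with your own apex, www and Netlify-hosted subdomains.

```python
# Added example (not from the thread): probe each hostname over TLS the way a
# browser would and report whether the presented certificate chains to a
# public CA and whether its SAN list actually covers that name. A self-signed
# Cloudflare origin certificate reaching the client shows up here as
# trusted_chain=False, which is the browser error described in the question.
import socket
import ssl


def issuer_org(cert: dict) -> str:
    """Return the issuer's organizationName from an ssl.getpeercert() dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def san_matches(cert: dict, hostname: str) -> bool:
    """True if a DNS subjectAltName entry covers hostname.

    A wildcard matches exactly one label: *.example.com covers
    app.example.com but not a.b.example.com and not the apex example.com.
    """
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern == host:
            return True
        if (pattern.startswith("*.")
                and host.endswith(pattern[1:])
                and host.count(".") == pattern.count(".")):
            return True
    return False


def assess(hostname: str, verified: bool, cert: dict) -> dict:
    """Summarise one probe; cert is {} when the chain was not trusted."""
    return {
        "host": hostname,
        "trusted_chain": verified,
        "issuer": issuer_org(cert),
        "name_matches": san_matches(cert, hostname),
    }


def fetch_cert(hostname: str, port: int = 443, timeout: float = 5.0):
    """Strict handshake against the system trust store, as a browser does.

    Returns (True, cert_dict) on success, or (False, {}) when the chain is
    rejected, e.g. because a self-signed Cloudflare origin cert was served.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return True, tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return False, {}


def check_hosts(hostnames):
    """Probe every hostname and return the list of assessments."""
    return [assess(h, *fetch_cert(h)) for h in hostnames]


# Constructed sample in the exact shape ssl.getpeercert() returns, used for
# offline demonstration; the issuer fields mimic a Let's Encrypt leaf cert.
SAMPLE_LE_CERT = {
    "subject": ((("commonName", "app.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R3"),),
    ),
    "subjectAltName": (("DNS", "app.example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    # Placeholder hostnames: replace with your apex, www and subdomains.
    for result in check_hosts(["example.com", "www.example.com"]):
        print(result)
```

Run it against the apex, www and each Netlify-hosted subdomain: a `trusted_chain` of `False` on a Cloudflare-proxied name means the origin certificate is being presented to clients instead of staying between Cloudflare and the origin, and a `name_matches` of `False` means the certificate that was issued does not cover the hostname it is served on.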