Custom hostnames on Cloudflare SAAS


We are using Cloudflare’s Custom Hostnames for SAAS feature. This means our clients can point their domains to a CNAME we provide, and Cloudflare manages the certificate, allowing the clients’ domains to use Cloudflare’s proxy (orange cloud) and benefit from all its features.

However, for it to work with our app on, we need to set the SSL mode to Full and disable strict mode because we cannot generate a valid SSL certificate for these clients’ domains on It works like this:

alpn = ["h2", "http/1.1"]
versions = ["TLSv1.2", "TLSv1.3"]
default_self_signed = true

So far, so good, but we started experiencing problems a day ago when several of these client domains renewed, causing intermittent 525 SSL handshake errors when reaching our application on

By chance, we deployed the project with default_self_signed set to false in the .toml file and then set it back to true.

This change seems to have created a new certificate, and everything is now working without interruptions.

The question is, is this an issue you can resolve, or is there a way we can force the renewal of this self-signed certificate?

Thank you.


I’m not sure if this will work with the hostname for SAAS feature…

Cloudflare can generate a certificate so that the communication between your Fly app and Cloudflare will be encrypted with no random 525 errors.

I wrote a little tutorial here:
