Multi-Level Subdomains

In many cases, you want to run Tunnel to expose a multi-level subdomain, such as foo.bar.example.com. Because the certificate Tunnel generates will cover the first tier of subdomains and the apex (i.e. *.example.com and example.com), you need to make a small modification to how you run Tunnel to get it to work. Tunnel offers two ways to accomplish this:

Option One: DNS Solution

The first option is to run Tunnel on a separate single-level hostname, and then CNAME the multi-level hostname you wish to expose to that Tunnel hostname. How this works:

  1. Run Tunnel on your origin server and expose your service on a single-level subdomain such as warp.example.com.
  2. Open up the Cloudflare DNS panel and create a CNAME record for the multi-level domain to the domain where Tunnel is running: CNAME foo.bar.example.com ==> warp.example.com.

Option Two: Bring Your Own TLS Certificate

You need a custom solution to run Tunnel on a multi-level domain because the certificate Tunnel generates for your origin server is not valid beyond one subdomain level.

In order to include more hostnames, you can bring your own TLS certificate. Below are instructions for how to use Tunnel with a custom certificate.

  1. Install Tunnel on your machine
  2. Run the command $ cloudflared tunnel login and, when the browser window opens, select the domain you wish to use. This will download a certificate to your origin server.
  3. The downloaded certificate will automatically be placed in ~/.cloudflared/cert.pem.
  4. If you open the certificate file, you will see it has three sections: private key, certificate and Tunnel token. Later on you will replace the private key and certificate sections.

    -----BEGIN PRIVATE KEY-----
    MIGHAgEAMBMwd51w/9Ne9nmMolCD0Z8s6AMBMwd51w/9Ne9nmMolCD0Z8s6
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIDKzCCAtCgAwIBAgIUfk7smiHna9wiBasCpbVyeg6vBRAwCgYIKoZIzj0EAwIw
    gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
    YW4gRnJhbmNpc2NvvdWRmbGFyZS5jb20vb3JpZ2luX2Vj
    Y19jYS5jcmwwCgYIKoZIzj0EAwIDSQAwRgIhANZOIFV/kWzbHVbpmTYewL6hPEdC
    YgtWeoaU3x5WsnFQAiEAjYSW1LE1A0HjCzU0ZpEzElzo0YbVPbj57eaUV7gk+Tg=
    -----END CERTIFICATE-----
    -----BEGIN Tunnel TOKEN-----
    OWJkMDQ1ZTcxMDQ1ZWI2NTZhZmEwYzRiYTRkMjRhZjQKdjEuMC1kOWMyNTY4MmQ4
    NTBkYzdjYTc1YzQ0ZlYjI5ZjIxNTU5NjhjOTE0MzY4YTkyYmUwODdhNzRj
    ZmEyMTU3Y2I5ZjU0MDMwMTczY2Q5MmQ3OTE0MWZkNWVmMTA5MGIxLTIxNjAxZjUz
    OWQwZjRlMjU3MDRjNmRhNzVjYTZjOTE3NmMwMDRhZGU4OTQ3NDIwOTE4Y2QyZGU2
    N2ExMWNhNDE=
    -----END Tunnel TOKEN-----

  5. Next you need to generate a certificate for your origin server. Cloudflare offers a free Certificate Authority for generating origin certificates that are only trusted by Cloudflare.

  6. Log in to the Cloudflare dashboard and visit the Crypto tab.

  7. Scroll down to the section called Origin Certificates. In that table you will see certificates Tunnel generated for your server.

  8. Click the button labeled ‘Create Certificate’.

  9. When the modal opens, select the checkbox for “Let Cloudflare generate a private key and a CSR”. You may keep RSA selected as the key type. Then list the hostname you need Tunnel to expose, such as foo.bar.example.com.

  10. Cloudflare will then present you a certificate to use for your origin.

  11. Open up the file at ~/.cloudflared/cert.pem and replace the private key and certificate sections with the values Cloudflare shows in the dashboard.

  12. Once you are finished, you can exit the modal in the dashboard by clicking ‘Ok’.

Note: If you use an encrypted certificate file, the Tunnel client won’t prompt for the passphrase and the certificate will not work.

You can now start Tunnel on a multi-level subdomain.
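The two checks below, added here as an example and not code from cloudflared or Cloudflare, show why the generated certificate stops at one subdomain level (a wildcard name such as *.example.com matches exactly one DNS label under the standard TLS hostname rule) and how to swap the private key and certificate sections of the combined cert.pem file from step 11 without disturbing the Tunnel token. The file contents are a constructed sample with placeholder base64, not a real key, certificate or token.

```python
import re

# Constructed sample of the combined ~/.cloudflared/cert.pem layout described
# above. The base64 bodies are placeholders, not real key material.
SAMPLE_CERT_PEM = """-----BEGIN PRIVATE KEY-----
UExBQ0VIT0xERVJQUklWQVRFS0VZ
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVJDRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----
-----BEGIN Tunnel TOKEN-----
UExBQ0VIT0xERVJUVU5ORUxUT0tFTg==
-----END Tunnel TOKEN-----
"""

# One PEM block: "-----BEGIN <label>-----", body, "-----END <label>-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([^-]+)-----\n(.*?)\n-----END \1-----", re.S)


def split_pem_sections(text):
    """Return {label: base64 body} for every PEM block in the file."""
    return {m.group(1): m.group(2).strip() for m in PEM_BLOCK.finditer(text)}


def replace_pem_section(text, label, new_body):
    """Replace the body of one labelled section (e.g. CERTIFICATE) in place.
    Every other section, including the Tunnel token, is left untouched."""
    pattern = re.compile(
        r"(-----BEGIN %s-----\n).*?(\n-----END %s-----)"
        % (re.escape(label), re.escape(label)), re.S)
    if not pattern.search(text):
        raise ValueError("no %s section found" % label)
    return pattern.sub(lambda m: m.group(1) + new_body.strip() + m.group(2),
                       text, count=1)


def san_matches(hostname, san):
    """Standard TLS rule: a leading '*' matches exactly one DNS label, so
    '*.example.com' covers 'warp.example.com' but not 'foo.bar.example.com'
    or the apex 'example.com'."""
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if pat[0] == "*":
        return len(host) == len(pat) and host[1:] == pat[1:]
    return host == pat


def hostname_covered(hostname, sans):
    """True if any name in the certificate's SAN list covers the hostname."""
    return any(san_matches(hostname, san) for san in sans)
```

Run hostname_covered("foo.bar.example.com", ["*.example.com", "example.com"]) against the names in the certificate Tunnel issued to see the gap this page works around; after replacing the CERTIFICATE section, split_pem_sections confirms the Tunnel TOKEN section survived intact.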

Note: you will also need a certificate for the connection from the client to Cloudflare’s edge. You manage this in the Edge Certificates section of the Crypto tab in the Cloudflare dashboard. By default, Cloudflare issues certificates for *.your-domain. If you need a certificate for a multi-level hostname, you can buy a dedicated certificate in the Cloudflare dashboard.