Full (Strict) Breaks things... but... why?
I'm troubleshooting why Cloudflare "Full (Strict)" SSL mode fails for one domain (domainA.com) but works for another (domainB.com).
Both are:
- Using wildcard certs from the same public CA (e.g., Starfield)
- Served via the same HAProxy host with identical config
- Using the same certificate chain (intermediate + root) in the .pem
- Valid per openssl s_client -connect ... -servername ... -showcerts — chain is complete and verification succeeds
The only difference is the cert/key pair, as expected. I’ve also tested .pem files with and without PKCS#12 bag attributes — behavior is unchanged. From the TLS handshake perspective, both sites look identical and valid.
Any ideas why Strict SSL would accept one but reject the other?