https://discord.cloudflare.com logo
Join Discord
Powered by
# workers-discussions
  • w
    being in ct logs isn't really a big deal, a bot would probably find the domain anyway pretty quick. You can't really do anything on a domain without it being known
  • u
    Yeah easier... and what if a user has a cert they made for other services which then gets tied to it and they dont know and delete the cert... boom broken worker. Creating it specifically for the worker means its obvious what its for.
  • w
    yeah there's a lot of issues if we tried to use an existing cert haha
  • n
    Walshy yes I know about CT logs not being such a big deal and that's its mostly of a security by obscurity reasoning
  • n
    It's just that I am an Ent customer and I want to avoid publishing all my endpoints names in CT logs because I have people a bit too much interested in what we do and I get a lot of beg bounties just because of this
  • n
    Less in CT logs = less headaches for me
  • n
    But thanks for letting me know about the behaviour I will handle it another way then, cheers
  • w
    yeah i'd recommend just using routes then
  • c
    You can delete them without any issues. It'll show the cert as Inactive in the custom domains tab, but it should continue working with no issue. The docs recommend you delete the original cert if you want to replace it/use a different one
  • c
    If you delete the cert fast enough, you can usually snipe it before it issues. Custom Domains are still easier to use then routes, so I just do that. Not something to rely on of course if you absolutely need one not to be issued.
  • n
    Thanks Chaika, I deleted the extra cert in ACM but the custom domain disappeared in the Worker, or maybe it was just a UI fluke on my side. Anyways I think i will stay on routes as Walshy suggested, needs a bit more work but at least doesn't publish certs
  • n
    I just assumed that it worked like custom domains of Cloudflare Pages (that doesn't do this) but at least now i know :)
  • c
    That's strange, in the docs of Custom Domains they tell you to delete the cert if you want to replace it, so it should be 100% supported and I haven't had any issues with it.
  • c
    Pages should always issue a cert as well, and you can't delete that one, unless there's some way I don't know of to create a pages custom domain without one (It's not visible in your edge certs either, but it's visible in CT logs of course)
  • d
    you can just listen on a wildcard for the worker
  • d
    @Erisa | Support Engineer see ^
  • d
    I take no blame ;P
  • e
    (I replied in the thread as well)
  • e
    I'm just curious whether you're actually seeing this, or what led you to believe it worked the way you described rather than what the docs say 🤔
  • d
    probably 18 hours of working yesterday and being a bit confused.
  • e
    Oh
  • d
    hang on
  • d
    How do I actually verify that 
    CF-Worker
    is not being added by a CF Warp customer?
  • d
    since they use the same IP ranges
  • e
    cf- headers cant be spoofed
  • d
    but this would be through SSL
  • e
    Oh wait
  • e
    Was thinking of ingress, not egress
  • e
    in this case,
  • e
    WARP does not use any of the IPs listed at
1...244024412442...2509Latest