cloudflare · deadlypants1973 · Jan 27, 2025 · Jan 24, 2025 · Jan 27, 2025
@@ -26,6 +26,8 @@ Follow these steps to connect an application through your tunnel. If you are loo
 
 <Render file="tunnel/add-public-hostname" product="cloudflare-one" />
 
+If you add a multi-level subdomain (more than one level of subdomain), you must [order a Advanced Certificate for the hostname](/cloudflare-one/faq/troubleshooting/#i-see-this-site-cant-provide-a-secure-connection).
+
 The application is now publicly available on the Internet. To allow or block specific users, [create an Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/).
 
 ## 2b. Connect a network
@@ -43,4 +45,3 @@ To configure Zero Trust policies and connect as a user, refer to [Connect privat
 After saving the tunnel, you will be redirected to the **Tunnels** page. Look for your new tunnel to be listed along with its active connector.
 
 ![Tunnel appearing in the Tunnels table](~/assets/images/cloudflare-one/connections/connect-apps/tunnel-table.png)
-
@@ -180,3 +180,9 @@ If you need to unblock port `25`, contact your account team.
 This issue can occur when communicating with an origin that partially supports HTTP/2. In these scenarios, the connection from Gateway to the website starts using HTTP/2 but requests a downgrade to HTTP/1.1 for some requests. For example, servers such as [Microsoft Internet Information Services (IIS)](https://learn.microsoft.com/iis/get-started/whats-new-in-iis-10/http2-on-iis#when-is-http2-not-supported) do not support authentication over HTTP/2. When errors occur, the website may send back a `RST_STREAM` frame with the error code `HTTP_1_1_REQUIRED`, which indicates that the browser should retry the request over HTTP/1.1. Gateway translates any received upstream `RST_STREAM` frames to a pseudo socket close, so this appears as a `502 Bad Gateway` exception page. The browser will not indicate why it failed.
 
 Gateway does not support this downgrade mechanism. When receiving the `HTTP_1_1_REQUIRED` error code, Gateway will not reissue requests over HTTP/1.1. To make the connection from Gateway to the website successfully, you will need to disable HTTP/2 at the origin.
+
+## I see `This site can't provide a secure connection.`
+
+If you see an error with the title `This site can't provide a secure connection` and a subtitle of `<hostname> uses an unsupported protocol`, you must [order an Advanced Certificate](/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/#create-a-certificate).
+
+If you added a [multi-level subdomain](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/#2a-connect-an-application) (more than one level of subdomain), you must order an [Advanced Certificate for the hostname](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/#2a-connect-an-application) as Cloudflare's Universal certificate will not cover the public hostname by default.
@@ -3,10 +3,12 @@
 
 ---
 
-1. In the **Public Hostnames** tab, choose a **Domain** and specify any subdomain or path information.
+1. In the **Public Hostnames** tab, select **+ Add a public hostname**.
 
-2. Specify a service, for example `https://localhost:8000`.
+2. Enter a subdomain and select a _Domain_ from the dropdown menu. Specify any subdomain or path information.
 
-3. Under **Additional application settings**, specify any [parameters](/cloudflare-one/connections/connect-networks/configure-tunnels/origin-configuration/) you would like to add to your tunnel configuration.
+3. Specify a service, for example `https://localhost:8000`.
 
-4. Select **Save tunnel**.
+4. Under **Additional application settings**, specify any [parameters](/cloudflare-one/connections/connect-networks/configure-tunnels/origin-configuration/) you would like to add to your tunnel configuration.
+
+5. Select **Save hostname**.