[Bug] SSL handshake failure on strata.eu.klavis.ai -- wildcard cert does not cover *.eu.klavis.ai

[bernard777]

Description

The EU Strata MCP endpoint strata.eu.klavis.ai is unreachable due to a TLS handshake failure. The Cloudflare certificate only covers *.klavis.ai, which does not match 2nd-level subdomains like strata.eu.klavis.ai.

Evidence

Certificate on Cloudflare edge:

• Subject: CN = klavis.ai
• SAN: DNS:klavis.ai, DNS:*.klavis.ai

Working endpoint (non-EU):

$ curl -s https://strata.klavis.ai/mcp/
{"error": "Unauthorized. Please provide your Klavis API key or Authorization header"}
-> HTTP 401 (alive, TLS OK)

Broken endpoint (EU):

$ curl -v https://strata.eu.klavis.ai/mcp/
* TLSv1.3 (IN), TLS alert, handshake failure (552)
* OpenSSL: error:0A000410:SSL routines::sslv3 alert handshake failure

Both resolve to the same Cloudflare IPs (104.21.26.53, 172.67.135.104), confirming the issue is certificate coverage, not routing.

Tested from

• Windows (France) -- Python 3.13 OpenSSL 3.0.16, curl/schannel
• Linux VPS (Germany) -- curl + OpenSSL 3.0.13

Both fail identically.

Expected behavior

strata.eu.klavis.ai should have a valid TLS certificate -- either:

• A separate cert covering *.eu.klavis.ai, or
• Adding *.eu.klavis.ai as a SAN to the existing Cloudflare cert

Impact

Any application using the EU Strata endpoint via the API (POST api.eu.klavis.ai/mcp-server/strata/create) receives a strataServerUrl pointing to strata.eu.klavis.ai, which is then unreachable. This affects all EU-region Strata users.

Dashboard reference

The Klavis dashboard at eu.klavis.ai/home/... correctly displays https://strata.eu.klavis.ai/mcp/ as the endpoint URL, but the endpoint itself cannot complete a TLS handshake.

Environment

• Klavis EU region (api.eu.klavis.ai -- works fine, hosted on Google Cloud)
• Strata EU (strata.eu.klavis.ai -- broken, hosted on Cloudflare)