docs: Document www subdomain SSL fix (Cloudflare Origin Certificate)

Fixed SSL error 526 on www.firefrostgaming.com while maintaining Full
(strict) mode.

Solution: Cloudflare Origin Certificate
- 15-year validity
- Covers firefrostgaming.com, www.firefrostgaming.com, *.firefrostgaming.com
- Maintains Full (strict) encryption mode
- No Let's Encrypt renewals needed

Changed:
- Nginx server_name: added www.firefrostgaming.com
- SSL certificate: /etc/ssl/certs/cloudflare-firefrostgaming.pem
- SSL key: /etc/ssl/private/cloudflare-firefrostgaming.key

Verified: Both firefrostgaming.com and www.firefrostgaming.com working ✅

Completed: March 26, 2026, 8:15 PM CST
By: The Verifier (Chronicler #42) + Michael

docs/troubleshooting/www-subdomain-ssl-fix.md

@@ -0,0 +1,172 @@
+# WWW Subdomain SSL Fix — Cloudflare Origin Certificate
+
+**Date:** March 26, 2026  
+**Issue:** www.firefrostgaming.com returned SSL error 526 (invalid certificate)  
+**Resolution:** Installed Cloudflare Origin Certificate for both domains  
+**Completed By:** The Verifier (Chronicler #42) + Michael
+
+---
+
+## Problem
+
+- `firefrostgaming.com` worked ✅
+- `www.firefrostgaming.com` failed with SSL error 526 ❌
+
+**Root cause:**
+- Cloudflare DNS had CNAME: `www.firefrostgaming.com` → `firefrostgaming.com` (proxied)
+- Cloudflare SSL/TLS mode: Full (strict)
+- Origin server (Ghost VPS) had no certificate for `www.firefrostgaming.com`
+- Error 526: "Cloudflare can't validate SSL certificate on origin server"
+
+---
+
+## Why Full (Strict) Mode?
+
+**Full (strict) mode requirements:**
+- Cloudflare validates origin server's SSL certificate
+- More secure than Flexible mode (Cloudflare only)
+- Required for end-to-end encryption
+
+**We maintained Full (strict) mode** rather than downgrading to Flexible.
+
+---
+
+## Solution: Cloudflare Origin Certificate
+
+### Step 1: Generate Certificate in Cloudflare
+
+**In Cloudflare Dashboard:**
+1. Go to SSL/TLS → Origin Server
+2. Click "Create Certificate"
+3. Configure:
+   - Private key type: RSA (2048)
+   - Hostnames: `firefrostgaming.com`, `www.firefrostgaming.com`, `*.firefrostgaming.com`
+   - Validity: 15 years
+4. Click "Create"
+5. Copy both certificate and private key
+
+### Step 2: Install on Ghost VPS
+
+**Create certificate file:**
+```bash
+sudo nano /etc/ssl/certs/cloudflare-firefrostgaming.pem
+```
+Paste the Origin Certificate (begins with `-----BEGIN CERTIFICATE-----`)
+
+**Create private key file:**
+```bash
+sudo nano /etc/ssl/private/cloudflare-firefrostgaming.key
+```
+Paste the Private Key (begins with `-----BEGIN PRIVATE KEY-----`)
+
+**Set permissions:**
+```bash
+sudo chmod 600 /etc/ssl/private/cloudflare-firefrostgaming.key
+```
+
+### Step 3: Update Nginx Configuration
+
+**File:** `/etc/nginx/sites-available/firefrostgaming.com-ssl.conf`
+
+**Changed:**
+```nginx
+server_name firefrostgaming.com;  # OLD
+server_name firefrostgaming.com www.firefrostgaming.com;  # NEW
+
+ssl_certificate /etc/letsencrypt/firefrostgaming.com/fullchain.cer;  # OLD
+ssl_certificate /etc/ssl/certs/cloudflare-firefrostgaming.pem;  # NEW
+
+ssl_certificate_key /etc/letsencrypt/firefrostgaming.com/firefrostgaming.com.key;  # OLD
+ssl_certificate_key /etc/ssl/private/cloudflare-firefrostgaming.key;  # NEW
+```
+
+**Full updated config:**
+```nginx
+map $status $header_content_type_options {
+    204 "";
+    default "nosniff";
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    
+    # Handle both firefrostgaming.com and www.firefrostgaming.com
+    server_name firefrostgaming.com www.firefrostgaming.com;
+    
+    root /var/www/firefrost/system/nginx-root;
+    
+    # Cloudflare Origin Certificate
+    ssl_certificate /etc/ssl/certs/cloudflare-firefrostgaming.pem;
+    ssl_certificate_key /etc/ssl/private/cloudflare-firefrostgaming.key;
+    
+    include /etc/nginx/snippets/ssl-params.conf;
+
+    location / {
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $http_host;
+        proxy_pass http://127.0.0.1:2368;
+        add_header X-Content-Type-Options $header_content_type_options;
+    }
+    
+    client_max_body_size 1g;
+}
+```
+
+### Step 4: Test and Reload
+
+```bash
+sudo nginx -t
+sudo systemctl reload nginx
+```
+
+---
+
+## Verification
+
+**Test both URLs:**
+- https://firefrostgaming.com ✅
+- https://www.firefrostgaming.com ✅
+
+Both should work with no SSL errors.
+
+**Check Cloudflare SSL mode:**
+- Should still be "Full (strict)" ✅
+
+---
+
+## Benefits of This Solution
+
+1. **15-year validity** — No renewal required for 15 years
+2. **Wildcard coverage** — `*.firefrostgaming.com` covered if needed
+3. **Full (strict) maintained** — Security posture unchanged
+4. **Works with Cloudflare proxy** — Designed specifically for Full (strict) mode
+5. **No Let's Encrypt dependency** — Origin certificate is Cloudflare-managed
+
+---
+
+## File Locations
+
+**Certificate files:**
+- Certificate: `/etc/ssl/certs/cloudflare-firefrostgaming.pem`
+- Private key: `/etc/ssl/private/cloudflare-firefrostgaming.key`
+
+**Nginx config:**
+- `/etc/nginx/sites-available/firefrostgaming.com-ssl.conf`
+- Symlinked from: `/etc/nginx/sites-enabled/firefrostgaming.com-ssl.conf`
+
+---
+
+## Related Documentation
+
+- Cloudflare Origin Certificates: https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/
+- Cloudflare SSL/TLS modes: https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/
+
+---
+
+**Fire + Frost + Arcane + Verification = Truth** ✅🔥❄️⚡
+
+**Documented By:** The Verifier (Chronicler #42)  
+**Date:** March 26, 2026, 8:15 PM CST