If you use the Full (Strict) mode, you may run into Invalid SSL certificate 526 on www or other subdomains. Even though their official documentation claims that adding a A record with * should work, it didn’t for me.

The solution is to add Redirect Rules for them.

If you go to this part of the configuration:

You’ll see that there are a few pretty useful templates. Simply create rules accordingly for the first two and you should be all set:

Even after this, you may still run into DNS cache on only some of your devices and be tearing your hair out about it. Remember to clear the cache for these devices. For example, on iPhone, you should be able to clear DNS cache by turning it off and on again. For mac you can do:

sudo killall -HUP mDNSResponder

There. No more hair loss.