There are a handful of reasons why SSL may not be working for your site on Cloudflare:

cPanel AutoSSL and Cloudflare SSL

We provide automatic SSL/HTTPS for every domain on our network.

Currently, the AutoSSL needs to resolve the domain name to an IP address associated with the cPanel server for the domain validation process to succeed.

Thus, if that doesn't happen (e.g. the domain name resolves to a Cloudflare IP), validation will fail.

Additional steps are required before websites that use Cloudflare services can use the AutoSSL feature provided by cPanel.

cPanel's AutoSSL functionality does not work for any domains using Cloudflare or any other CDN/proxy-type service.

For SSL Domain Control Validation to succeed, the domain must resolve to an IP address located on your cPanel server.

At this time there is no known workaround other than disabling Cloudflare.

Here are some reasons why you may be having issues with this.

 

Your domain/sub-domain is not active on Cloudflare’s network

Cloudflare’s SSL will only be present for visitors to your website after you have validated the SSL certificates for your root or www DNS record by orange-clouding these records in your dashboard.

If the DNS record is grey-clouded, then the Cloudflare-issued SSL certificates will not be present.

 

Your current Cloudflare SSL setting is set to the wrong option

If you don't understand what all the options do, you may want to first read "What do the SSL options mean?" However, in a nutshell:

  • If you do not have an SSL certificate on your origin server, or simply can’t use port 443 for web traffic, then you will need to use the Flexible setting in your Cloudflare dashboard. Selecting either the Full or Strict setting without an SSL certificate at your server will result in a 525/526 error.
  • Selecting Flexible when your origin has a redirect from HTTP to HTTPS leads to a redirect loop (see also "Fixing redirect loops when using Flexible SSL").
  • In this case, assuming there is an SSL certificate at the origin, you should use Full or Full (strict).
  • If you know you have an SSL certificate on your server (even a self-signed one), then you can use the Full setting.
  • If you have a valid certificate issued by a trusted certificate authority, using Strict mode provides additional defense against man-in-the-middle attacks and more trust between your web server and our edge.

 

You're accessing a subdomain not covered by the Cloudflare-issued SSL certificate

Cloudflare-issued SSL certificates cover the root-level domain (e.g. example.com) and one level of subdomains (e.g. *.example.com). If you're attempting to access a second level of subdomains (e.g. *.*.example.com) through Cloudflare using the Cloudflare-issued certificate, an HTTP 403 error will be seen in the browser, as these hostnames are not present on the certificate.

If you need SSL to work for these types of hostnames, you would need to purchase a Dedicated Certificate with Custom Hostnames through Cloudflare, purchase your own SSL certificate and upload it to us as a Custom SSL Certificate, or grey-cloud this DNS record so the traffic goes directly to your origin server.
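
The coverage rule above, as an added example (not Cloudflare's code): a Python check that flags which hostnames in a zone fall outside a certificate holding the root domain and a single wildcard level. The function names and the hostname list are assumptions made for illustration.

```python
# Added example: which hostnames does a certificate for the root domain plus
# a one-level wildcard cover? All names below are constructed sample data.

def normalize(name: str) -> str:
    """Lower-case a DNS name and drop a trailing root dot."""
    return name.strip().lower().rstrip(".")


def san_matches(hostname: str, san: str) -> bool:
    """Match one hostname against one SAN entry.

    A wildcard is honoured only as the entire leftmost label and stands
    for exactly one label, so *.example.com matches www.example.com but
    neither example.com nor a.b.example.com.
    """
    host_labels = normalize(hostname).split(".")
    san_labels = normalize(san).split(".")
    if len(host_labels) != len(san_labels):
        return False
    if san_labels[0] == "*":
        return host_labels[0] != "" and host_labels[1:] == san_labels[1:]
    return host_labels == san_labels


def universal_sans(zone: str) -> list[str]:
    """SANs the article describes: the root domain and one wildcard level."""
    zone = normalize(zone)
    return [zone, "*." + zone]


def uncovered(hostnames: list[str], zone: str) -> list[str]:
    """Return the hostnames that the zone's certificate would not cover."""
    sans = universal_sans(zone)
    return [h for h in hostnames
            if not any(san_matches(h, s) for s in sans)]


if __name__ == "__main__":
    # Constructed list of proxied hostnames for the zone example.com.
    proxied = ["example.com", "www.example.com", "API.example.com.",
               "staging.api.example.com", "a.b.c.example.com"]
    for name in uncovered(proxied, "example.com"):
        print(f"{name}: not on the certificate; needs a dedicated/custom "
              "certificate or a grey-clouded record")
```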

 

The Cloudflare-issued SSL certificate is not yet active for your domain

When you first sign up your domain with Cloudflare, the Cloudflare-issued SSL certificates may not yet have been issued.

Please allow 15 minutes (on paid plans) or 24 hours (on our Free plan) for this process to complete.

You will know if your SSL certificates are active through your Cloudflare dashboard under the Crypto tab.

 

SSL on a CNAME-Setup

If you are on the Business or Enterprise level of service with a CNAME setup, you will need to add three CNAME records at your authoritative DNS provider to authenticate the SSL certificates for your domain.

You can retrieve these CNAME records by contacting Cloudflare Support or you can use the Cloudflare API to query for them: https://api.cloudflare.com/#ssl-verification-ssl-verification-details.

 

Your domain triggered a brand-check

If your website name has a brand or country name in it (e.g. eBay, Georgia, Iran, etc.), then the Cloudflare Certificate Partner will require additional information about your business to verify that there is no misappropriation of a brand or country name. You will need to contact Cloudflare Support about resolving this issue.

 

Universal SSL is disabled on the domain

If you've disabled Universal SSL on your domain under the Crypto section and aren't using a Dedicated SSL certificate or haven't uploaded a Custom SSL certificate to Cloudflare, you'll see SSL errors for your domain when using Cloudflare.

Simply re-enable Universal SSL if you don't want to upgrade or purchase a Dedicated SSL certificate for the domain.
