There are a handful of reasons why SSL may not be working for your site on CloudFlare:
You don't have CloudFlare's proxy enabled for the domain
CloudFlare's SSL support is only for the DNS hostnames going through CloudFlare's proxy. On the CloudFlare DNS Settings page, an orange cloud indicates that the proxy is enabled while a grey cloud indicates that requests to this record will go directly to the origin server. CloudFlare's SSL certificates are only available on orange-clouded records.
You've signed up through a hosting provider and are at the free level of service
Universal SSL provided at the free level of service is not available for sites registered through a hosting provider at the present time.
Your CloudFlare SSL setting is set to Full SSL or Full SSL Strict, but you don't have an SSL certificate on your server or port 443 is closed
CloudFlare offers three SSL settings: Flexible, Full SSL, and Full SSL Strict. If you don't have an SSL certificate on your server, then you need to choose the Flexible SSL option. The other choices will not work without an SSL certificate on your server; if they are used, a CloudFlare 521 error will be shown, indicating that we cannot connect to the server. If you have a self-signed certificate on your server, Full SSL Strict will not work and, if chosen, will result in a 526 error.
You're accessing a subdomain not covered by the CloudFlare-issued SSL certificate
CloudFlare-issued SSL certificates cover the root-level domain (e.g. example.com) and one level of subdomains (e.g. *.example.com). If you're attempting to access a second level of subdomains (e.g. *.*.example.com) through CloudFlare using the CloudFlare-issued certificate, an HTTP 403 error will be seen in the browser, as these host names are not present on the certificate. If you need to have SSL working for these types of host names, you would need to either purchase your own SSL certificate and upload it to us as a Custom SSL Certificate, or grey-cloud this DNS record so the traffic goes directly to your origin server.
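The coverage rule above, combined with the orange-cloud requirement from the first section, as an added example that is not CloudFlare's own code. The zone, record names and proxied flags are constructed sample data, and the function and status names are hypothetical.

```python
# Added example: classify DNS records by whether the CloudFlare-issued
# certificate (apex plus one wildcard level) will serve them.

def _norm(name):
    # DNS names are case-insensitive; drop a trailing root dot.
    return name.rstrip(".").lower()

def covered_by_issued_cert(hostname, zone):
    """True for the zone apex or exactly one label below it.

    A wildcard entry such as *.example.com matches a single left-most
    label, so a.b.example.com is not covered.
    """
    host, zone = _norm(hostname), _norm(zone)
    if host == zone:
        return True
    if not host.endswith("." + zone):
        return False
    prefix = host[: -len(zone) - 1]
    return prefix != "" and "." not in prefix

def audit(records, zone):
    """records: iterable of (hostname, proxied) pairs. Returns {hostname: status}."""
    findings = {}
    for name, proxied in records:
        host, z = _norm(name), _norm(zone)
        if host != z and not host.endswith("." + z):
            status = "OUTSIDE_ZONE"   # not a record of this zone at all
        elif not proxied:
            status = "GREY_CLOUD"     # goes straight to origin, no CloudFlare cert
        elif covered_by_issued_cert(host, z):
            status = "OK"
        else:
            status = "NOT_ON_CERT"    # needs a Custom SSL Certificate or grey cloud
        findings[name] = status
    return findings

# Constructed sample data: (hostname, orange cloud enabled?)
SAMPLE_RECORDS = [
    ("example.com", True),
    ("www.example.com", True),
    ("dev.staging.example.com", True),
    ("direct.example.com", False),
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_RECORDS, "example.com").items():
        print(f"{name:28} {status}")
```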
The CloudFlare-issued SSL certificate is not yet active for your domain
If you have recently signed up for CloudFlare, the CloudFlare-issued SSL certificate may not yet be issued and active on our network. Please allow up to 15 minutes for this certificate to be issued by one of our partner Certificate Authorities (CA). A privacy warning will be shown in a browser before the certificate is issued.
If more than 15 minutes have passed since activating the domain on CloudFlare and a privacy warning is still seen in a browser, please read over the following possibilities to ensure that our CAs can verify the domain and issue the certificate.
- SSL at the Free Level of Service
If your domain is active at the free level of service and uses Universal SSL, the CA used will verify the domain by querying a CNAME record automatically added by CloudFlare. Please ensure that the domain is pointed to CloudFlare's name servers assigned to the domain at the registrar. This allows the CA to query the record in place. If the previous condition is met and the privacy warning is still seen, please contact support.
- SSL at a Paid Level of Service
If your domain is active at one of our paid levels of service (Pro, Business, or Enterprise), the CA used will verify the domain by querying three distinct CNAME records used to issue three certificates, each with a different signature algorithm. Please ensure that the domain is pointed to CloudFlare's name servers assigned to the domain at the registrar. This allows the CA to query the record in place. If the previous condition is met and the privacy warning is still seen, please contact support.
- Domains Activated with a CNAME Setup at a Paid Level of Service
Domains activated with a CNAME setup or through a hosting provider will need to contact CloudFlare support to obtain the CNAME records needed to verify their CloudFlare-issued SSL certificates. Please contact support if this applies to your domain.