English (US) Deutsch Español (España) Français (France) 日本語 한국어 Português do Brasil 简体中文

Cloudflare Help Center

Get help with Cloudflare products

Detailed system status >

Articles in this section

Connect with the Cloudflare Community

Get answers

Troubleshooting SSL errors

  • Updated

Troubleshoot common SSL errors observed when browsing to a domain proxied through Cloudflare.

Overview

Until Cloudflare provides an SSL certificate for your domain, the following errors appear in various browsers for HTTPS traffic:

Firefox

     ssl_error_bad_cert_domain      This connection is untrusted

Chrome

     Your connection is not private

Safari

     Safari can't verify the identity of the website

Edge / Internet Explorer

     There is a problem with this website's security certificate

Even with a Cloudflare SSL certificate provisioned for your domain, older browsers display errors about untrusted SSL certificates because they do not support the Server Name Indication (SNI) protocol used by Cloudflare Universal SSL certificates.  Determine if your browser supports SNI.

It is possible for Cloudflare Support to enable non-SNI support for domains on Pro, Business, or Enterprise plans for Universal, Advanced, Custom, or Custom Hostname certificates.

Otherwise, if SSL errors occur when using a newer browser, review these common SSL error causes:

 

To avoid SSL errors with the Cloudflare dashboard when using Kaspersky Antivirus, allow dash.cloudflare.com in Kaspersky.

Redirect loop errors or HTTP 525 or 526 errors

Symptom

Visitors observe redirect loop errors when browsing to your domain or observe HTTP 525 or 526 errors. These errors occur when the current Cloudflare SSL/TSL encryption mode in the Cloudflare SSL/TLS app is not compatible with your origin web server’s configuration. Resolution

For redirect loops, refer to our guide on troubleshooting redirect loop errors.

To resolve HTTP 525 or 526 errors, follow the guidance in SSL encryption modes.

.

Only some of your subdomains return SSL errors

Symptom Cloudflare Universal SSL and only cover the root-level domain (example.com) and one level of subdomains (*.example.com). If visitors to your domain observe errors accessing a second level of subdomains in their browser (such as dev.www.example.com) but not the first level of subdomains (such as www.example.com), resolve the issue using one of the following methods below.

Resolution

  • Ensure the domain is at least on a Business plan and upload a Custom SSL certificate that covers dev.www.example.com
  • purchase an advanced certificate that covers dev.www.example.com
  • if you have a valid certificate for the second level subdomains at your origin web server, click the orange cloud icon beside the dev.www hostname in the Cloudflare DNS app for example.com.

Your Cloudflare Universal SSL certificate is not active

Symptom

All active Cloudflare domains are provided a Universal SSL certificate. If you observe SSL errors and do not have a certificate of Type Universal within the Edge Certificates tab of the Cloudflare SSL/TLS app for your domain, the Universal SSL certificate has not yet provisioned.

Cloudflare SSL certificates only apply for traffic proxied through Cloudflare. If SSL errors only occur for hostnames not proxied to Cloudflare, proxy those hostnames through Cloudflare:
  • For domains on Full DNS setups, click the grey cloud icon icon beside the DNS hostname in your Cloudflare DNS app until the icon becomes an orange cloud.
  • For domains on CNAME setups, review our guide on adding DNS records to a CNAME setup.

Our SSL vendors verify each SSL certificate request before Cloudflare can issue a certificate for a domain name. This process may take anywhere from 15 minutes to 24 hours. Our SSL certificate vendors sometimes flag a domain name for additional review.

Resolution

If your domain is on a partial setup: Confirm whether you have CAA DNS records enabled at your current hosting provider. If so, ensure you specify the Certificate Authorities that Cloudflare uses to provision certificates for your domain. If Universal SSL is disabled on your domain under the Disable Universal SSL section of the Edge Certificates tab in Cloudflare SSL/TLS app:

If your Cloudflare SSL certificate is not issued within 24 hours of Cloudflare domain activation:

Temporarily pausing Cloudflare will allow the HTTPS traffic to be served properly from your origin web server while the support team investigates the issue.

OCSP response error

Symptom Visitors to your site observe an OCSP response error.

Resolution This error is either caused by the browser version or an issue requiring attention by one of Cloudflare’s SSL vendors. In order to properly diagnose, open a support ticket with the following information provided by the visitor that observes the browser error:

  1. The output from https://aboutmybrowser.com/  
    1. The output of https://example.com/cdn-cgi/trace from the visitor’s browser. Replace example.com  with your website’s domain name.

SSL expired or SSL mismatch errors

Symptom Visitors observe error messages in their browser about SSL expiration or SSL mismatch.

Resolution

For more details, refer to ERR_SSL_VERSION_OR_CIPHER_MISMATCH.

Incorrect HSTS headers

Symptom

The HSTS headers (Strict-Transport-Security and X-Content-Type-Options) in the response do not match the configuration settings defined in SSL/TLS > Edge Certificates.

Resolution

You may have configured HTTP Response Header Modification Rules that are overriding the HSTS header values defined in the SSL/TLS app.

  1. Go to Rules > Transform Rules.
  2. Under HTTP Response Header Modification, check the existing rules for a rule that is setting the value of one of the HSTS headers (Strict-Transport-Security or X-Content-Type-Options).
  3. Delete (or edit) the rule so that the HSTS configuration settings defined in the SSL/TLS app are applied.
  4. Repeat this procedure for the other HSTS header.

Related resources

Not finding what you need?

Submit a request

Related articles

Not finding what you need?

Submit a request