Can't use Proxy or Strict SSL all of a sudden

Hello there,

May I suggest you to check out these #tutorial for setting up the SSL?


Thank you for the response – but all that is in place correctly. What is happening is errant IPs are showing on that are NOT on the DNS record on Cloudflare.

The site has had the same – unchanged – settings on Cloudflare for years. Then, out of the clear this weekend, these unrelated IPS seem to be in the mix somehow.

No one can tell me why or how this is happening – with the correct settings on Cloudflare. Because of this, the site goes offline when I turn on proxy and Full (Strict) SSL.

Are you using any kind of third part integration like ezoic? Would you share the domain here?

Is that behavior only on Full Strict? Have you installed origin certificate?

Thank you for the response! I didn’t get a notice of your reply… Nothing has changed on the site for a very long time – this just appeared this weekend on 10/3.

No third-party integration nor an origin certificate.

The site is

Proxy has to be OFF and SSL to Flexible for the site to not display a security screen. This is across all browsers and my iPhone too.

Appreciate your patience with me!

You can change that too at the notification bar.

Here’s the overview:
At the moment, your site is running on https.
Your site has an SSL & you’ve turned off the proxy.

The issue: You’ve a missing CAA records in your DNS.

The screenshot you’ve attached is when proxied?

It isn’t. You need to check the records again.

In order to use Full Strict, you need to have a certificate on the origin server.

How are you determining that the IPs are “errant”? Whose IPs are they?

Thanks again…

I did activate alerts – and nothing. So, there is a certificate on the origin server. The host determined that the Universal SSL on Cloudflare just expired – it didn’t renew as it has for years. They have gone above and beyond in helping me determine why out of the clear blue sky this happened.

I found another thread about this here.

The thing is, we tried that process, and it won’t renew. And, since it is a free account, I cannot contact CF to ask why it didn’t renew. Hence, I am back here just trying to get the site to work as it always has with CF.

Thank you again!

No idea whose IPs they are…

The host provided screenshots from when CF Proxy was engaged and SSL Strict – that shouldn’t be there when the site was offline.

Now that proxy is off and flexible SSL is in place – the site is live. Turn them back on – no go. Turns out the free Universal SSL just expired and didn’t renew as it has for years.

Not sure what I can do now…

Thank you for your interest! :wink:



Thanks for the update. This is mostly due to deprecation of Digicert certificate. You can read related thread here & the expert view:

Additionally, check this out:


That’s why I included a link to an online whois lookup, to make it easier to determine whose IPs they are. We can always revisit the “errant IPs” later if they appear to be relevant.

Those are mutually exclusive conditions. You have to have the proxy enabled for Flexible SSL to mean anything. Flexible redirects HTTPS requests received by the proxy to HTTP requests at the origin.

Based on the other details that you have shared, I endorse @neiljay’s diagnosis. You may be able to remedy this on your own using the Cloudflare API.

The example in the following post with lets_encrypt for digicert should get you going.

2 Likes @neiljay

Thanks, guys, for sticking with me on this – it’s above my paygrade. I’ve emailed [email protected] since they seem to be aware of this cert migration issue (Digicert to Let’s Encrypt) and hope they can help to resolve it.

My host, WPMU, also went above and beyond to help determine what was at play too. This is what I love about the online community – those willing to spend time to help! :wink:

Much appreciated!



I’m tagging you here on this thread has the same issue as the thread you helped with here, but it was closed 2 days ago, so I couldn’t contact you there.

I did email [email protected] as you instructed there but got the autoresponders – immediately noting my case was “resolved,” which it isn’t.

I know I’m on a free account, but this is on your side to resolve (according to the referenced thread) due to migrating from Digicert to Let’s Encrypt on the backend. What can I do about that? Can you help? TYVM!

I already shared this topic in a related escalation thread.

If the autoresponder that closed your support request generated a ticket number, would you share it here?

1 Like

Hello @judi

Had you attempted the api call as mentioned by @domjh on the referenced thread you found now closed - Universal SSL on Free Account expired - #23 by ccahoon

  • which in turn the api call was referenced from another thread CA certificates - #3 by user4918 (Note: On the example call you would change the CA provider from Digicert to Let’s Encrypt


*curl -X PATCH “[zone_id]/ssl/universal/settings” *
*-H “X-Auth-Email: [email]” *
*-H “X-Auth-Key: Global API Key” *
*-H “Content-Type: application/json” *
–data ‘{“certificate_authority”:“lets_encrypt”}’


After the above call, you may need to then toggle off the Universal SSL switch & re-enable for the CA switch to take effect.

If still no success, please provide the ticket ref you received the auto response & closure on.

1 Like


Thank you so much for the reply! I have no idea what to do with the API info you provided. Everything after “i.e.” is Greek to me – and I’m Greek!

I am a simple user who has had this site on Cloudflare for years without issue. Then apparently, your side made a change and took my site offline without notice, and I had to disable proxy to get it to display.

That thread also mentioned that there should be some sort of notice to those that this would impact. I never received anything about this. Is there a simple step-by-step that a novice can use to do this?

Here is the ticket: [Cloudflare Support] 2583130.

I know other folks just like me who have sites on Cloudflare – are they going to run into the same thing?

Thanks for any help you can offer on your side.

1 Like

Hi Judi

Thanks for the ticket ref.

New CA has been applied & further instructions are in your ticket.


Just saw that – THANK YOU! :wink:

1 Like

Update: If users come across this thread with the same issue - Our Engineers have just released the bug fix for this scenario overnight & therefore it should no longer be an issue.

ref: CUSTESC-22473


This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.