Change Universal SSL CA from Let's Encrypt to Google, no more backup certificate?

Hello everybody,
As is known, it is possible to set the CA (Google or Let’s Encrypt) for the Universal SSL service via an API command (see here: I want to use Google Trust's SSL certificate instead of Let's Encrypt).
The procedure works.
However, I found that by setting the Google CA, the backup certificate is automatically deleted (I assumed it had to be re-issued via the Let’s Encrypt CA).
If you then set the Let’s Encrypt CA again, the backup certificate will not be reissued via the Google CA (so, no backup certificate is issued any more).
Have any of you encountered the same situation?

Hi @LucaDuca

Backup certificates are not normally deployed, but they will be deployed automatically by Cloudflare in the event of a certificate revocation or key compromise.

Thanks for the reply.
Yes, this is clear to me, but the behavior that I observed is:
Initial situation: “main” deployed cert issued by Let’s Encrypt, backup cert issued (but not deployed) by Google.
Then I (via an API call) changed the CA for Universal SSL from Let’s Encrypt to Google, and immediately:
Final situation: the Google CA cert becomes the “main” deployed one, but the backup cert (previously the one issued by the Google CA) is now missing (I expected, logically, to see the previous Let’s Encrypt cert or, anyway, another certificate issued by another CA).

So, in conclusion, beware of changing the CA (for Universal SSL) because you’ll lose the backup cert feature.
Is my statement correct?
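
A way to make the before/after comparison described above repeatable, as an added example that is not code from this thread or from Cloudflare: the script below records the issuers in the zone's Universal SSL certificate pack, switches the CA, re-reads the pack and reports whether a backup certificate disappeared. It assumes the Cloudflare endpoints `PATCH /zones/{zone_id}/ssl/universal/settings` (body `{"certificate_authority": ...}`) and `GET /zones/{zone_id}/ssl/certificate_packs?status=all`, and that a pack of type `universal` lists its certificates with an `issuer` field and names the deployed one in `primary_certificate`; the token, zone id and the sample pack data are constructed placeholders. Confirm the endpoint shapes against the current API reference before relying on them.

```python
"""Verify that a backup Universal SSL certificate survives a CA switch.

Added example. API paths and response fields are ASSUMPTIONS about the
Cloudflare API, not taken from the thread; check them against the docs.
"""
import json
import urllib.request
from typing import Any, Callable, Dict, List, Optional

API_BASE = "https://api.cloudflare.com/client/v4"

# A transport is any callable (method, url, headers, body) -> parsed JSON.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Dict[str, Any]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Dict[str, Any]:
    """Real HTTP transport using only the standard library."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class UniversalSslClient:
    def __init__(self, api_token: str, zone_id: str,
                 transport: Transport = urllib_transport):
        self.zone_id = zone_id
        self.transport = transport
        self.headers = {"Authorization": f"Bearer {api_token}",
                        "Content-Type": "application/json"}

    def _call(self, method: str, path: str, payload: Any = None) -> Any:
        body = json.dumps(payload).encode() if payload is not None else None
        data = self.transport(method, f"{API_BASE}{path}", self.headers, body)
        if not data.get("success"):
            raise RuntimeError(f"Cloudflare API error: {data.get('errors')}")
        return data["result"]

    def set_certificate_authority(self, ca: str) -> Any:
        # Assumed accepted values for the Universal SSL setting.
        if ca not in ("google", "lets_encrypt"):
            raise ValueError(f"unsupported certificate_authority: {ca}")
        return self._call("PATCH", f"/zones/{self.zone_id}/ssl/universal/settings",
                          {"certificate_authority": ca})

    def certificate_packs(self) -> List[Dict[str, Any]]:
        return self._call("GET", f"/zones/{self.zone_id}/ssl/certificate_packs?status=all")


def summarize_universal_pack(packs: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Issuer of the deployed cert plus issuers of every non-deployed (backup) cert."""
    for pack in packs:
        if pack.get("type") != "universal":
            continue
        primary_id = pack.get("primary_certificate")
        primary, backups = None, []
        for cert in pack.get("certificates", []):
            if cert.get("id") == primary_id:
                primary = cert.get("issuer")
            else:
                backups.append(cert.get("issuer"))
        return {"primary": primary, "backups": backups}
    return {"primary": None, "backups": []}


def switch_ca_and_verify(client: UniversalSslClient, ca: str) -> Dict[str, Any]:
    """Snapshot the pack, switch the CA, snapshot again, flag a lost backup."""
    before = summarize_universal_pack(client.certificate_packs())
    client.set_certificate_authority(ca)
    after = summarize_universal_pack(client.certificate_packs())
    return {"before": before, "after": after,
            "backup_lost": bool(before["backups"]) and not after["backups"]}


def fake_transport_from_packs(before_packs: List[Dict[str, Any]],
                              after_packs: List[Dict[str, Any]]) -> Transport:
    """Offline transport for dry runs: serves before_packs until the PATCH lands."""
    state = {"switched": False}

    def transport(method, url, headers, body):
        if method == "PATCH":
            state["switched"] = True
            return {"success": True, "result": json.loads(body)}
        return {"success": True,
                "result": after_packs if state["switched"] else before_packs}
    return transport


if __name__ == "__main__":
    # Constructed sample data mirroring the situation reported in the thread.
    before = [{"type": "universal", "primary_certificate": "c1", "certificates": [
        {"id": "c1", "issuer": "LetsEncrypt"}, {"id": "c2", "issuer": "GoogleTrustServices"}]}]
    after = [{"type": "universal", "primary_certificate": "c2", "certificates": [
        {"id": "c2", "issuer": "GoogleTrustServices"}]}]
    dry = UniversalSslClient("<api-token>", "<zone-id>",
                             transport=fake_transport_from_packs(before, after))
    print(json.dumps(switch_ca_and_verify(dry, "google"), indent=2))
```

For a live run, construct `UniversalSslClient` with a real token and zone id and the default transport; a `backup_lost` of `True` is the signal to raise a ticket before the deployed certificate is the only one the zone has.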

I can’t say I’ve ever tried switching my Universal SSL CA back and forth between providers.

If you’re back on Let’s Encrypt, and there’s still no backup cert, open a ticket if you’re on a paid plan, and post the Ticket # here so we can escalate. If not on a paid plan, please post the domain name and we’ll escalate without a ticket #.

Thank you very much. Anyway, given that it’s not a serious problem for me (I posted it here just to know if it’s an already-known issue), the (somewhat “crude”) solution that I have adopted is to move the zone to another Cloudflare account to reset Universal SSL to its initial state.