Cloudflare origin certificate is not trusted

I originally had Cloudflare installed with an SSL certificate from cPanel, so when I disable or pause Cloudflare my site is still secure and I get the lock next to the domain. However, I tried installing the Cloudflare Origin SSL certificate, and when I pause Cloudflare it says the certificate is not trusted.

My question is: how do I know if my site is secure from Cloudflare to my server if I'm getting a non-trusted certificate when I disable Cloudflare?

Is it more secure to use the cPanel SSL or the Cloudflare Origin SSL?

I noticed that if I'm using the Cloudflare one it allows me to select Full (Strict), which seems more secure.

Origin certificates are only trusted by Cloudflare, not by browsers. If you keep your records always proxied, you can keep the Origin certificate; otherwise you should configure a publicly accepted one, such as Let's Encrypt.

Hey guys,

Had a similar problem myself. Been running Cloudflare Origin certs for a few months, plus HSTS preloaded on the Chrome browser list. Everything running smoothly on 10 sites.

Then Thursday evening I log into cPanel and it says the domain is not pointing on my primary domain. When I enquire, support says that the IPs were updated and I'm still on the old ones. Flush your DNS settings and tick the two boxes to keep the same settings.

Longest two boxes I've ever ticked. :)

So initially I'm thinking DNS issue, not a certificate issue. Eventually I got to the bottom of it, deleted all the origin certs and installed the Let's Encrypt one from Hostinger.

My question is why has it been okay up till now if browsers don’t accept them? Especially when my sites are hard coded into the browser?

Would also like to point out that people are wrongly saying it's only for the origin because they call it an origin certificate, but it actually encrypts from end to end, so browsers do support it.

Unfortunately I haven't got a screenshot of the error messages, but it said something to do with hidden details so they couldn't verify it.

Apologies for the long post.

If your site is proxied (orange cloud) in Cloudflare then the users are seeing a valid certificate delivered from the Cloudflare edge, and Cloudflare is seeing your Cloudflare Origin cert. Users are not connecting to your origin, so they never see the Cloudflare Origin cert.

Hi Michael, that's exactly how I understood it... initially. But the diagram explains it as if it's one single connection regardless of whether you're running Full or Strict SSL. The only difference, it seems, is that the strict certs are named individually whereas the Let's Encrypt ones are universal.

Also they’re both installed on the origin so that’s misleading anyway, surely?

Maybe the diagram is to simplify it for the website?

And the origin certs aren’t as strong cryptographically, I don’t think. Roughly half the size.

1. When I first installed it at Hostinger, both certs showed at first. Then it only started showing the Cloudflare cert.
2. They have been working for at least 4 months up until two days ago.
3. Seems strange that all of a sudden they were flagged on every browser?

Thanks for your help.

It is definitely not a single connection. There is a TLS connection from Browser to CF, then a separate connection from CF to your Origin. From the documentation:

Origin CA certificates only encrypt traffic between Cloudflare and your origin web server and are not trusted by client browsers when directly accessing your origin website outside of Cloudflare. For subdomains that utilize Origin CA certificates, pausing or disabling Cloudflare causes untrusted certificate errors for site visitors.

The default origin RSA cert has a key length of 2048, which is the current norm. You can upload a CSR specifying a longer key length.

You say you or your provider made changes to certificates and/or IP addresses last Thursday. It is likely that that change was the cause of the error messages you saw.
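To see for yourself what the two-connection model means in practice, here is an added check script (not from this thread or from Cloudflare): it connects straight to the origin IP with SNI for your domain, which is exactly the path visitors take when the zone is paused, and reports whether the certificate the origin presents is publicly trusted or only trusted by Cloudflare's edge (issued by the Cloudflare Origin CA). ORIGIN_IP and DOMAIN are placeholders; it uses the openssl CLI and its default trust store.

```bash
#!/usr/bin/env sh
# Added example: probe the origin directly, bypassing the Cloudflare edge.
set -u

# Classify two lines of openssl output:
#   $1 = the "Verify return code: N (text)" line from `openssl s_client`
#   $2 = the "issuer=..." line from `openssl x509 -noout -issuer`
# Prints: public-trusted | origin-ca-only | untrusted-other
# "public-trusted" means a browser would accept it with Cloudflare paused;
# "origin-ca-only" means only Cloudflare (Full (Strict)) will accept it.
classify() {
  verify_line=$1
  issuer_line=$2
  case "$verify_line" in
    *"Verify return code: 0 "*) echo "public-trusted"; return 0 ;;
  esac
  case "$issuer_line" in
    # Both Cloudflare Origin CA roots (RSA and ECC) carry this issuer name.
    *"CloudFlare Origin SSL"*) echo "origin-ca-only"; return 0 ;;
  esac
  echo "untrusted-other"
}

# Handshake with the origin IP using the domain as SNI, as a browser would if
# DNS pointed at the origin (i.e. Cloudflare paused or the record unproxied).
probe_origin() {
  ip=$1
  domain=$2
  out=$(openssl s_client -connect "$ip:443" -servername "$domain" \
          -showcerts </dev/null 2>/dev/null)
  verify_line=$(printf '%s\n' "$out" | grep 'Verify return code' | head -n 1)
  # `openssl x509` reads the first (leaf) certificate in the captured output.
  issuer_line=$(printf '%s\n' "$out" | openssl x509 -noout -issuer 2>/dev/null)
  echo "$issuer_line"
  classify "$verify_line" "$issuer_line"
}

# Usage: sh check_origin.sh ORIGIN_IP DOMAIN   (placeholders: supply your own)
if [ "$#" -eq 2 ]; then
  probe_origin "$1" "$2"
fi
```

If the result is origin-ca-only, the Cloudflare-to-origin hop is still encrypted and validated under Full (Strict), but pausing Cloudflare will produce exactly the untrusted-certificate error described above.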


Yes, that’s how I originally thought it was, but I’m now aware of exactly what went wrong.

  1. Cloudflare Origin was working in combination with Cloudflare SSL.

  2. It does say you will get errors if you pause Cloudflare with this setup.

  3. I’ve only paused CF temporarily, but with my IP address issue it was paused longer so gave the errors time to kick in.

It was pausing CF that caused my problem. Not an issue with how anything was installed.

The certificates are actually smaller, not less secure. It’s a difference in size that I had mistaken for a less secure cert.

Thanks for the help.
