Cloudflare certificates not visible in browser, only edge certificates are visible


I have been using Cloudflare for a while now and am facing an issue where I deploy a Cloudflare origin certificate on the server, and it turns out the universal certificate is already enabled and the site only reflects that Let's Encrypt certificate. When I disable the universal certificate, it shows an SSL version/cipher mismatch error.

Before that, since traffic was proxied from Cloudflare, visiting the site would reflect the Cloudflare origin certificate instead of that universal certificate.

Looking for a solution where the Let's Encrypt certificate is not used and my website reflects the Cloudflare certificate.


You are mistaken. That’s not how Cloudflare works. When a site is proxied Cloudflare is responsible for displaying an SSL certificate to the visitor because it is providing SSL termination in order to provide security and performance services. Disabling Universal SSL in lieu of having a certificate you have purchased / deployed on the edge leaves no way for Cloudflare to perform this inspection and results in the cipher mismatch error you are experiencing.

If you want to communicate directly with the origin server you can disable the :orange: proxy in DNS and set the record to :grey: DNS Only. But Cloudflare’s origin certificate will simply produce a different error as it’s not trusted by browsers or really intended to be used in a manner where Cloudflare’s edge isn’t the service connecting to it.


So is there a way to display Cloudflare’s certificate attached below in the browser instead of displaying the Let's Encrypt certificate?


That certificate is not issued by a valid certificate authority. Cloudflare is not a trusted certificate authority. That is why they use partners like Let’s Encrypt to issue valid certificates for them to display on Cloudflare’s edge. The certificate you have will not be trusted by the client’s browser. You cannot use it on Cloudflare’s edge.

If you want to connect to it directly you need to disable Cloudflare’s proxy and send the traffic directly to the origin :grey:.


I understand your point. However, is this change implemented now?
Because earlier I used the Cloudflare origin certificate to deploy it on the server, set the TLS/SSL setting to Full (strict), and Cloudflare was displaying the certificate shared above on our site instead of that Let's Encrypt certificate. Please visit it shows a Cloudflare certificate; however, it is different from what is deployed (origin certificate from Cloudflare) on the server.
But now it is showing the edge certificate in browsers instead of the Cloudflare certificate which was displayed earlier.

You seem to have confusion around the term edge certificate. An edge certificate is known by that name because of its location on the network. The certificate detail from your screenshot is of an edge certificate, not an origin certificate.

The edge certificate is the one presented to your visitors by the Cloudflare proxy. An origin certificate goes on your server. It may be from a publicly recognized certificate authority or the Cloudflare Origin CA. The latter is trusted only by the Cloudflare proxy and will display an error in a web browser.

Cloudflare uses multiple certificate authorities. While the certificate you shared says that it was issued by Cloudflare Inc ECC CA-3 it is from the DigiCert CA. That issuer is being phased out of Cloudflare and while not yet completely gone, they will no longer be used at some point in the future.

You can add more control over your certificate issuer preferences by adding Advanced Certificate Manager. If you want to provide your own edge certificate, you can use Custom Certificates on the Business or Enterprise plans.


This is possibly due to configuration of the domain/server.

See that is going through Cloudflare

$ dig		187	IN	CNAME 187 IN A 187 IN A

but is not

$ dig		203	IN	A

And there is a LE certificate on

$ curl -svo /dev/null 2>&1 | grep -E '(issuer|subject)'
*  subject:
*  subjectAltName: host "" matched cert's ""
*  issuer: C=US; O=Let's Encrypt; CN=R3

while has a Cloudflare certificate

$ curl -svo /dev/null 2>&1 | grep -E '(issuer|subject)'
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.;
*  subjectAltName: host "" matched cert's ""
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3

And while and both redirect to the latter is a little hit-and-miss in terms of actual connectivity to the nginx server.
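Added example (not part of the thread and not Cloudflare tooling): a shell helper that reads the kind of `curl -sv` output quoted above and reports whether the presented certificate is an edge certificate or a Cloudflare Origin CA certificate. The `Origin SSL` issuer marker is an assumption about Origin CA issuer names, `example.com` and `203.0.113.10` are placeholders, and the sample lines are constructed.

```shell
#!/bin/sh
# Reads `curl -sv` output on stdin and classifies the certificate by issuer.
classify_cert() {
  # Take the first "*  issuer:" line curl printed for the server certificate.
  issuer=$(sed -n 's/^\*  *issuer: *//p' | head -n 1)
  case "$issuer" in
    "")
      echo "unknown: no issuer line found" ;;
    *"Origin SSL"*)
      # Assumed marker for Cloudflare Origin CA issuer names.
      echo "origin-ca: trusted only by the Cloudflare proxy" ;;
    *"Let's Encrypt"*)
      echo "edge: publicly trusted, issued by Let's Encrypt" ;;
    *"Cloudflare Inc ECC CA-3"*)
      echo "edge: publicly trusted, Cloudflare Inc ECC CA-3 (DigiCert)" ;;
    *)
      echo "other: $issuer" ;;
  esac
}

# Constructed sample input in the shape of the curl output quoted above.
sample_edge() {
  printf '%s\n' \
    '*  subject: CN=example.com' \
    "*  issuer: C=US; O=Let's Encrypt; CN=R3"
}
sample_origin() {
  printf '%s\n' \
    '*  subject: O=CloudFlare, Inc.; OU=CloudFlare Origin CA; CN=CloudFlare Origin Certificate' \
    '*  issuer: C=US; O=CloudFlare, Inc.; OU=CloudFlare Origin SSL Certificate Authority'
}

sample_edge | classify_cert
sample_origin | classify_cert

# Live use against your own site (hostname and IP are placeholders):
#   What visitors see at the Cloudflare edge:
#     curl -svo /dev/null https://example.com 2>&1 | classify_cert
#   What the origin itself presents, bypassing the proxy; -k is needed only
#   so curl prints the certificate details of an Origin CA certificate it
#   does not trust:
#     curl -ksvo /dev/null --resolve example.com:443:203.0.113.10 \
#       https://example.com 2>&1 | classify_cert
```

Seeing `edge` on the first command and `origin-ca` on the second is the expected result for a proxied site running Full (strict) with an Origin CA certificate on the server.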

The issue is that has the Cloudflare certificate showing up on the edge browser and that is CA authorized as it's not showing a red broken lock, but another website, is showing a Let’s Encrypt cert in the browser.
Considering the fact that both have origin certificates from Cloudflare on the server and traffic of both is proxied through Cloudflare, how do I make it so that also shows the Cloudflare cert instead of showing the Let’s Encrypt Universal cert in the browser?
I hope that I have made you understand the exact issue.

already answered this question for you.
