Edge certificate expired and did not renew. Have to pause CloudFlare in order for site to be accessible

Hello! I have a site that was working fine over SSL. The universal edge certificate expired yesterday and failed to renew. The site is now inaccessible until I pause Cloudflare. When I pause Cloudflare the site works again using the hosting origin certificate.

Previously the site was working fine over full (strict) SSL for the past year.

I’ve followed all the common solutions I’ve seen in the community forum here to try and get the expired certificate removed and a new one issued. Nothing has worked. I have about a dozen or so more sites that I suspect this will soon be an issue on. (I believe most of these were digicert certificates issued about a year ago.)

What steps have you taken to resolve the issue?

  1. Disabled Universal SSL, waited 15 minutes and re-enabled. Tried again waiting 2-3 hours before re-enabling. Didn’t work.

  2. Tried unproxying and reproxying the domain in DNS settings.

  3. Tried using the API to switch certificate etc., and no matter what I’m unable to use API calls. It always tells me the authorization headers for email and global API key are missing even though they aren’t. I’m following the API documentation examples and substituting in my global API key, zone ID and account email in the appropriate places. I even tried creating an API token and using the API token authorization bearer method instead of the email and authorization key. It still won’t.

I’ve opened a ticket (#2575949) but I’m willing to try suggestions if I’ve missed something. Thanks!


Just wanted to update the thread. Support ended up contacting me back. They were able to issue a new certificate for the site. I don’t think anything on my end was going to make it work. Just seemed to be stuck. Now if only I can figure out what’s wrong/what I’m doing wrong with API authentication and cURL. Another problem for another day I suppose!

So I noticed another one of our sites had the same thing happen: the universal edge SSL certificate expired and did not renew. When that happens the only way to make the site accessible is to pause Cloudflare. These are domains using CF name servers. Nothing I’ve read here in the forum seems to help.

  1. Disabling Universal SSL waiting 15 minutes to a few hours and re-enabling doesn’t work.
  2. Grey clouding and then re-proxying DNS does nothing.
  3. I can’t get any of the API cURL commands to work... although I’m not convinced they would help even if I could get them to successfully run.
  4. I haven’t tried deleting the domains and re-adding them to Cloudflare, but I’ve seen other posts where people have reported that doesn’t help either.

Does anyone have any other suggestions? I have another dozen to a dozen and a half domains. It’s becoming apparent none of my Universal edge certificates are going to autorenew. I’ve got another 8 or so with certificates expiring this month. Contacting support to get each one fixed isn’t going to be fun for me or support. (I’m on the free plan so I have to jump through a few extra hoops to get help.)

Update: I figured it out.

It appears there may be a known issue with the old DigiCert-issued certificates not auto-renewing when the time comes. Evidently CF no longer uses DigiCert to issue the universal free edge certificates. They use Let’s Encrypt. When the time comes for an old DigiCert certificate to auto-renew it can’t without errors and it fails. At least for me. No warnings. Site just went dead with cipher mismatch SSL errors in browsers etc. Luckily I discovered the issue on the first 2 affected domains within 24 hours.

The disable/re-enable universal SSL didn’t work. Just re-issues/re-enables the expired certificates for me.

If you open a ticket (even as a free plan user) support will typically be able to issue a new certificate for you. I didn’t want to do this for nearly two dozen domains.

I could NOT get cURL commands to work in Windows. I was unsuccessful using Windows’ built-in cURL and downloading the latest Windows package and trying that. I could never get successful authorization.

The commands seem pretty simple and I was able to run other API calls/commands via cURL. I’m sure I was doing something wrong or something was off with my setup for CF authorization. I’m admittedly new to cURL and was running out of time and patience to dig deeper.

What did work was creating a free Postman account and using the Postman desktop app to use the API and change the SSL certificate provider to Let’s Encrypt. When I did this, it forced Cloudflare to issue new certificates and backup certificates for my domains.

Since I know many are probably new to this and in the same boat I thought I’d share what worked for me on Windows. Here’s a quick rundown of what I did to successfully use the API to issue new Let’s Encrypt certificates for the older DigiCert domains in my account. Essentially, Postman is a graphical user interface for issuing API commands you would normally issue via a command line interface.

  1. Create API Token in Cloudflare.
    I created an API token in Cloudflare with proper permissions. I think something along the lines of permission to read and write Zone Settings and SSL and Certificates. I then used that token for

  2. Create a free Postman Account

  3. Download and install the Postman desktop app (I’m on windows)

  4. Select PATCH instead of GET

  5. Entered the following URL:
    https://api.cloudflare.com/client/v4/zones/**ENTEREDMYOWNZONEIDFROMCLOUDFLAREHERE**/ssl/universal/settings

Note you need to obtain the “Zone ID” for your domains. Copy and paste that in the URL above where text indicates you need to do so. It is listed in Cloudflare in the “overview” area for your domain(s).

  6. Click the “Headers” tab in Postman. Select/enter “Content-Type” and then select JSON as the type.

  7. Select the “Auth” tab in Postman and select “Bearer Token” under type. You can then cut and paste your Cloudflare API token in the value area. (The token you created in step 1.)

  8. Click the “Body” tab. Select RAW and ensure JSON is the type.
    I then typed:

{"certificate_authority": "lets_encrypt"}

in the body area.

  9. Click SEND. You should get a success or failure response. If it fails the error message should give you an idea of what went wrong. This forces CF to issue new certificates via Let’s Encrypt and replaces the expired or existing DigiCert-issued certificates.

  10. You can view the edge certificates within Cloudflare SSL settings. You’ll probably see the new certificate pending TXT validation along with the old ones. Give it a few minutes. Cloudflare handles all that for you at this point. Soon the old expired certificates will be gone and the new Let’s Encrypt certificates should be active. You can easily verify the certificate in a browser or via API if need be.

Sorry for the long post. I’m hoping it helps someone along the way.
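The Postman steps above boil down to one HTTP request: a PATCH to `/zones/{zone_id}/ssl/universal/settings` with a Bearer token and a JSON body. The following is an added example, not code from the poster or from Cloudflare, that builds exactly that request with Python's standard library so it can be inspected before anything is sent, and that reads the standard Cloudflare v4 response envelope (`success`, `errors`, `result`) to tell a successful switch from an authentication failure. The zone ID and token values are placeholders, and the two sample response envelopes are constructed for illustration rather than captured from the API.

```python
"""Build and check the Cloudflare 'switch Universal SSL CA to Let's Encrypt'
request described in the thread. Added example; the zone ID and API token
used below are placeholders, and SAMPLE_* envelopes are constructed."""
import json
import re
import urllib.error
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"
# Cloudflare zone IDs are 32 lowercase hexadecimal characters.
ZONE_ID_RE = re.compile(r"^[0-9a-f]{32}$")


def build_ca_switch_request(zone_id, api_token, certificate_authority="lets_encrypt"):
    """Return the PATCH request (Bearer auth, JSON body) without sending it."""
    if not ZONE_ID_RE.fullmatch(zone_id):
        raise ValueError("zone_id must be the 32-character Zone ID from the zone Overview page")
    if not api_token or api_token.lower().startswith("bearer "):
        raise ValueError("pass the bare API token; the 'Bearer ' prefix is added here")
    url = f"{API_BASE}/zones/{zone_id}/ssl/universal/settings"
    # json.dumps produces the body; no shell quoting is involved.
    body = json.dumps({"certificate_authority": certificate_authority}).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="PATCH")
    req.add_header("Authorization", f"Bearer {api_token}")
    req.add_header("Content-Type", "application/json")
    return req


def describe_request(req):
    """Flatten the request into plain values for a pre-flight check, token redacted."""
    headers = {}
    for name, value in req.header_items():
        key = name.lower()
        headers[key] = "Bearer <redacted>" if key == "authorization" else value
    return {
        "method": req.get_method(),
        "url": req.full_url,
        "headers": headers,
        "body": json.loads(req.data.decode("utf-8")),
    }


def interpret_response(payload):
    """Summarise a Cloudflare v4 envelope ({'success', 'errors', 'result'}) in one line."""
    if payload.get("success"):
        result = payload.get("result") or {}
        return (f"ok: certificate_authority={result.get('certificate_authority')} "
                f"enabled={result.get('enabled')}")
    errors = "; ".join(f"{e.get('code')}: {e.get('message')}"
                       for e in payload.get("errors", []))
    return f"failed: {errors or 'no error details returned'}"


def switch_certificate_authority(zone_id, api_token):
    """Send the request for real and return the interpreted one-line result."""
    req = build_ca_switch_request(zone_id, api_token)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return interpret_response(json.load(resp))
    except urllib.error.HTTPError as err:
        # Cloudflare returns the same JSON envelope on 4xx responses.
        return interpret_response(json.loads(err.read().decode("utf-8")))


# Constructed sample envelopes (not captured from Cloudflare) showing both outcomes.
SAMPLE_SUCCESS = {
    "success": True, "errors": [], "messages": [],
    "result": {"enabled": True, "certificate_authority": "lets_encrypt"},
}
SAMPLE_AUTH_FAILURE = {
    "success": False, "messages": [], "result": None,
    "errors": [{"code": 10000, "message": "Authentication error"}],
}

if __name__ == "__main__":
    # Placeholder credentials; substitute your own Zone ID and API token.
    request = build_ca_switch_request("0" * 32, "YOUR_API_TOKEN_PLACEHOLDER")
    print(json.dumps(describe_request(request), indent=2))
    print(interpret_response(SAMPLE_SUCCESS))
    print(interpret_response(SAMPLE_AUTH_FAILURE))
```

Running the script prints the request it would send (with the token redacted) and the two sample interpretations; call `switch_certificate_authority(zone_id, token)` to actually perform the change. Because the headers and body are set programmatically, the request is identical on Windows and POSIX systems, which removes the shell quoting differences that often break pasted cURL examples. An API token scoped to the zone's SSL and Certificates settings is all the request needs; the global API key and email headers are not used here.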

