Freehostia Full strict mode with Origin CA certificate

I am having a hard time to set ssl end-to-end
The site is hosted at freehostia and if i set ssl to flexible mode then everything is fine.
To be able to change it to strict I tried to use Origine CA. I have generate an Origin Certificates, I received the key and the certificate.
However Freehostia request 3 fields to set ssl to a domain : key, certificate and CA. According to different doc I could read I used the Cloudflare Origin CA root certificate for the CA field and the corresponding elements for the 2 other fields. Freehostia accepted it and it looks like the domain was secured with ssl
I switched then from flexible mode to strict mode and as result the site is considered as non secured with the famous message " Your connection is not private"

Did I miss something? what did I do wrong?

Thanks in advance for your help


But if SSL works and you just get an untrusted certificate warning that might be because you aren’t going through the proxies yet but connect directly. In that case you will get such a warning as Origin certificates are not trusted by browsers. Just wait a couple of hours.

Thanks for the reply Sandro.
The domain is

The error has changed to 521 but the server is not down for sure.

Does the IP address you have configured on Cloudflare end in 171?

That machine appears to respond and there is the correct certificate configured. However the site’s content does not really seem to match the domain.

Sorry I am confused. I do not have configured an IP address on Cloudflare. I do not know what is this IP address ending by 171

Post a screenshot of your DNS records on Cloudflare.

The certificate appears to be correctly in place on your server. At this point you most likely have the wrong IP address configured on Cloudflare. But also verify the content on the server, as that will hardly match your site.

Replace the IP addresses with “”.

Where/how did you find this IP address Sandro?

It should now work, right?

It has for a few minutes and now not anymore

Seems to work fine for me

There was briefly an error, but that came from your server and you’d need to talk to your host about that.

Sandro, the IP address I set is the one my host provide me so please tell me where/how did you find this IP address?

I’m not quite entirely sure this is how it’s supposed to look.

Footer says, which looks to be hosted by Google User Content.

I did a replica of the site for test on gamernewsletter trying to find solution to speed up the site.

Right now, on my side, the site is swtiching from secured (as you shown) to not secure with the following error
Subject: CloudFlare Origin Certificate

Issuer: CloudFlare, Inc.

Expires on: Jul 1, 2035

Current date: Jul 5, 2020

PEM encoded chain:

That’s a direct connection. And if its switching back and forth, that sounds like DNS hasn’t fully propagated. That can take up to 48 hours.

ok great so I will wait.
However, as you have understood, this is a test and I would like to be able to reproduce it so I would like to know the way to get/check the right IP address as Sandro did (different form the one provided by the host) for future implementation. Please let me know how should I do it

Well, it does work, doesn’t it? If you are not sure about the IP address contact your host.

The earlier IP address does not support TLS.

This topic was automatically closed after 30 days. New replies are no longer allowed.