Hi, My SSL universal certificate expired


My SSL universal certificate expired . I tried to “disable/enable universal SSL”, delete and add the domain again but I don’t see any result.

This domain isn’t using Cloudflare DNS Record. You need to renew the certificate on the host

How do I do this??
Do you name server?
I change dns to!!

That is a resolving nameserver and has nothing to do with your domain. Even if you add your domain to Cloudflare, you need a certificate on your origin server. You need to fix that with your host first.


I created a new subdomain and got a certificate.
I have 10 subdomains, all of which have certificates
But this subdomain has a problem

I see Cloudflare nameservers on your domain.

domain:		mahurant.ir
ascii:		mahurant.ir
nserver:	blair.ns.cloudflare.com
nserver:	michael.ns.cloudflare.com

Your subdomain is too deep for universal SSL.


The proxy certificate could still be fixed, but that won’t fix the server certificate of course :slight_smile:

To emphasize the point @sandro is making, you need to have a valid certificate on your origin server. Fix that at your host before you worry about Cloudflare.


All my subdomains are deep

And two days they got certificate.

Check it

That name is also too long for Universal SSL.

Not from Cloudflare. If you look at the IP of that name, it is not :orange: proxied. The certificate is on your origin server. You need to obtain the certificate for your new subdomain the same way you did for this one.

1 Like

Do you mean that my certificate is from Hetzner?

But I don’t think
so, my deep subdomains got a certificate from Cloudflare with proxy ON.
I create subdomain with the proxy off. Is it not possible to activate it manually for me?
I think this is a bug

The whole thing is not Cloudflare related in the first place. @Cyb3r-Jak3 already mentioned how to address this, contact your host.

1 Like

Your certificate is from Let’s Encrypt. It is on your server at Hetzner. You are not using the :orange: Cloudflare proxy, ergo it is not possible for you to have a certificate from Cloudflare.

It is not a bug.

If you have an Advanced Certificate Manager subscription on your domain, it is possible, but again, you still need a certificate on your Hetzner server. You have one your other domain. If you don’t know how you obtained it, then you may want to

There is nothing more that Cloudflare or the Community in provide in this matter.


Cloudflare sits on top of your origin server if the DNS record is proxied. In this case, you will have a certificate from your origin server and also from Cloudflare. So you will have 2 SSL certificates, which is pretty much required for the Cloudflare proxy to work properly.

If you do not have the DNS record proxied, Cloudflare cannot get involved at all and you will only have a certificate from your origin server.

Note that Universal SSL won’t cover subdomains that are too deep. So if you would like it proxied, you’ll need to buy Advanced Certificate Manager and fix your origin server SSL.

If you don’t want it proxied/don’t want to use it with Cloudflare, disable the proxy altogether and fix your origin server SSL.

There are some insecure methods too, but they don’t need to be covered.

Hope this helps.

1 Like

Other than this misnomer, you have provided a thorough summary. While I know that you understand it, I will elucidate for the benefit of the reader who does not.

The certificate on the origin server encrypts the traffic between the Cloudflare proxy and the origin server, while the edge certificate only encrypts traffic between the Cloudflare proxy and the visitor, so there is no double encryption happening.

True, and for that reason - and for being a legacy setting - doesn’t even need to be discussed.

As mentioned, the whole thing is not a Cloudflare issue and @Cyb3r-Jak3 summarised already what the OP needs to do.

1 Like

Fixed. What I meant was technically correct with context. It’s double layered because there are 2 certificates (2 being double what you’d have if it was just your origin server and no proxy).

So there’s double/2 certificates, but yes you’re right when you say no double encryption. I didn’t mean double in that sense. Maybe a misunderstanding of what I meant there?

I’ve edited my reply to avoid people assuming that’s what I meant, as it’s kind of implying that I guess depending on how you read it.

Maybe you’re right. But I wanted to at least give the option.


I know, but I felt like getting involved as I’m allowed to. :slight_smile:

No offence, but I’d argue it’s not much of an option. It will only make the site insecure and drop proper encryption.