Let's encrypt is being set as an edge certificate


I have an account with a few Cloudflare protected domains added already. All of them work fine. But now I added a brand new domain I just bought, changed the nameservers as usual and then waited until cf generates the edge certificate for me. However it wasn’t the usual Cloudflare cert, but Let’s encrypt.

Surprisingly it really says lets encrypt when I visit the site as well, even though the orange cloud is active, so cf is proxying the site.

This wouldn’t be an issue, as the site works in Firefox, but many other things such as curling the site or embedding links from my site to social media sites fail (the social media scraper cannot parse the opengraph metadata, because they find the cert invalid).

Curl reports the following:

curl -I https://domain.com
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.

I assume this has to do something with tls tickets.

And I found absolutely no way to migrate to normal Cloudflare certs. When I added another domain, it got a fresh cf one tho.

I have also tried deleting the domain from the Cloudflare network and then shorty after readding it. Didn’t help unfortunately.


The Let’s Encrypt cert is just as valid as the Cloudflare cert. It could be the other connections aren’t yet going through Cloudflare, or it’s a TLS/SSL setting here.

Give SSL Server Test (Powered by Qualys SSL Labs) a try and see if it reports any issues.


Cloudflare isn’t a certificate authority, so it’s never been a ‘Cloudflare cert’ per se. :slight_smile:

1 Like

Seemingly it was only happening with the old curl version windows uses. Works fine with the latest stable. However social media (Discord) still fails to scrape it.

There is absolutely no way to switch over to the cloudflare certificate though?

Good point, I meant the Cloudflare Inc ECC CA-3 certs.

This is probably an issue with minimum TLS level set for the zone vs. the certificate in use. There’s no real effective difference between a public cert issued by Let’s Encrypt vs. another CA.

1 Like

If you subscribe to Advanced Certificate Manager ($10 per domain per month) you can choose between Digicert and LE as the CA. You can also upload a custom certificate from a CA of your liking on Business and Enterprise plans.

I didn’t touch anything regarding the minimum tls level, it’s the default Cloudflare sets. But if the default is incompatible with the particular cert setting maybe that should be noted somewhere?

I was attempting to troubleshoot the actual issue with your 3rd party tool based on the information provided not making a comment about Let’s Encrypt vs. any other certificate type. Perhaps Discord can explain to you why their tool is failing. provide additional diagnostic information… it’s extremely unlikely that it’s because the certificate is issued by Let’s Encrypt.

1 Like

Well, I got no clue, but the only difference between the two domains is the cert. One works with discord and the other doesn’t. Since I had that issue earlier with an older curl, I assumed that might be the case that the LE cert is somewhat wrong.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.