Recently the SSL cert for my host was renewed, but my SSL certs at my host didn’t automatically update. After speaking with tech support they believe it is partially to do with my Cloudflare setup. They advised that Cloudflare doesn’t resolve my actual nameservers (not the CF ones I changed to). I was told to add a new DNS record that points to my real nameservers, but I’m not certain how to do this. Should it be an A record or CNAME record? Besides type and target, I’m not sure what to put as the name. Any assistance would be greatly appreciated.
It sounds like you’re using cPanel. It’s easier just to install a Cloudflare Origin Certificate that doesn’t need to be renewed. You can also try setting SSL/TLS -> Edge Certificates -> “Always Use HTTPS” to OFF, but I prefer the Origin Cert method.
Thanks for your quick response! Yes, I am using cPanel. I created an Origin CA for my primary domain (same as my nameservers) and added them with no problem, but when I get to step 4, ‘Add Cloudflare Origin CA root certificates’, I get an error that self-signed certificates will show a warning in the user’s browser. Please advise.
A user’s browser should never see a Cloudflare Origin certificate. The very first warning in the article I linked to says so:
Origin CA certificates only encrypt traffic between Cloudflare and your origin web server and are not trusted by client browsers when directly accessing your origin website outside of Cloudflare. For subdomains that utilize Origin CA certificates, pausing or disabling Cloudflare causes untrusted certificate errors for site visitors.
I installed the Origin certificate, but on step four it says that some servers require the root certificate. When I attempt to install the Cloudflare root certificate, cPanel returns the following error, “This is a self-signed certificate. Self-signed certificates are easy for attackers to spoof, and they generate security warnings in a user’s web browser. You should only temporarily install this certificate until a valid certificate authority issues a signed certificate to replace it.” That is for the RSA root certificate in step 4.
I’ve never had to add the root certificate. I’d either:
- Not use that certificate because I’ve never had to.
- Ignore that warning because Cloudflare knows and accepts its own certificates.
Okay. All my SSL certs have updated correctly since I added the origin certificate. Thank you kindly for your help!
So that configuration worked for 20 days and then today all but two of my client domains showed expired SSL certs in cPanel. I contacted my host and they advised me to change the A records that point to my IP to DNS only. After that they ran auto SSL update and all of my domains that are not setup in Cloudflare updated their certs correctly. However, all the domains I do have setup in Cloudflare still show expired certificates. I don’t understand what changed, but while I was logged into my Cloudflare account today I received two API error warnings. Please advise what I should do now.
It sounds like cPanel is messing up your Origin Certs. Origin Certs default to 15 years. If you have AutoSSL enabled, that might be the problem and you should disable AutoSSL for those hostnames.
What if I remove my reseller domain from Cloudflare? Would that resolve this issue? Not every domain I have control of is going to use Cloudflare.
I am also having trouble with the APIs/cron jobs for my reseller domain running for WHMCS.
So I talked to my host again and they advised me that my CF config has nothing to do with my WHMCS issues. They also suggested to change my encryption level to Flexible and then disable the auto SSL updates. We’ll see how that works.
The problem with disabling auto SSL in cPanel is that mail for my domains stops working, because Thunderbird and Outlook will require a security exception to download mail, claiming the SSL cert is expired. Clients using Gmail with their email accounts can’t send mail at all. The cPanel certs have to update correctly for email to function without security errors.
Because CF only allows mail to run on a particular port that is not compatible with my host, my mail has to run DNS only. That means my cPanel certs have to update.
This has been a known issue between cPanel and Cloudflare for at least a year.
The solution is to pause CF service for each domain configured to use CDN, then go into cPanel and auto update the SSL certs, then re-enable CF for each domain.
Adding A records for my IP to the DNS settings and the Cloudflare Origin certificate to my reseller domain does not allow cPanel auto SSL to function properly.
For cPanel, I have a separate hostname for mail…because that’s necessary with Cloudflare. I use ‘mail.example.com’, and that hostname is set to . And on cPanel, I’ve disabled AutoSSL for everything, except the ‘mail’ hostname. No problems.
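The recurring question in this thread is which certificate is actually being served: the Cloudflare Origin CA cert (only trusted behind the proxy), cPanel’s self-signed fallback, or a publicly trusted one that AutoSSL installed. The script below is an added example, not code from any poster or from Cloudflare; it compares the certificate a hostname serves through Cloudflare with the one the origin serves directly (connecting to the origin IP with SNI set to the hostname), which is the check to run after the pause-CF / renew-in-cPanel / re-enable procedure above, and against a DNS-only mail hostname. It needs openssl and GNU date (with a BSD date fallback); `www.example.com` and `203.0.113.10` are placeholders, and the classification relies on the Origin CA issuer name containing “CloudFlare Origin”, which is an assumption about Cloudflare’s issuer string.

```shell
#!/bin/sh
# Added example (not from the thread): show which certificate a hostname
# serves (a) through Cloudflare and (b) straight from the origin, so you can
# tell whether cPanel/AutoSSL renewed the cert on the box or the Origin CA
# cert is still in place. Needs openssl; uses GNU date (BSD fallback).
# Hostnames and the IP in the usage comment are placeholders.

# Dump subject/issuer/notAfter of the cert served for HOST ($1) when
# TCP-connecting to CONNECT_TO ($2: origin IP, or the hostname itself to go
# through the Cloudflare proxy), with SNI set to HOST.
cert_info() {
    printf '' | openssl s_client -servername "$1" -connect "$2:443" 2>/dev/null \
        | openssl x509 -noout -subject -issuer -enddate
}

# Classify a cert from its "subject=..." and "issuer=..." lines:
#   cloudflare-origin : Cloudflare Origin CA, trusted only behind the proxy
#                       (assumes the issuer name contains "CloudFlare Origin")
#   self-signed       : subject and issuer identical (cPanel's fallback cert)
#   public-ca         : anything else (e.g. what AutoSSL installs)
cert_kind() {
    subj=${1#subject=}; iss=${2#issuer=}
    case $(printf '%s' "$iss" | tr 'A-Z' 'a-z') in
        *"cloudflare origin"*) echo cloudflare-origin ;;
        *) [ "$subj" = "$iss" ] && echo self-signed || echo public-ca ;;
    esac
}

# Days until the "notAfter=..." date printed by openssl (negative = expired).
days_until() {
    exp=${1#notAfter=}
    epoch=$(date -u -d "$exp" +%s 2>/dev/null) \
        || epoch=$(date -ju -f '%b %e %H:%M:%S %Y %Z' "$exp" +%s)
    echo $(( (epoch - $(date -u +%s)) / 86400 ))
}

# Usage: ./certcheck.sh www.example.com 203.0.113.10
# Prints the proxied cert first, then the one the origin itself serves.
if [ "$#" -eq 2 ]; then
    for target in "$1" "$2"; do
        echo "== $1 via $target"
        info=$(cert_info "$1" "$target") || { echo "  no TLS answer"; continue; }
        subj=$(printf '%s\n' "$info" | grep '^subject=')
        iss=$(printf '%s\n' "$info" | grep '^issuer=')
        end=$(printf '%s\n' "$info" | grep '^notAfter=')
        echo "  kind: $(cert_kind "$subj" "$iss"), expires in $(days_until "$end") days"
    done
fi
```

If the proxied view shows a public CA cert with months left while the direct-to-origin view shows an expired or self-signed cert, the Cloudflare edge cert is fine and it is the cPanel-side cert (the one mail clients hitting the DNS-only mail hostname see) that AutoSSL failed to renew; if the origin shows `cloudflare-origin`, browsers reaching the origin without the proxy will warn, exactly as the article quoted earlier says.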