Older browsers cannot see Cloudflare SSL Certificate

My site on Cloudflare with SSL works great, however older browsers that are no longer supported cannot verify/see the SSL certificate.

I understand older browsers cannot verify SSL certificates, but they should still see the certificate and allow the option of viewing the website in unsecure mode. I have seen this working on other domains showing the SSL certificate was issued by “sni.cloudflaressl.com” but I cannot get this to work on my domains in Cloudflare.

How can I solve this?

Which browsers are we talking about? If they do not support SNI, they will never get the certificate in the first place and hence won't be able to load the site either, regardless of whether secure or insecure.

The use case, where I’m seeing the error, is Chrome 49, the last stable version that works using Windows XP.

Chrome 49 should support SNI. Which content do you actually get returned? Post a screenshot.

I’d nonetheless strongly suggest upgrading XP and Chrome; both are hopelessly outdated at this point and a serious security issue.

I agree people should move on from XP, as support reached EOL in 2016. However, we still have a small percentage of users continuing to use XP.

This version of Chrome definitely supports SNI, as I have seen other sites using Cloudflare SSL certificates using the same browser.

I know a secure connection is not possible, but I want to solve this so Chrome can still recognize the SSL.

Screenshot of my website, where it does not see the SSL:

And screenshot of another site, using the same browser, and it recognizes the “sni.cloudflaressl.com” SSL:

In that case it could be an issue with the SSL version. The error description actually refers to that. What's the domain?

The domain is <redacted>

Your site seems to go back to TLS 1.0, so it shouldn't be the version. In that case it might be the cipher. There is a chance a dedicated certificate could fix that, but you should definitely clarify this with support before ordering it.

When I view other sites on Cloudflare, some are using a dedicated certificate because they show issued to the specific “domain.com” and work ok. I was considering this option, but…

I also see other sites on Cloudflare not using a dedicated certificate because they show issued to “sni.cloudflaressl.com” as in the screenshot above, and they work well too.

Any idea or thoughts about why these “sni.cloudflaressl.com” can be seen, where my site cannot?

And thank you for your help, I appreciate it. I’ve read through countless support articles and have not been able to solve this problem.

That might depend on the issued certificates. With such outdated platforms you won't really have any guarantees. My primary advice would be to upgrade these systems to supported versions. Otherwise you could try with a dedicated certificate, but again should clarify this with support first.

I understand. I will contact support and see if they can assist.

From within my Cloudflare control panel, are there any options that could be enabled/disabled that might affect this? And is there a place in the control panel to manually have Cloudflare reissue the certificate and hope that solves the issue?

You could play with the settings at https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates. There you could also disable Universal SSL, wait some time, re-enable it, and hope you might get a different certificate. It furthermore might depend on the overall plan your site is running on.

Support is probably your best contact at this point, though I’d still strongly advise upgrading that machine.

Thank you again for your help. I appreciate you taking the time.

I purchased a Dedicated SSL for $5 a month. Now, when I view the SSL certificate, the common name shows the domain name and the problem is fixed. Older browsers can view the site, see the SSL, and allow the option to view with an unsecure warning, which is fine for those users.

But I still don’t understand how other Cloudflare websites, which clearly show “sni.cloudflaressl.com” for the SSL, can be seen by these same older browsers?

I’m still waiting for an answer from Cloudflare Support…

After a lengthy back and forth with Cloudflare Support, I finally got someone from their support team to give me a specific answer for why some Universal SSL certificates issued by Cloudflare work for older browsers, and others do not. To quote:

"There are two active pipelines for SSL in Cloudflare - the new one uses Digicert, while the old one uses Sectigo (Comodo).

These two pipelines have different certificates - hence you can see the difference between sites - even in the same account.

Over this year, all renewals will be moved to Digicert SNI by default. If needed, for any paid plan, we can move to non-SNI support."

Hope that helps anyone else who is having the same problem. Looks like older browsers that support SNI cannot see the Universal SSL Certificates moving forward, and paying the $5 per month for a Dedicated SSL Certificate is the cheapest/easiest solution.

