Origin server certificate - broken chain of trust


I have the following setup:

  • My server is hosted on Heroku
  • I am using Cloudflare as DNS provider to route traffic to the server
  • I do not want to proxy traffic through Cloudflare (i.e. turning on Proxied on my Cloudflare DNS record)

So I created a origin server certificate on Cloudflare dashboard (using Let’s Encrypt cert), and installed on Heroku. I installed this cert together with the Cloudflare origin RSA PEM cert I found here Origin CA certificates · Cloudflare SSL/TLS docs.

The issue is that I got site not secured warning on Chrome. SSL checker (SSL Checker) is showing that the trust chain is broken. Please see attached image.

Is there another root CA that I need to include in this chain? I have googled but couldn’t find anything. I also tried to add Let’s Encrypt root certs but that doesn’t work either.

I really appreciate some help to fix this.



The Cloudflare origin certificate is only trusted by Cloudflare and therefore requires the use of the proxy, see…

If you don’t want to use the proxy then you’ll need to use a certificate from LetsEncrypt or another trusted CA.