Origin SSL/TLS Certificate cached?

I have a Let's Encrypt wildcard certificate on my origin server. The origin server hosts multiple virtual hosts.
SSL/TLS is in Full (strict) mode.
Now that I have renewed the Let's Encrypt certificate, when I access the hosts I get the following results:

  • For hosts that are configured DNS only, the browser sees the renewed certificate
  • For hosts that are configured Proxied, the browser sees the old certificate

To me it looks like the Cloudflare proxy caches certificates.
If so, how long does the proxy cache certificates, and can I automate a refresh? We update Let's Encrypt certs on a regular basis and we don't want to run into a situation where we have to deal with expired certificates.

Proxied records will never show your origin certificate - they will see the Edge Certificate generated by Cloudflare’s Universal SSL or Advanced Certificate Manager.


Hm, when I look at the certificate, it tells me that it has been verified by Let's Encrypt and it even has the same expiry date as the old origin certificate.

You can see your edge certificates here: https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates

They can be issued by DigiCert, Comodo or Let’s Encrypt. Unless you’re using Custom Certificates (Business plan or above) where you upload the certificate yourself, they’re fully managed and renewed by Cloudflare.
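As an added check that is not part of this thread (example code, not Cloudflare's), the script below fetches the certificate a proxied hostname presents at the Cloudflare edge and the one the origin presents when contacted directly at its IP with the same SNI, then compares issuer, serial number and expiry so that two Let's Encrypt certificates are not mistaken for one. The hostname and origin IP in the live-use comments are assumed placeholders, and the embedded sample certificates are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

def fetch_cert(host: str, sni: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Verified TLS connection to `host` (name or IP) with `sni` as server name; returns
    the leaf certificate as ssl's getpeercert() dict. `host` = the proxied hostname gives the
    Cloudflare edge certificate; `host` = the origin's own IP gives the origin certificate."""
    ctx = ssl.create_default_context()  # verification stays on for both edge and origin
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()

def summarize(cert: dict) -> dict:
    """Pull out the fields that tell two certificates apart."""
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    return {
        "issuer": issuer.get("organizationName", "?"),
        "serial": cert.get("serialNumber"),
        "sans": sorted(v for k, v in cert.get("subjectAltName", ()) if k == "DNS"),
        "not_after": datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc),
    }

def compare(edge: dict, origin: dict, now: Optional[datetime] = None) -> dict:
    """Same issuer organisation is not the same certificate: issuer plus serial identifies it."""
    now = now or datetime.now(timezone.utc)
    e, o = summarize(edge), summarize(origin)
    return {
        "same_certificate": e["issuer"] == o["issuer"] and e["serial"] == o["serial"],
        "edge_days_left": (e["not_after"] - now).days,
        "origin_days_left": (o["not_after"] - now).days,
        "edge": e, "origin": o,
    }

# Constructed sample certificates (not real), shaped like getpeercert() output.
EDGE_SAMPLE = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "serialNumber": "04C2E1", "notAfter": "Jun 30 23:59:59 2025 GMT",
}
ORIGIN_SAMPLE = dict(EDGE_SAMPLE, serialNumber="03F7A9", notAfter="Sep 15 23:59:59 2025 GMT")
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock for the constructed samples

if __name__ == "__main__":
    # Live use with assumed values: the proxied name and the origin's IP (203.0.113.10 is a placeholder)
    # edge = fetch_cert("www.example.com", "www.example.com")
    # origin = fetch_cert("203.0.113.10", "www.example.com")
    print(compare(EDGE_SAMPLE, ORIGIN_SAMPLE, now=SAMPLE_NOW))
```

Run the two fetch_cert calls against your own zone and origin; `same_certificate` is expected to be False for a proxied host, and `origin_days_left` is the number your renewal automation actually controls.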


Thanks, got it.

