Outlook persistently shows an error that seems related to the origin certificate

Answer these questions to help the Community help you with Security questions.

What is the domain name?
reagent-tests.uk

Have you searched for an answer?
Extensively in the docs and using online searches

Please share your search results url:
?q=cloudflare+origin+certificate+error+outlook
?q=outlook+prevent+security+certificate+warning

When you tested your domain using the Cloudflare Diagnostic Center, what were the results?
This link does not work

Describe the issue you are having:
I have successfully set up Cloudflare on my site. Everything runs fine.
When I open Outlook, I get an error. It happens with all email addresses.

What error message or number are you receiving?
“The target principal name is incorrect”
“A certificate chain processed, but terminated in a root certificate which is not trusted by the root provider”

What steps have you taken to resolve the issue?

  1. Installing the certificate in Outlook. The procedure succeeds but nothing changes.
  2. Making registry edits to suppress errors in Outlook. (AllowOutlookHttpProxyAuthentication, SuppressNameChecks, SupressNameChecks, ShowCertErrors) No change.
  3. Buying a multi-domain SSL certificate for the site (I cannot add Cloudflare as a SAN apparently. I don’t know if this would have even worked)
  4. Changing Outlook to use the server IP instead of the mail.reagent-tests.uk (it just reverts back to mail.rea…
  5. Disabling Cloudflare DNS for the Autodiscover A-record

Was the site working with SSL prior to adding it to Cloudflare?
Yes, I never had this problem before using Cloudflare.

What are the steps to reproduce the error:

  1. Open or restart Outlook

Have you tried from another browser and/or incognito mode?
Not applicable

Please attach a screenshot of the error:

I am a chemist by training, so unfortunately a lot of the language around this is unfamiliar to me. I’m not able to find anyone with the same problem, and I have tried all the solutions for similar-sounding problems I found online.

The Cloudflare Origin Certificate you installed is provided for you to use on your server when you are dealing with Proxied (:orange:) records; it will error out like this when you are using Unproxied (:grey:) records.

For stuff like e.g. mail servers, where you must use Unproxied (:grey:) records, you won’t be able to use the Cloudflare Origin Certificate without seeing these certificate warnings, as the certificates aren’t publicly trusted.

If you want to avoid such warnings for records that are Unproxied (:grey:), you must obtain a valid certificate, for example through Let’s Encrypt.

2 Likes

The screenshot you posted indicates “Apache’s Installed SSL Resources”.

Apache is a web server, not a mail server, so I would somehow doubt that you’re looking in the right place.

The application (apparently running on NameCheap(?)) that needs the certificate changed is called Dovecot, which serves the IMAP and/or POP3 connections that your mail application (e.g. Outlook, according to your message above) uses to retrieve messages.

SMTP (which you use to send messages) already seems to present a proper certificate from my end, that currently appears to be valid starting from Jan 12 00:00:00 2023 GMT towards Feb 12 23:59:59 2024 GMT.

So it seems like you are maybe making progress already.

It may be on the same page you screenshotted above, but if not, try looking for an option in your cPanel/WHM for something in a path like this:

Service Configuration → Manage Service SSL Certificates

Then look for “Dovecot”, and replace the certificate in there, too.

Alternatively, if you find nothing indicating “Dovecot”, it could possibly be named “POP3” and “IMAP” too.

2 Likes
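
The two errors quoted in the question correspond to two separate checks a TLS client makes, and the replies above turn on which service presents which certificate. The following is an added example, not part of the thread: it assumes the `openssl` CLI is installed, and `mail.example.test` and the self-signed certificate are constructed placeholders.

```shell
#!/bin/sh
# Added example: map Outlook's two errors to two independent certificate checks.

# Fetch the leaf certificate a TLS service presents (993 = IMAPS, 995 = POP3S,
# 465 = SMTPS). Needs network access; not called by the offline demo below.
fetch_cert() {  # usage: fetch_cert HOST PORT > cert.pem
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509
}

# "The target principal name is incorrect": the name the client connects to
# is not among the names in the certificate.
name_check() {  # usage: name_check CERT.pem HOSTNAME
    if openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; then
        echo match
    else
        echo mismatch
    fi
}

# "...terminated in a root certificate which is not trusted": the chain does
# not end in a root from the client's trust store. An optional CA bundle is
# used as the trust anchor instead of relying on the default store.
trust_check() {  # usage: trust_check CERT.pem [CA_BUNDLE.pem]
    out=$(openssl verify ${2:+-CAfile "$2"} "$1" 2>/dev/null) || :
    case "$out" in *": OK"*) echo trusted ;; *) echo untrusted ;; esac
}

# Constructed sample: a throwaway self-signed certificate for a placeholder
# host, standing in for any certificate whose root is not publicly trusted.
make_sample() {  # usage: make_sample OUT_DIR
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mail.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) && make_sample "$dir" || return 1
    echo "name (mail.example.test):   $(name_check "$dir/cert.pem" mail.example.test)"
    echo "name (server.example.test): $(name_check "$dir/cert.pem" server.example.test)"
    echo "trust (default store):      $(trust_check "$dir/cert.pem")"
    rm -rf "$dir"
}

demo
```

Against a live server, save the output of `fetch_cert` for each mail port and run both checks with the exact hostname configured in the mail client; a port that reports `mismatch` or `untrusted` is the service whose certificate still needs replacing.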

Thanks, I found it tucked away in a settings page.

You can flag the post, select Something Else, and add a brief explanation.

1 Like
