Outlook suddenly shows an error message that the Cloudflare certificate is not trusted

Answer these questions to help the Community help you with Security questions.

What is the domain name?
zeitra.net

Have you searched for an answer?
Yes

Please share your search results url:
This seems kinda related:

When you tested your domain, what were the results?
Access via the browser is secured, Outlook causes problems

Describe the issue you are having:
Yesterday everything went smoothly, this morning I wanted to check my mail in Outlook and was told that the Cloudflare Origin CA is not trusted

What error message or number are you receiving?
A certificate chain was processed but ended with a root certificate that is not trusted by the provider

What steps have you taken to resolve the issue?

  1. Reassigned the certificate
  2. Created a new LetsEncrypt certificate to handle the mail services.
  3. Checked the validity date of the Cloudflare certificate

Was the site working with SSL prior to adding it to Cloudflare?
Everything worked until this morning, no changes were made, the error came out of nowhere

What are the steps to reproduce the error:

  1. Open Outlook
  2. Wait until Outlook tries to retrieve the mails from the server

Have you tried from another browser and/or incognito mode?
This is not a browser problem
Please attach a screenshot of the error:


You cannot use the Origin certificate for anything related to email.

That is the correct solution. If the Origin certificate is served for POP3 / IMAP anyway, the problem lies with your mailserver configuration.

1 Like

I have attached a few screenshots showing my configuration.
For the mail services etc. the “R3” certificate is used, so LetsEncrypt.

The error still occurs though, I’m just wondering how this can happen so abruptly as there was no problem at all yesterday and definitely none of the certificates have expired, no configurations have changed in Cloudflare or on the mail server either.


Which names does your “r3” certificate cover?

It is a wildcard cert, so it covers “zeitra.net” and “*.zeitra.net”

2 Likes

Honestly, if you have a valid wildcard certificate anyway, I’d just delete the Origin certificate. It should hopefully not cause any problems then.

Just out of curiosity, do you obtain your wildcard cert by performing the ACME DNS challenge by hand?

Honestly, if you have a valid wildcard certificate anyway, I’d just delete the Origin certificate. It should hopefully not cause any problems then.

But then I would not be able to activate the “Full (strict)” encryption mode in Cloudflare, which would be a disadvantage.

Just out of curiosity, do you obtain your wildcard cert by performing the ACME DNS challenge by hand?

Yes, because the auto renew of LetsEncrypt from Plesk does not work, because Cloudflare is on top of it.

I just tried again, I deleted the Origin certificate and also the R3 certificate, I recreated both, the error still occurs, see screenshot.

I would understand the current behavior if any configuration or similar had changed, but that the Cloudflare Cert is simply classified as untrusted from one day to the next, I find strange, especially since on our part definitely no changes were made to the configuration, neither on the server nor in Cloudflare.

Why not? The LetsEncrypt certificate is perfectly compatible with Full (strict) mode.

This will be a problem with the mailserver configuration. Again, I would just delete the Origin certificate.

3 Likes

Oooh silly me…

Totally overlooked the part with “trusted CA or Cloudflare Origin certificate”, your suggestion makes sense then of course!

I’ll change that right away, and report back here how it turns out!

3 Likes

I have just removed the Origin certificate from the server and switched everything to the R3 certificate.
I can report that everything is now working as expected!

Thank you very much for your help @Laudian !

4 Likes

Since you mentioned this earlier, do you maybe know a way to automate this process, since I don't really want the certificate to be dependent on a person that changes it after it expires.

I know LetsEncrypt has a renew feature but how can I make this work with Cloudflare, since I currently need to pause Cloudflare on my site every time I re-issue the cert

The ACME HTTP-01 challenge works by providing a file that you need to make available under http://example.com/.well-known/acme-challenge/<filename>.

LetsEncrypt will then try to download the file. If they find it, that serves as proof that you control that particular (sub)domain and they will issue you a certificate for it.

Cloudflare interferes in that process in many different ways, and you have to basically disable all Cloudflare features for that path. You can do this with a Configuration Rule. I haven’t tried it personally as I use the DNS challenge (certbot with certbot-dns-cloudflare plugin), but that only really works if you have root access to the system or they provide an API to update the certificate.

The Configuration Rule should probably look like this:

Custom filter expression
URI Path starts with /.well-known/acme-challenge/
Then settings are…
Automatic HTTPS Rewrites off
Browser Integrity Check off
Security Level Essentially Off
SSL off

If you use Caching, you also need to make sure that this path is excluded.

That should probably be enough, though I could give it a try tomorrow. But you should then be able to use the built-in LetsEncrypt auto-renewal of your panel.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.