Problem with Full SSL and Origin Certificate


I have migrated my site to Cloudflare (free) and I’m using Full SSL with a Cloudflare generated origin certificate which I installed on my hosting (Namecheap).

However, when I use OpenDNS, my browser shows a warning saying that the certificate in the chain has expired and it shows “expired 2019”.

If I switch to Google's DNS the site loads just fine.
Anyone know why OpenDNS complains that the certificate has expired?

When I open it, it shows that it expires in 2036, so it should be fine.
I generated the certificate under SSL/Origin Server.

Thanks in advance

You are probably still using the previous root certificate. Update that with the current one from Managing Cloudflare Origin CA certificates – Cloudflare Help Center.

Thanks for the swift reply.
I forgot to mention that I already installed that certificate on my hosting.
I should also mention that my site passes all the SSL checks when I run it through DigiCert's, SSL Shopper's, GoDaddy's, etc. check tools.

You could still have an outdated certificate :wink:

What’s the domain?

It’s exactly what I mentioned in the first posting, you still have the old root certificate and need to replace that.

Ok thanks. I guess there’s some other way to install the root certificate on Namecheap that I’m not aware of. Thanks for your help

Check where you configured your certificate. There you'll most likely also have the previous root certificate; replace that with the new one and you should be fine.

I’ll ask Namecheap support. I can’t see the old root certificate anywhere and I haven’t installed it.
Can I just ask you how you found this out? Is there a site I can use to generate some kind of error that I can use when I contact support?

Thank you for your help

You can pause Cloudflare (bottom right on the Overview screen). You’ll get an SSL warning in that case (because of the Origin certificate) but you’ll also get the expired root certificate.

My guess would be that’s configured together with your actual Origin certificate somewhere in your SSL configuration on your host’s side.

Straight from your server

Generally speaking, the expired certificate shouldn’t be too much of an issue as the proxies do not check the whole chain anyhow and your Origin certificate is valid anyhow.

But, of course, if you want to fix that warning you might still want to update the root certificate.

I updated the CA certificate now but now it says Not trusted (with OpenDNS). Oh well, I’ll keep digging :blush: Will post if I find a solution.

There’s nothing else to do. You updated the certificate as I suggested and now have a valid certificate chain.

Thank you for checking.
I still get an error when using OpenDNS, but I guess the problem is on my end then.

Anyway, it seems to be working when using other DNS-servers, so I will let this be now :blush:

Thanks again

I am not quite sure what error you’d get but you shouldn’t get the Origin certificate in the first place, as that’s something only the proxies will deal with (as I mentioned earlier) but that would be a different issue from the original one.
