This site can’t provide a secure connection - site has been working for years

What is the name of the domain?

shirleysrun.org

What is the error number?

No error number

What is the issue you’re encountering

Site won’t work

What steps have you taken to resolve the issue?

I have several web sites, all set up through Cloudflare (free) several years ago, that are now giving this error. I don’t monitor these regularly so not sure how long this has been going on. Cloudflare for this site shows this:

SSL/TLS encryption
Current encryption mode: Full
The encryption mode was last changed 6 years ago.
Automatic mode enabled a month ago.
Next automatic scan on: 01/20.

On one of the other sites that showed the same, I changed the SSL from Full to Flex to OFF and then set to Automatic. I also tried pausing Cloudflare and turning on Developer Mode. None of these had any effect.

The sites are all on a Windows VPS under IIS. I have recycled the app pools, turned the sites on/off - no effect.

Sites are all registered with cloudflare and DNS is set up on cloudflare.

Would anyone have any suggestions on what might be the issue or what else I can try?

Thanks

Might be your SSL certificate isn’t valid anymore, therefore you’d need to double-check and renew it.

Might be the connection between Cloudflare and your server detected some issue such as the SSL certificate at your origin host/server for your domain expired, therefore Cloudflare tries to establish a connection over HTTPS and port 443, but cannot.

Before moving to Cloudflare, was your Website working over HTTPS connection?

Best way is to temporarily Pause Cloudflare for your site. Wait a few minutes. Double-check the origin SSL certificate. Renew it. After the Website works okay over HTTPS, un-pause and all good.

Steps for troubleshooting:

  1. Use the “Pause Cloudflare on Site” option from the Overview tab for your domain at dash.cloudflare.com.
  2. The link is in the lower right corner of that page.
  3. Give it five minutes to take effect, then make sure the site is working as expected with HTTPS without any error.
  4. Check with your hosting provider / Plesk panel / cPanel AutoSSL / Let’s Encrypt / ACME / Certbot and manually click to renew it.
  5. Only then, when your website responds over HTTPS, you should un-pause Cloudflare and double-check your SSL/TLS setting to make sure it’s set to Full (Strict).
1 Like

The site is now visible but is not secure. Here’s what I did so far:

1 - the origin SSL cert had expired on Cloudflare so I created a new one. This is showing up on my server end under certs and also on Cloudflare. I am assuming this is working.

2 - the edge cert on Cloudflare shows as ‘pending-validation’. I looked this up and found a suggestion to disable Universal SSL then re-enable it to force validation. I did this about 40 hours ago but it still shows as ‘pending’.

3 - IIS has a switch to force SSL. The site won’t work with this on. With it turned off the site shows but says it is not secure.

So I’m guessing that the origin certificate is working and the problem is due to the edge cert but I’m not really sure. I have a couple of sites all having the same problem and all show the edge certificate as ‘pending validation’.

Any thoughts?
Kevin
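
A certificate appearing in the server's certificate store does not by itself show that the IIS site is serving it. The following is an added example, not part of the thread: it lists each HTTPS binding in IIS, resolves the certificate that binding actually points at, and reports whether it is missing, expired, or does not cover the binding's host name. It assumes the WebAdministration module that ships with IIS and an elevated PowerShell session on the server.

```powershell
# Added example: run in an elevated PowerShell session on the IIS server.
Import-Module WebAdministration

# True when one of the certificate's DNS names covers the host name.
function Test-NameCovered([string[]]$Names, [string]$HostName) {
    foreach ($n in $Names) {
        if ($n -eq $HostName) { return $true }
        # A wildcard entry covers exactly one extra left-most label.
        if ($n.StartsWith('*.') -and $HostName.Split('.', 2)[1] -eq $n.Substring(2)) {
            return $true
        }
    }
    return $false
}

$now = Get-Date
foreach ($site in Get-Website) {
    foreach ($b in $site.bindings.Collection | Where-Object { $_.protocol -eq 'https' }) {
        $hostName = ($b.bindingInformation -split ':')[-1]   # format is "IP:port:host"
        $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }

        # Resolve the thumbprint stored in the binding to a certificate object.
        $cert = $null
        if ($b.certificateHash) {
            $cert = Get-Item "Cert:\LocalMachine\$store\$($b.certificateHash)" -ErrorAction SilentlyContinue
        }

        $status = if (-not $cert) {
            'NO CERTIFICATE FOUND FOR BINDING'
        } elseif ($cert.NotAfter -lt $now) {
            'EXPIRED'
        } elseif ($cert.NotBefore -gt $now) {
            'NOT YET VALID'
        } elseif ($hostName -and -not (Test-NameCovered $cert.DnsNameList.Unicode $hostName)) {
            'NAME MISMATCH'
        } else {
            'OK'
        }

        [pscustomobject]@{
            Site       = $site.Name
            Binding    = $b.bindingInformation
            Thumbprint = $b.certificateHash
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Status     = $status
        }
    }
}
```

A certificate issued by Cloudflare Origin CA is trusted by Cloudflare's edge but not by browsers, so a direct browser visit while Cloudflare is paused shows a certificate warning even when this check reports OK.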

Thank you for feedback.

May I ask how long this has been ongoing?

Well, this is a bit strange then.

Can you try following the suggestion below?

  1. Make sure you’re using correct domain nameservers for Cloudflare
  2. Make sure DNS records are proxied (orange cloud)
  3. Navigate to the bottom of the SSL tab/page settings at Cloudflare dashboard
  4. Click on the button “Disable Universal SSL” and wait for five minutes
  5. Click the same button again to Enable Universal SSL
  6. This method usually resets the process of generating the Universal SSL certificate

Here are some suggestions:

Was it Cloudflare Origin CA certificate?

See my step-by-step instructions on how I did it to make sure my IIS works over HTTPS (443) using a Cloudflare Origin CA certificate with Full (Strict) SSL.
Universal SSL certificate is “active” on the domain and DNS records are proxied (orange cloud).

Thanks Fritex,
DNS looks good - proxied - this hasn’t been touched in years

I earlier created a new origin certificate which shows in my IIS under certs. I think this means it is valid.

The edge certificate has showed ‘pending-validation’ for 44+ hours so I disabled Universal SSL for 10 minutes then turned it back on. Still shows ‘pending validation’.

This page (Fix VERSION_OR_CIPHER_MISMATCH · Cloudflare SSL/TLS docs) says that it can take 24 hours for this to validate. This page also suggested:

toggle DNS proxy off for 1 minute then back on - did this
toggle universal ssl again (waited another 10 minutes)
2 other things that I did not do (not sure how to)

Edge cert still says ‘pending’

This page also says to pause Cloudflare if you want your site to work while this is still ‘pending’ so that’s what I’ve done.

So I am assuming that the edge certificate is my problem - not sure what to do other than wait.

Thank you for feedback and answers.

May I ask if you’ve got DNSSEC enabled at Cloudflare?
Before moving to Cloudflare, was it active and enabled from your ex hosting provider?
Could you please check the DNSSEC option at the Cloudflare dashboard and also at your domain registrar for any clue of any DS record there?
If there is one which doesn’t look like and doesn’t have the value from Cloudflare DNSSEC, please remove it. Disable DNSSEC at Cloudflare as well.
Then we wait, and re-try again to fix the “pending validation” SSL issue.

1 Like

The domain is registered at cloudflare. DNS records below:

Thank you for feedback.

And the Development Mode is disabled and Cloudflare isn’t Paused, correct?

The shirleysrun.org gives different content than www.shirleysrun.org.