Troubleshooting SSL/TLS issues

This tutorial post covers the steps you should take if you have enabled Cloudflare, but HTTPS is not working on the site.

If your main domain is secure, but a subdomain is not, please see SSL/TLS not working on subdomain.

1. Check that the DNS record is set to orange cloud (proxied)
In the DNS app in your Cloudflare dashboard, check that the DNS record for your domain is set to orange cloud (proxied), not grey cloud (DNS only). If it is grey cloud, Cloudflare is disabled on the site and none of the SSL settings will take effect.

2. Check that HTTPS doesn’t work
If you manually enter https://(www.)domain.com, does it load with the Cloudflare certificate? If so, you are probably not forcing HTTPS. Enable ‘Always use HTTPS’ under SSL/TLS > Edge Certificates in your Cloudflare dashboard.

3. Do you see a certificate from your server?
If you see a certificate from your server rather than from Cloudflare, you may be bypassing Cloudflare and connecting straight to the server. You can also check for Cloudflare headers in developer tools. If you are not going through Cloudflare, this may be a local caching issue. You could also test your site on a different device and/or network. There is a specific tutorial on Verifying propagation and caching issues when troubleshooting.

4. Is it a mixed content issue?
If the site loads with HTTPS, but you see a yellow triangle / red shield / ‘not fully secure’ message, there is mixed content on the site. This is where the main domain is being loaded over HTTPS, but some resources are loading over HTTP. You can read more about mixed content in this Community Tutorial and you can find information to help you fix it in this Community Tip.

5. Has your Cloudflare certificate been provisioned?
If you see the errors ERR_SSL_VERSION_OR_CIPHER_MISMATCH or SSL_ERROR_NO_CYPHER_OVERLAP in Chrome and Firefox respectively, it may mean that your Cloudflare certificate has not yet been provisioned.
If you go to SSL/TLS > Edge Certificates in your Cloudflare dashboard, you may see the certificate shown as ‘Pending Validation’ rather than ‘Active’.

It can take up to 24 hours for the free Universal SSL certificate to provision. If it has been longer than that, try disabling and re-enabling Universal SSL to restart the process. More info and further steps to take are in Community Tip - Fixing ERR SSL VERSION OR CIPHER MISMATCH in Google Chrome and Community Tip - Best Practices For Certificate Provisioning.


If you still need further help, please post the outcomes of these steps and your domain, and the community can try to help.


Tutorial Reference: CT-09

Reviewed: 04/20

This is a Community Tutorial. Most are wiki posts, so they can be contributed to by Regulars and MVPs here. If there is a tutorial you would like to see, you can request one here.

If you would like to provide any feedback on this tutorial, please post in the #Meta category, tag your post #TutorialFeedback and let us know the Tutorial Reference above.

Other great resources on this community include the Community Tips. These address best practices when configuring Cloudflare, how to fix issues you may see, and tools to troubleshoot. You can also view Expert Tips, great posts on the community from people in the know that may help you with your issue.

We encourage users to check out these great resources and the Cloudflare Support Centre before posting.


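Steps 3 and 4 above can be checked from saved response headers and page HTML. The following is an added example, not part of the original tutorial: the function names and sample data are constructed for illustration, and the scan covers only tag attributes (not CSS `url()` or `srcset`).

```python
from html.parser import HTMLParser

# Tags whose URL attribute triggers a subresource fetch (step 4).
# <a href> is navigation, not a subresource, so it is deliberately excluded.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                     "audio": "src", "video": "src", "source": "src",
                     "embed": "src", "link": "href"}


def via_cloudflare(headers):
    """Step 3: True if the response headers show the request was proxied."""
    h = {k.lower(): v for k, v in headers.items()}
    return "cf-ray" in h or h.get("server", "").lower() == "cloudflare"


class _MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        # Only <link> elements that load a stylesheet count, not rel=canonical.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        url = (attrs.get(attr) or "").strip()
        if url.lower().startswith("http://"):
            self.hits.append((tag, url))


def find_mixed_content(html):
    """Step 4: list (tag, url) pairs for subresources loaded over plain HTTP."""
    finder = _MixedContentFinder()
    finder.feed(html)
    return finder.hits


# Constructed sample input, not captured from a real site.
SAMPLE_HEADERS = {"Server": "cloudflare", "CF-RAY": "0000000000000000-LHR"}
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://example.com/style.css">
<link rel="canonical" href="http://example.com/">
<script src="https://example.com/app.js"></script></head>
<body><a href="http://example.com/about">About</a>
<img src="http://example.com/logo.png"></body></html>"""
```

If `via_cloudflare` returns False for headers copied from developer tools, the request reached the origin directly, which matches the situation described in step 3.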