Universal SSL Certificate Expiry


My website is displaying a security message due to the certificate which is expired even though Cloudflare shows it is within date. I have tried a number of solutions including sending a support ticket, which will not be responded to due to me being on the free package.

Please can someone help resolve this issue. My website is theonlinesweetshop.com

Thanks in advance

You don’t appear to be using Cloudflare with that DNS record: DNS Checker - DNS Check Propagation Tool

Did you already open a support ticket and it was closed, or were you unable to open one?

Thanks for your reply…

That’s strange, the tool you sent states the same DNS names as per my account on Cloudflare.

I think the ticket is there but it states: “If you didn’t find your answer in an existing post or the resources listed above, start a new thread (don’t forget to include “Certificate” in the details).”

Can someone please help me with this issue. Support are not being very supportive to this free loader and have said to ask the community for help.

The DNS record for theonlinesweetshop.com is :grey: (unproxied), and goes directly to your Hetzner server.

On the other hand, the DNS record for www.theonlinesweetshop.com is :orange: (proxied), and jumps over the Cloudflare network first. However, www.theonlinesweetshop.com is then redirecting (back) to theonlinesweetshop.com.

Cloudflare (for :orange: records) is currently presenting a certificate that expires on 2024-01-09.

See: crt.sh | 8382745110

Hetzner (for your :grey: records) is currently presenting a certificate that expired on 2023-01-10.

See: crt.sh | 7731893087

The Cloudflare Universal SSL will only work for :orange: (proxied) records, and as such, you literally have the following options:

  1. Renew the certificate you have installed on your Hetzner server, and the issue you have will vanish.

  2. Change the DNS record for the parent domain (theonlinesweetshop.com) to be an :orange: (proxied) record instead, if you wish to take advantage of the Universal SSL from Cloudflare.


You have Cloudflare paused right now (at least on the apex domain), which is fine because it let me view the expired certificate on your origin server. That certificate expired two days ago. Normally the Let’s Encrypt certificate on your origin server should auto-renew at approximately 60 days into its 90 day lifespan. Of the three challenge methods used by Let’s Encrypt, the most common is known as HTTP-01 and it needs to connect to your server over HTTP (not HTTPS).

There are some Cloudflare settings that can disrupt that connection. The site setting for Always Use HTTPS is the one most likely to disrupt the renewal process. You can use a rule to force requests to .well-known/acme-challenge/* to always be sent via HTTP. A subsequent rule can be used to force everything else to use HTTPS.

I don’t know how you obtained the Let’s Encrypt Certificate on your origin site, but you need to either renew it, or if it is easier, you could replace it with a Cloudflare Origin CA certificate which is a special certificate that is trusted only by the Cloudflare proxy. Either of those methods will let you connect both your www and apex names using the Cloudflare proxy :orange: and Full (Strict) SSL.
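A small diagnostic to reproduce what the two replies above did by hand: check which certificate each hostname actually presents (the apex, served by the origin, versus www, served by the Cloudflare edge) and whether a given PEM certificate is still valid for a chosen window. This is an added example, not code from the thread or from Cloudflare; it assumes `openssl` is installed, and the hostnames in the usage comments are taken from the thread.

```shell
#!/bin/sh
# Added diagnostic, not part of the original thread. Requires openssl.

# Print issuer and expiry of the certificate a host presents on :443.
# $1 = address to connect to, $2 = SNI name (defaults to $1). Passing an
# origin IP as $1 and the site name as $2 lets you inspect the origin
# certificate directly, bypassing the proxy, as one reply above did.
cert_summary() {
  host="$1"; sni="${2:-$1}"
  printf '' | openssl s_client -connect "$host:443" -servername "$sni" 2>/dev/null \
    | openssl x509 -noout -issuer -enddate
}

# Return 0 if the PEM certificate in file $1 is still valid for at least
# $2 more seconds (default 0, i.e. not expired right now), 1 otherwise.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Save the certificate a host presents so it can be checked with cert_valid_for.
# $1 = address, $2 = SNI name (defaults to $1), $3 = output file.
save_cert() {
  host="$1"; sni="${2:-$1}"; out="$3"
  printf '' | openssl s_client -connect "$host:443" -servername "$sni" 2>/dev/null \
    | openssl x509 -outform PEM > "$out"
}

# Usage (online), comparing apex and www as discussed in the thread:
#   cert_summary theonlinesweetshop.com
#   cert_summary www.theonlinesweetshop.com
#   save_cert theonlinesweetshop.com "" /tmp/apex.pem
#   cert_valid_for /tmp/apex.pem 2592000 || echo "apex cert expires within 30 days"
```

Because Let’s Encrypt certificates are meant to renew at roughly 60 of their 90 days, a 30-day check (2592000 seconds) failing on the origin is an early sign that automatic renewal has stopped working.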