I have a full DNS domain on Cloudflare where the Universal SSL Edge Certificate is in a state of “Expired (Error)” Looking at the certificate on the Cloudflare Dashboard this certificate actually expired on 2021-08-09. This error is making my site unavailable for visitors because I am using the “Full (Strict)” SSL setting.

How do I get this certificate to renew?

Here is what I have tried so far:

1. Disable Universal SSL, wait 3 hours, re-enable Universal SSL, wait 36 hours - which did not work
2. Change my hosts from “orange clouded” to “grey clouded” - waited 12 hours - then turned them back to “orange clouded” - which did not work
3. Pause Cloudflare on this site - wait 24 hours - re-enable Cloudflare - which did not work

Is there anything else I can try which would help Cloudflare re-issue the necessary Edge certificate.

I should also mention that I have recently changed this domain from a “partner hosted” Cloudflare domain to a full DNS provisioned Cloudflare domain. I am not sure if that has left any settings in a state that prevent the Universal SSL from working properly. Universal SSL did work when this domain was hosted at a partner, which is why I didn’t notice the SSL error until now.

Thank you for any assistance you can provide.

  --David

You have not stated the domain which makes diagnosing this difficult. Can you share the domain, and also tell us what two nameservers are listed in the DNS tab of the dashboard?

The Edge certificate has no relationship with the SSL mode, Strict or otherwise.

Did the previous Partner deprovision your domain, or did you just change the nameservers?

My apologies - I thought I had included all of the relevant information.

My domain name is visideas.com. It was originally hosted by Hostinger. I had contacted them to ask them to disable Cloudflare and I was told my request was complete. Then I came to my Cloudflare account and deleted the zone entirely. I assumed that the zone was still here because I had some custom firewall rules which I created directly on Cloudflare. Then I added visideas.com back to Cloudflare and changed the nameservers.

I can check again with Hostinger to see if they did not actually complete the de-provisioning if you think that would help.

I have checked with the original hosting company and they confirm that they have removed visideas.com from their integration with Cloudflare. At their suggestion, I have disabled Universal SSL again - waited 30 minutes - and then re-enabled Universal SSL. The certificate provisioning is still in “Expired (error)” state.

The 2 nameservers that I use are fred.ns.cloudflare.com and mary.ns.cloudflare.com

Please close and ignore this question - I am going to try reverting back to my original nameservers, removing the domain from Cloudflare, waiting several days and trying again in the hopes that this clears things up.

Removing the domain Visideas.com from Cloudflare, waiting 36 hours and re-adding the domain did not seem to correct the issue. I am still looking at an Edge Certificate with a status of “Expired (Error)”

My DNS servers are fred.ns.cloudflare.com and mary.ns.cloudflare.com

Is there any way to determine what the error is?

@MoreHelp It has now been 9 days since my last attempt to fix this “Expired (Error)” state in the Edge certificate for visideas.com (on name servers fred.ns.cloudflare.com and mary.ns.cloudflare.com. Is there any way to get this old certificate removed and a new valid Universal SSL certificate created?

Hi there,

Could you create a ticket and share the ticket number with me? I think this would require more investigation on our end.

Best,
Tom

@TKlein Thank you very much for responding. I have opened ticket # 2408048 regarding this issue.

I think the ticket I opened was automatically closed because it did not fall into the account or billing area. Since I am using the free Cloudflare plan for this domain, I am not sure that I am allowed to open tickets. If you let me know the proper process for getting this ticket routed to you, I will gladly do whatever I need to do to help get this resolved.

Hi,

Thanks for your patience here and our apologies for the delay.

As a workaround we changed the CA and now the certificate is Active.

We apologize for the inconvenience.

One more thing, if the expired certificate is not removed, please disable universal SSL, wait a few minutes, enable it again.

If you see issues with the certificate, try changing your SSL setting from Full(strict) to Full

Thank you for taking a look at this. Fortunately this is more of a test domain for me rather one that is mission critical. If there are issues here that require further debugging, I would be happy to help, if there is other diagnostic information that you need to help improve your functions.

Thank you for providing a wonderful service.

You are welcome.
Good to hear that this is not critical.
Sometimes for unknown reasons certificates do not activate and we have to try to find workarounds as the one we tried.
If you ever experience this issue again, please try disabling/enabling universal SSL and if that does not work please raise this issue and we will investigate.