Universal SSL on Free Account expired

And that is the message that I don’t understand; after all, is this free or not free?

So I suppose there will be no solution for this situation then?

It feels like there is a bug; for some reason some certificates are just getting boggled when renewing (as I see other people apparently with the same problem…), and Cloudflare is not very interested in giving support to non-paying users.

Then it looks like the only solution is to delete the website and recreate it again?

Does anyone know how long I would need to wait until the whole configuration is cleaned from Cloudflare servers so I can create it all over again without conflicts? Because right now, even with the whole SSL configuration undone / disabled, Cloudflare is still enforcing a broken SSL configuration, which is pretty much bananas.

Any advice?

I’ve added this issue to the community escalation queue for a support engineer to review. I have checked several common issues and can’t see why this isn’t working for you.

If you want to try something else, you could force the CA to Let’s Encrypt in case it’s just an issue with Digicert.

It can be done like this:

Hi @domjh, could you elaborate a bit more on this solution?

What does that entail? Will this only change the certificate on the Cloudflare side, and Cloudflare supposedly will try to emit another cert, or will I need to emit a Let’s Encrypt cert and change my whole config including the CA on Cloudflare?

I’m not sure what this means… for me it sounds the same as disabling the whole Cloudflare SSL system and using LE on my own on the server.

Cloudflare uses several different CAs to issue Edge Certificates; this forces them to try and issue one with a specific CA in case one is failing for some reason. It shouldn’t be required, but we have seen it work several times before here. If it’s currently trying to issue a Digicert certificate, for example, and that fails, then you can make it try a Let’s Encrypt one.

This doesn’t require you to change any certificate on your server; the one there can be from any CA. It’s also not the same as pausing Cloudflare and using your server certificate. The certificate will still be served from Cloudflare’s edge; it would just be a cert from a different CA.

Ok, I’ve tried and there are absolutely no changes.

The expired certificate is still stuck in “error state”.

I will wait until the end of this week, if no solutions come from Cloudflare I will delete the website completely and try again.

And I will start to think about removing this functionality from all of my sites, because this has been no fun… I have been offline for almost 3 weeks now… and there is nothing I can do on the Cloudflare side, so better not to depend on them.

Hello! I am having the same issue as you. I found this topic in the forum that explains what can be happening:

User ceo2 says that this is what Cloudflare support told him:

"The certificate did not renew because previously the certificate CA was Digicert;
however, Cloudflare is migrating out from Digicert, hence the cert did not renew.

Apologies for the inconvenience caused, you should not be seeing the same issue again for the same domain."

This user has a paid account so he could send a ticket, but we cannot. I am going to create a new topic in the forum to try to get the Cloudflare support team to fix my certificate too. Good luck!

Hi,

Since you are under a free account, let me suggest that you create a ticket under “billing” and explain the issues you are experiencing.

You will get a generic reply message from their bot.

Reply to the bot message and write: I need further assistance.

Wait at least 10 hours and let us know if tech support contacted you back.

It’s giving an “or” option. Maybe you can get a free universal SSL through Let’s Encrypt using certbot. You can get them for free. Does Cloudflare have email support on the free accounts, or is it all community support?

Here’s a tutorial that shows you how to use Let’s Encrypt to get a universal SSL using a DNS challenge. If you’re not self-hosting, it might be even easier because you could just use port 80, but this should work to get you a valid certificate you can provide to Cloudflare to secure your site.

Hi @ceo2, I looked into the billing page, and I could not find a place where I can send anything to Support; there is no link to create tickets or anything like that.

If you see something that I don’t, would you be so kind to provide a screenshot to show where this is possible?

This issue is being looked at as we speak, there’s no need to create a ticket to a different team. That will just slow the support process for everyone.

Hi @domjh, so now, a couple of days after I changed the CA, the problem still persists and the expired certificate is still stuck.

Right now I just tried to delete the domain from Cloudflare, and after a couple of minutes I added it again, and then, surprise surprise… the certificate is still there, stuck in error.

Hence my question again: do we know how long it takes for Cloudflare to clean up these configurations? Is it 24 hours? 48 hours?

You said earlier that you have added this problem to the “community escalation” so someone can review… is there any feedback on that?

I’m kinda running out of options here.

I already realise that if I add Let’s Encrypt on the website side and let Cloudflare forward the HTTPS connection, it will also not work, because the SSL configuration on the Cloudflare side is broken and enforcing things that I cannot disable.

So there are only two solutions possible, as I see it now…

  1. disable all the proxy from Cloudflare and send it directly to the website in HTTPS (which is almost the same as not using Cloudflare)
  2. remove the website completely from Cloudflare including Nameservers

The part I am afraid of is that this will repeat itself on other websites that have more complex configurations; this one is very simple so I can do without Cloudflare, but others would be a major loss.

This has been a real eye opener so far :confused:

Nah, you replied while I was writing…

Right! let’s wait.

Hello @spectroman , Chris.C from Cloudflare TSE here.

Please can you create a ticket and reference it here; it will allow me further access into your account. (I have also, in the interim, applied the CA change over to Let’s Encrypt; however, I am seeing it only partially populate and suspect it may be because you currently have Universal certs disabled? If you can also verify this in the interim, i.e. enable it if not enabled, then recreate the DNS to see if it populates a new LE cert.)

Standing by. (awaiting your ticket ref)

Hi Chris,

After so many tries of different ideas the SSL was indeed disabled.

Now that I’ve enabled it, I can see there was a change on the certificate, and after a few moments, after the DNS TXT challenge was created, the new certificate was emitted and the problem was solved.

The Website is available again with HTTPS.

Now, if we see this again, how will we be able to solve it without a Cloudflare engineer intervention?

Thanks for getting back so quickly and confirming the matter is now resolved.

In short, this shouldn’t happen again as you are now using the Let’s Encrypt CA (on TXT validation, and Cloudflare will auto-renew on proxied DNS going forward).

As for why this issue surfaced:

There was a combination of factors regarding Digicert having recently changed DCV policy (like many other CA providers), whereby the DCV HTTP method can no longer be used for wildcard certs (since Oct 2021; see Changes to HTTP DCV · Cloudflare SSL/TLS docs; although indeed this was seen as only applicable to Adv or SaaS services, so why proxied Universals?). Also, we are in the process of deprecating Digicert from our CA providers list.

So as Digicert certs last for a year before requiring renewal, you appear to have had your last successful renewal still using the DCV HTTP method, as it got in before the policy change.

I am in the process of gathering together the details of communications & reference articles which would’ve/should’ve been sent out to affected customers on how this was going to be managed. (i.e. API Patch to change DCV method etc)

As for why/how such API patches to change the DCV method and/or CA provider did not succeed on your own attempts, that is another matter at this stage to be reviewed. (I can work with you further on a ticket on your account on this point if you wish to follow up.)


Humm, I see the documentation provided and it does not explain the problem on “Universal SSL”. I can see how this could have easily fallen through a crack and gone unnoticed in regular operation… maybe the systems hit something unexpected due to the type of CA…

Nonetheless it is possible to see that other people are hitting a similar (if not the same) problem.

It seems that, in order to avoid similar situations, it is a better idea to change the CA certificate to Let’s Encrypt before the expiration time of the old CA certificate, to avoid any confusion like we’ve seen here.

As I cannot open a ticket on my account, I guess I will just go ahead and change the CA on all the other websites I have, and if you want to have access to my account you can probably see my email and send me information on how we can proceed with an investigation if you wish.

Thank you for the resolution there, but I hope there is an easy way out for other people who may be facing the same problem, without the need for an engineer to get involved.
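A check in the spirit of the advice above (switch the CA before the old certificate expires), as an added example that is not code from this thread or from Cloudflare: it reads the certificate served at the edge for a host and flags it when it is close to expiry or still DigiCert-issued. `fetch_peer_cert` needs network access; `check_cert` works on the dict that Python's `ssl` getpeercert() returns, and the sample certificate dict is constructed, not a real one.

```python
# Added example: warn before an edge certificate expires, and flag DigiCert issuance.
import socket
import ssl
import time

EXPIRY_WARN_DAYS = 14  # assumption: warn two weeks out, tune to taste


def fetch_peer_cert(host, port=443):
    """Return the validated leaf certificate served for host, in getpeercert() format."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_org(cert):
    """Pull organizationName out of getpeercert()'s nested issuer tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def check_cert(cert, now=None, warn_days=EXPIRY_WARN_DAYS):
    """Return a list of findings (empty means nothing to act on); now is epoch seconds."""
    now = time.time() if now is None else now
    findings = []
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago")
    elif days_left <= warn_days:
        findings.append(f"certificate expires in {days_left} days")
    org = issuer_org(cert)
    if "digicert" in org.lower():
        findings.append(f"issued by {org}: switch the zone's CA to Let's Encrypt before renewal")
    return findings


# Constructed sample in getpeercert() format (not a real certificate).
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "DigiCert Inc"),),
               (("commonName", "DigiCert TLS RSA SHA256 2020 CA1"),)),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2024 GMT",
}

if __name__ == "__main__":
    import sys
    cert = fetch_peer_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    for finding in check_cert(cert):
        print("WARN:", finding)
```

Run it with a hostname to check a live site, or with no argument to see the findings for the constructed sample.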

You don’t need to log into the dashboard to create a ticket; you can send an email to [email protected] (as long as it’s from your account’s email address).

Granted you may receive an auto-response initially, but I can attach onto the email and reply directly to you if needed.

And indeed, overall all cases on the community are being identified and the necessary internal escalation to our team will be raised accordingly.

Thank you for persisting with your reported matter.

