With Advanced Certificates, my www subdomain reports back the advanced certificate, but my root domain reports back a different one

Some background for my issue: I’m working to disable weak cipher suites and to disable TLS 1.0 and TLS 1.2 for compliance reasons.

I’m using sslscan (also verified the same behavior using nmap with ssl-enum-ciphers) to test my setup. When I hit the www version of our site with sslscan, it comes back exactly as expected (i.e. TLS 1.2 and TLS 1.3 are enabled, only five ciphers); however, when I hit the root domain of our site with sslscan, it comes back with TLSv1.0 through TLSv1.3 enabled and far more ciphers enabled.

The advanced cert is configured with hostnames of both the www of our domain name as well as the root one (e.g. www.example.com and example.com).

Some other notes, the www scan reports back the correct Advanced Certificate cert (verified by checking the expiration date); however, the root domain check reports back a GTS CA cert (which I believe is the backup certificate?). I can’t verify that as I’m not seeing the backup certificate anywhere in my setup.

The steps I’ve taken thus far are:

  • Set up Advanced Certificates (so that I can disable weak ciphers)
  • Set Minimum TLS version to 1.2
  • Used the API to set the allowed ciphers (based on steps at https://developers.cloudflare.com/ssl/edge-certificates/disable-weak-cipher-suites/#setup) (at the zone level)

When I make an API call to Cloudflare to get the ciphers, this is the list comes back:


I’m not having much luck narrowing down why my configuration isn’t applying to the root domain. Any help would be appreciated!

What is the domain?


Is your main domain maybe activate in another Cloudflare account via a custom hostname?

As you can see in the following documentation, a Custom Hostname Certificate (Cloudflare for SaaS) would take precedence over Universal and Advanced Certificates.

I had looked into the priority for the certificates, so that’s a good thought, but we’re only on the Basic plan overall along with the Advanced Certificate plan, so no additional Cloudflare for SaaS service.