Error messages

To help avoid ERR_SSL_VERSION_OR_CIPHER_MISMATCH errors, Cloudflare automatically shows an error message ("This hostname is not covered by a certificate") on proxied DNS records not covered by a TLS certificate.

Pending domains

If you recently added your domain to Cloudflare - meaning that your zone is in a pending state - you can often ignore this warning.

Once most domains become Active, Cloudflare automatically issues a Universal SSL certificate, which provides SSL/TLS coverage and removes the warning message.

Active domains

If your zone is already active on Cloudflare, this warning identifies subdomains that are not covered by your current SSL/TLS certificate.

By default, Cloudflare Universal SSL certificates only cover your apex domain and one level of subdomain.

Hostname | Covered by Universal certificate?

To prevent insecure connections on a multi-level subdomain, do one of the following:

  • Enable Total TLS, which automatically issues individual certificates to your proxied hostnames not covered by a Universal certificate.
  • Order an Advanced Certificate covering the subdomain.
  • Upload a Custom Certificate covering the subdomain.

If none of these solutions work, you could also remove the multi-level subdomain.
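
The coverage rule described above (apex domain plus one level of subdomain) can be checked ahead of time against a list of proxied hostnames. This is an added example, not Cloudflare's code; it assumes the Universal certificate carries the apex and a single-label wildcard, and the function names and `example.com` hostnames are constructed for illustration.

```python
from __future__ import annotations


def matches(cert_name: str, hostname: str) -> bool:
    """Return True if one certificate name covers hostname.

    A leading "*." stands for exactly one DNS label, so *.example.com
    covers www.example.com but neither a.b.example.com nor example.com.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if cert_name.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == cert_name[2:]
    return cert_name == hostname


def universal_names(apex: str) -> list[str]:
    # Assumption: the Universal certificate lists the apex and one
    # single-label wildcard ("apex domain and one level of subdomain").
    apex = apex.lower().rstrip(".")
    return [apex, "*." + apex]


def uncovered(apex: str, proxied: list[str],
              extra_names: tuple[str, ...] = ()) -> list[str]:
    """Proxied hostnames that no certificate name covers.

    extra_names models names on an Advanced or Custom certificate.
    """
    names = universal_names(apex) + list(extra_names)
    return [h for h in proxied if not any(matches(n, h) for n in names)]


if __name__ == "__main__":
    # Constructed sample zone and proxied DNS records.
    records = ["example.com", "www.example.com",
               "dev.docs.example.com", "api.staging.example.com"]
    # Hostnames that would show the warning with only Universal SSL.
    print(uncovered("example.com", records))
    # Same zone after adding a certificate for *.docs.example.com.
    print(uncovered("example.com", records, ("*.docs.example.com",)))
```

Hostnames returned by `uncovered` are the ones that need Total TLS, an Advanced Certificate, or a Custom Certificate before they can serve TLS without the mismatch error.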