Cloudflare Docs
SSL/TLS
SSL/TLS
Edit this page on GitHub
Set theme to dark (⇧+D)

Error messages

To help avoid ERR_SSL_VERSION_OR_CIPHER_MISMATCH errors, Cloudflare automatically shows an error message - This hostname is not covered by a certificate - on proxied DNS records not covered by a TLS certificate.

​​ Pending domains

If you recently added your domain to Cloudflare - meaning that your zone is in a pending state - you can often ignore this warning.

Once most domains becomes Active, Cloudflare will automatically issue a Universal SSL certificate, which will provide SSL/TLS coverage and remove the warning message.

​​ Active domains

If your zone is already active on Cloudflare, this warning identifies subdomains that are not covered by your current SSL/TLS certificate.

By default, Cloudflare Universal SSL certificates only cover your apex domain and one level of subdomain.

HostnameCovered by Universal certificate?
example.comYes
www.example.comYes
docs.example.comYes
dev.docs.example.comNo
test.dev.api.example.comNo

To prevent insecure connections on a multi-level subdomain, do one of the following:

  • Enable Total TLS, which automatically issues individual certificates to your proxied hostnames not covered by a Universal certificate.
  • Order an Advanced Certificate covering the subdomain.
  • Upload a Custom Certificate covering the subdomain.

If none of these solutions work, you could also remove the multi-level subdomain.