Consider the following common issues and troubleshooting steps when using Cloudflare origin CA.

Cause

Site visitors may see untrusted certificate errors if you pause Cloudflare or disable proxying on subdomains that use Cloudflare origin CA certificates. These certificates only encrypt traffic between Cloudflare and your origin server, not traffic from client browsers to your origin.

This also means that SSL Labs or similar SSL validators are expected to flag the certificate as invalid.

Solutions

Make sure the proxy status of your DNS records and any page rules (if existing) are set up correctly. If so, you can try to turn proxying off and then on again and wait a few minutes.

If you must have direct connections between clients and your origin server, consider installing a publicly trusted certificate at your origin instead. This process is done outside of Cloudflare, where you should issue the certificate directly from a certificate authority (CA) of your choice. You can still use Full (strict) encryption mode, as long as the CA is listed on the Cloudflare trust store ↗ .

The issuer of this certificate could not be found

Cause

Some origin web servers require that you upload the Cloudflare origin CA root certificate or certificate chain.

Solution

Use the following links to download either an ECC or an RSA version and upload to your origin web server:

The certificate is not trusted in all web browsers

Cause

Apache cPanel requires that you upload the Cloudflare origin CA root certificate or certificate chain.

Solution

Use the following link to download an RSA version of the root certificate and upload it to your origin web server: