Cloudflare with SSL FAQs

Overview

This article covers how SSL certificates are implemented when your domain uses Cloudflare.

If any of the following limitations are not acceptable to you, then the only option is to disable Cloudflare on the domain.

How long will it take to set up?

When setting up SSL or Secure Hosting, you may need to wait some time for DNS changes to propagate.

  • This can sometimes take up to several hours.
  • Additionally, you may need to wait up to 24 hours for Cloudflare to set up your certificate.

Until the setup completes, you may be unable to connect to your site over HTTPS, or you may receive invalid certificate warnings.

What certificate will visitors to my site see?

Visitors to your site will only ever see the certificate that Cloudflare creates.

The certificate you set up in the DreamHost panel will NOT be visible to your site visitors if the site is using Cloudflare. Cloudflare always uses a "professional" certificate, but you will not have any control over this certificate.

Visitors will see this Cloudflare certificate if they check your site's certificate details (regardless of what kind of certificate you have set up in the DreamHost panel). You can view the site's certificate in your browser (e.g., Chrome or Firefox) by clicking the icon that appears in the URL bar.

How long will it take for the certificate to set up?

It may take up to 24 hours for the certificate to be fully set up.

Until Cloudflare finishes setting up the certificate for your site, you will see SSL warnings when visiting your site using HTTPS. Once the certificate is set up (which should be within 24 hours), the warnings should go away.

What about second-level subdomains and SSL warnings?

Second-level subdomains do not work with the FREE option.

This means that if you try to set up SSL and Cloudflare for www.myblog.example.com, you may see warnings like "Connection Not Encrypted" when visiting the page.

These warnings won't appear on first-level subdomains like myblog.example.com or www.example.com.
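
The reason is that a wildcard entry in a certificate stands for exactly one hostname label. The following is an added example (not DreamHost or Cloudflare code) that applies that matching rule to the hostnames above; the certificate name list is an assumption, constructed to cover the main domain plus one wildcard level.

```python
# Added example: single-label wildcard matching as browsers apply it (RFC 6125).
# ASSUMED_SANS is a constructed sample, not read from a real certificate.
ASSUMED_SANS = ["example.com", "*.example.com"]


def san_matches(hostname: str, pattern: str) -> bool:
    """Return True if one certificate name entry covers the hostname."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        # A wildcard stands for exactly one label, so label counts must agree.
        return False
    if pat[0] == "*":
        # Only a whole left-most label may be a wildcard, and never directly
        # above a top-level domain; the remaining labels must match exactly.
        return len(pat) > 2 and host[0] != "" and host[1:] == pat[1:]
    # Partial wildcards such as "w*.example.com" are rejected outright.
    return "*" not in pattern and host == pat


def covered_by(hostname: str, sans=ASSUMED_SANS):
    """Return the first certificate name that covers hostname, or None."""
    for pattern in sans:
        if san_matches(hostname, pattern):
            return pattern
    return None


if __name__ == "__main__":
    for name in ("example.com", "www.example.com", "myblog.example.com",
                 "www.myblog.example.com"):
        match = covered_by(name)
        print(f"{name:26} -> {match or 'NOT covered: browser shows a warning'}")
```

A second-level name such as www.myblog.example.com would only match an entry like *.myblog.example.com, which the assumed list does not contain.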

Why is my site displaying an SSL cipher error?

If you have a valid Secure Certificate on your website, double-check the SSL/TLS tab in your Cloudflare account and ensure you have Full (Strict) selected. For more information about Cloudflare's SSL settings, review the following article:

What happens if I don't enable Cloudflare on the main domain?

You will receive warnings if Cloudflare is not enabled on the main domain.

If you want SSL to work on any of your subdomains with Cloudflare, you will need to have your main domain also enabled on Cloudflare. This is a limitation imposed by the SSL Certificate provider; without the main domain being on Cloudflare, the certificate will not be valid for the subdomains.

For example, if you want to have SSL enabled on blog.example.com and use Cloudflare, then you must also enable Cloudflare on example.com.

After Cloudflare is enabled on the main domain (example.com) and subdomain (blog.example.com), both will show a valid SSL secure lock.

Can I use Cloudflare’s Universal SSL option?

Yes. All new domains that choose to use Cloudflare's basic plan will have Universal SSL available. Please note that this is NOT recommended since the Universal SSL certificate does not fully protect your site traffic. View Cloudflare's blog post for further details.

It is also now possible to use a TLS/SSL certificate, such as Let's Encrypt, with the basic Cloudflare plan. For further information, please visit Cloudflare’s support page:

Troubleshooting

After enabling SSL and Cloudflare and visiting the HTTPS version of your site, you may notice a 526 Cloudflare error. It will say this:

Website is offline. Error 526. Invalid SSL certificate

This is an issue you must correct within your Cloudflare account.

View the following article:

In that article, scroll down to the section titled SSL options in the Cloudflare panel. Follow those directions to log into your Cloudflare panel. You must then set the SSL option to FLEXIBLE.

After changing this option in Cloudflare, your site should immediately resolve using HTTPS.
