Start by separating edge from origin
A proxied Cloudflare hostname usually has two TLS relationships: visitor to Cloudflare edge, and Cloudflare to your origin. The public browser sees the edge certificate. Cloudflare sees the origin certificate when it connects upstream. Those certificates can fail for different reasons and require different fixes.
| Path | Who validates it | Common failure |
|---|---|---|
| Visitor to Cloudflare edge | Browser, API client, or external monitor. | Edge certificate inactive, expired custom certificate, missing hostname coverage, or DNS record not proxied. |
| Cloudflare to origin | Cloudflare edge connecting to your server. | Origin certificate expired, not trusted by Cloudflare, hostname mismatch, incomplete chain, or Full (strict) validation failure. |
| Direct visitor to origin | Browser or client bypassing Cloudflare. | Cloudflare Origin CA certificate exposed to browsers or origin certificate missing a public trust chain. |
Use the browser error as a clue, not the whole diagnosis
Cloudflare and browsers surface different error names depending on where the failure appears. Use the error to choose the first check, then verify the served certificate and the Cloudflare configuration before changing SSL modes.
| Browser error or symptom | Likely layer | First check | Cloudflare setting to inspect |
|---|---|---|---|
| ERR_SSL_VERSION_OR_CIPHER_MISMATCH | Edge certificate coverage or TLS settings. | Check the public edge certificate and whether the hostname is proxied. | Universal SSL, Advanced Certificate, Custom Certificate, proxy status. |
| Multi-level subdomain fails | Universal SSL coverage. | Confirm whether the hostname is deeper than one subdomain. | Total TLS, Advanced Certificate, Custom Certificate hostname coverage. |
| Error 526 | Origin validation in Full (strict). | Check origin expiry, hostname match, trust chain, and Cloudflare trust. | SSL/TLS mode, origin certificate, Full (strict) validation. |
| NET::ERR_CERT_AUTHORITY_INVALID after unproxying | Origin certificate exposed to browsers. | Check whether the origin uses a Cloudflare Origin CA certificate. | Origin CA certificate use, DNS-only records, direct origin access. |
| Only some regions or requests fail | Edge propagation, DNS, or backend pool drift. | Check DNS/proxy status, certificate activation, and backend pools. | Load balancing, DNS records, certificate activation status. |
Check the public edge certificate first
If users reach a proxied Cloudflare hostname, start with the public certificate they receive. This verifies the edge certificate, SAN coverage, expiry, issuer, and fingerprint. It does not prove the hidden origin certificate is healthy.
HOST=www.example.com
openssl s_client -connect $HOST:443 -servername $HOST -showcerts </dev/null 2>/dev/null | openssl x509 -noout -issuer -subject -dates -ext subjectAltName -fingerprint -sha256- If the public certificate is wrong, check Cloudflare edge certificate status, custom certificate expiry, DNS proxy status, and hostname coverage.
- If the public certificate is valid but Cloudflare shows an origin error, move to origin validation.
- If the hostname is DNS-only, Cloudflare edge certificates do not protect that direct path.
Then check origin validation honestly
Cloudflare Full (strict) expects the origin to present a certificate Cloudflare can validate for the hostname. Do not fix an origin certificate problem by weakening the mode unless it is a deliberate temporary recovery step with a plan to restore strict validation.
- Confirm the origin certificate is not expired and includes the hostname Cloudflare uses.
- Confirm the origin presents the required intermediate chain.
- If you use Cloudflare Origin CA, remember it is intended for Cloudflare-to-origin traffic, not direct browser trust.
- If users can bypass Cloudflare and hit the origin directly, install a publicly trusted certificate or block direct access appropriately.
- After replacing the origin certificate, retest the public hostname and the direct origin path if you are authorized to do so.
Domain Trust Watch monitors public TLS endpoints. For a proxied Cloudflare hostname, that usually means the edge certificate and public result, not a private origin certificate hidden behind Cloudflare.
Watch for hostname coverage traps
Many Cloudflare certificate issues are not renewal failures. They are coverage problems: a DNS record is not proxied, a custom certificate lacks the hostname, Universal SSL does not cover a multi-level subdomain, or the origin certificate SAN list differs from the public hostname.
- Check apex, www, and every production subdomain separately.
- Treat dev.docs.example.com differently from docs.example.com because wildcard and Universal SSL coverage rules can differ.
- Review SAN changes after renewals and custom certificate uploads.
- Keep an inventory of hostnames that are DNS-only, proxied, or split between providers.
Where Domain Trust Watch fits
Domain Trust Watch is useful for Cloudflare-managed public hostnames because it watches what the public hostname serves over time. It can alert on edge certificate expiry, served-certificate changes, hostname mismatch, and public validation failures. It should not be treated as a private origin scanner unless your origin endpoint is public and intentionally monitored.
- Use the free checker to confirm what the public Cloudflare hostname serves right now.
- Monitor important proxied hostnames for expiry windows and certificate changes.
- Use the troubleshooting guide and event detail to separate public TLS failures from Cloudflare origin configuration work.