Cloudflare Docs
Visit SSL/TLS on GitHub
Set theme to dark (⇧+D)

Error messages

To help avoid ERR_SSL_VERSION_OR_CIPHER_MISMATCH errors, Cloudflare automatically shows an error message - This hostname is not covered by a certificate - on proxied DNS records not covered by a TLS certificate.

​​ Pending domains

If you recently added your domain to Cloudflare - meaning that your zone is in a pending state - you can often ignore this warning.

Once most domains becomes Active, Cloudflare will automatically issue a Universal SSL certificate, which will provide SSL/TLS coverage and remove the warning message.

​​ Active domains

If your zone is already active on Cloudflare, this warning identifies subdomains that are not covered by your current SSL/TLS certificate.

By default, Cloudflare Universal SSL certificates only cover your apex domain and one level of subdomain.

Hostname Covered by Universal certificate? Yes Yes Yes No No

To prevent insecure connections on a multi-level subdomain, do one of the following:

  • Enable Total TLS, which automatically issues individual certificates to your proxied hostnames not covered by a Universal certificate.
  • Order an Advanced Certificate covering the subdomain.
  • Upload a Custom Certificate covering the subdomain.

If none of these solutions work, you could also remove the multi-level subdomain.