There are a handful of reasons why SSL may not be working for your site on CloudFlare:

You don't have CloudFlare's proxy enabled for the domain

CloudFlare's SSL support is only for the DNS hostnames going through CloudFlare's proxy. On the CloudFlare DNS Settings page, an orange cloud indicates that the proxy is enabled while a grey cloud indicates that requests to this record will go directly to the origin server. CloudFlare's SSL certificates are only available on orange-clouded records.

Your CloudFlare SSL setting is set to Full SSL or Full SSL Strict, but you don't have a SSL certificate on your server or port 443 is closed

CloudFlare offers three SSL settings - Flexible, Full SSL, and Full SSL Strict. If you don't have a SSL certificate on your server, then you need to choose the Flexible SSL option. Other choices will not work without a SSL certificate on your server and a CloudFlare 521 error will be shown indicating that we cannot connect to the server if these options are used. If you have a self-signed certificate on your server, Full SSL Strict will not work and, if chosen, will result in a 526 error.

You're accessing a subdomain not covered by the CloudFlare-issued SSL certificate

CloudFlare-issued SSL certificates cover the root-level domain (eg- example.com) and one level of subdomains (eg- *.example.com). If you're attempting to access a second level of subdomains (eg- *.*.example.com) through CloudFlare using the CloudFlare-issued certificate, a privacy warning will be seen in the browser as these host names have not been added to the SAN.

The CloudFlare-issued SSL certificate is not yet active for your domain

If you have recently signed up for CloudFlare, the CloudFlare-issued SSL certificate may not yet be issued and active on our network. Please allow up to 15 minutes for this certificate to be issued by one of our partner Certificate Authorities (CA). A privacy warning will be shown in a browser before the certificate is issued.

If more than 15 minutes have passed since activating the domain on CloudFlare and a privacy warning is still seen in a browser, please read over the following possibilities to ensure that our CAs can verify the domain and issue the certificate.

  1. SSL at the Free Level of Service
    If your domain is active at the free level of service and uses Universal SSL, the CA used to verify the domain by querying a CNAME record automatically added by CloudFlare. Please ensure that the domain is pointed to CloudFlare's name servers assigned to the domain at the registrar. This allows the CA to query the record in place.

    If the previous condition is met and the privacy warning is still seen, please contact support.

  2. SSL at a Paid Level of Service
    If your domain is active at one of our paid levels of service (Pro, Business, or Enterprise), the CA used will verify the domain using a <meta> tag. Please ensure that one of the following options is configured so that the domain is able to be verified.

    • Have CloudFlare enabled on the root-level domain or www subdomain. This allows CloudFlare to automatically add the <meta> tag needed for varification. The CA will then be able to verify the domain.

    • Manually add the <meta> tag to the index file of the root-level domain or the www subdomain. This<meta> tag will need to be added immediately after the <head> tag in the HTML for the index. The index must also be accessible over HTTP for the CA to complete verification. You will need to contact support to obtain the unique <meta> tag needed. 

      As a note, if you force a HTTP to HTTPS redirect for your domain, you'll need to temporarily disable this redirect or setup a separate redirect to a unique page for the CA to access over HTTP and verify the domain. Please contact support for further instructions regarding this redirect.

    If one of the above methods is implemented and the certificate still has not yet been issued, please contact support.

  3. Domains activated with a CNAME setup
    Domains activated with a CNAME setup or through a hosting provider may need to complete additional steps in order to verify their CloudFlare-issued SSL certificate if the www subdomain is not yet delegated to CloudFlare. Please contact support if this applies to your domain.