Have you ever tried to secure your website with Cloudflare, only to be stopped by the message “This hostname is not covered by a certificate”? It can be confusing—and concerning—when your site’s security comes into question.
Understanding this issue is crucial since proper SSL coverage keeps your visitors safe and your site trustworthy.
In this article, we’ll demystify the “hostname not covered” warning, explain why it happens, and guide you through simple steps to solve it, ensuring your website stays protected.
What Does “This Hostname Is Not Covered by a Certificate” Mean in Cloudflare?
When managing websites through Cloudflare, you may get an error message saying, “This hostname is not covered by a certificate.” This message might appear when you try to access your site over HTTPS, update DNS records, or troubleshoot SSL/TLS issues. Understanding what this error means and how to fix it is crucial for website security and accessibility.
The Main Explanation
A secure connection (HTTPS) relies on an SSL/TLS certificate that matches your website’s domain, also known as a “hostname” (like www.example.com or blog.example.com). When Cloudflare tells you a hostname isn’t covered by a certificate, it means there’s no valid SSL/TLS certificate applied for that specific domain, subdomain, or DNS record. As a result, browsers may block users from visiting your site securely, which can hurt trust and functionality.
Let’s break down why this might happen and how you can fix it.
Why Does This Error Occur?
There are several common reasons why you might see the “this hostname is not covered by a certificate” error in your Cloudflare-managed site:
- A new subdomain or domain was added, but not included in Cloudflare’s SSL certificate coverage
- DNS records are set to ‘DNS only’ instead of ‘Proxied’ in Cloudflare
- SSL/TLS certificates are still being generated or renewed
- Cloudflare Universal SSL is not enabled for your account
- The certificate authority failed to validate the new hostname
- The server origin SSL certificate doesn’t match the requested hostname
How Does SSL/TLS Work with Hostnames in Cloudflare?
SSL/TLS certificates assure visitors that their connection is encrypted and trustworthy. Here’s how the coverage works:
- SSL Certificates Bind Names: Each certificate is issued for one or more specific hostnames.
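- Wildcard Certificates: Some certificates use wildcards (e.g., *.example.com) to cover any subdomain one level below the named domain. The wildcard matches a single label, so *.example.com covers blog.example.com but not dev.blog.example.com.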
- Cloudflare Universal SSL: By default, Cloudflare provides a free “Universal SSL” certificate that covers your root domain and common subdomains.
- Custom and Advanced SSL: For more control, users can upload their own certificates or buy Advanced Certificates for broader or specific hostname coverage.
If you add a new subdomain, Cloudflare might not automatically add it to your certificate—leaving it uncovered.
What Happens When a Hostname Isn’t Covered?
If there’s no valid certificate for a hostname:
- Browsers display security warnings or errors instead of your content.
- HTTPS connections may fail outright.
- Visitors lose trust in your site.
- Search rankings can suffer—Google prioritizes HTTPS.
Step-By-Step: Troubleshooting and Fixing the Error
1. Check Which Hostnames Are Covered
- Log in to your Cloudflare dashboard.
- Under “SSL/TLS” > “Edge Certificates,” find the list of hostnames covered by active certificates.
2. Identify the Uncovered Hostname
- Note which subdomain or domain is triggering the error.
- Confirm it’s listed in your DNS records and intended to be served over HTTPS.
3. Review DNS Settings
- In your Cloudflare DNS dashboard, ensure the DNS record’s cloud icon is orange (“Proxied”), not gray (“DNS only”).
- Only proxied hostnames are covered by Cloudflare’s Universal SSL.
4. Enable Universal SSL
- Go to “SSL/TLS” settings.
- Make sure “Universal SSL” is enabled. If not, turn it on and allow a few hours for propagation.
5. Order or Extend Certificate Coverage
- Use the “Advanced Certificate Manager” if you need coverage for additional or wildcard hostnames.
- You can purchase this in the Cloudflare dashboard if you require custom coverage.
6. Wait for Propagation
- Sometimes, it takes several hours for new certificates to be issued and deployed across global servers.
- Be patient and refresh the certificate status.
7. Check for Certificate Conflicts
- If you installed a custom SSL at your origin server, ensure it includes all necessary hostnames.
- Cloudflare will check the certificate presented at the edge, not just at your server.
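The first three checks above (certificate hostname list, uncovered hostname, proxy status) can be scripted once you have copied the hostnames from “Edge Certificates” and your DNS records into a list. The sketch below is an added example, not Cloudflare tooling: the function names, the sample records, and the assumed certificate names (example.com plus *.example.com) are all constructed for illustration.

```python
# Added example: audit DNS records against the hostnames listed on a certificate.
# All hostnames, records and function names here are constructed for illustration.

def san_matches(hostname: str, san: str) -> bool:
    """True if one certificate name covers hostname.
    A wildcard stands for exactly one leftmost label."""
    host = hostname.lower().rstrip(".").split(".")
    pattern = san.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False  # "*" never spans more than one label
    if pattern[0] == "*":
        # Reject bare "*.tld" patterns and empty leftmost labels.
        return len(pattern) > 2 and bool(host[0]) and host[1:] == pattern[1:]
    return host == pattern

def covered(hostname: str, sans: list) -> bool:
    return any(san_matches(hostname, s) for s in sans)

def audit(records: list, sans: list) -> dict:
    """Return {hostname: finding} for each (hostname, proxied) DNS record."""
    findings = {}
    for name, proxied in records:
        if not proxied:
            findings[name] = "dns-only: edge certificate not used"
        elif covered(name, sans):
            findings[name] = "covered"
        else:
            findings[name] = "proxied but not covered: extend certificate"
    return findings

# Assumed certificate names: the apex plus one wildcard level.
EDGE_SANS = ["example.com", "*.example.com"]
# Constructed DNS records: (hostname, proxied?)
DNS_RECORDS = [
    ("example.com", True),
    ("www.example.com", True),
    ("dev.api.example.com", True),  # two labels deep: the wildcard does not reach it
    ("mail.example.com", False),    # gray cloud ("DNS only")
]

if __name__ == "__main__":
    for host, finding in audit(DNS_RECORDS, EDGE_SANS).items():
        print(f"{host:24} {finding}")
```

Hostnames reported as “proxied but not covered” are the ones that need extended coverage (step 5); “dns-only” entries are served with whatever certificate the origin presents.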
Benefits of Correct Certificate Coverage
Ensuring every relevant hostname is covered by a certificate offers various advantages:
- User Trust: Visitors see the browser “Padlock” icon, assuring them the connection is secure.
- SEO Gains: Search engines reward HTTPS-secured sites.
- Compliance: Many regulations require encryption for personal data exchanges.
- Protection Against Attacks: Encrypted data transferred between client and server can’t easily be intercepted.
Common Challenges and Solutions
Multiple Subdomains
- If you operate many subdomains, manually adding each to a certificate can be tedious.
- Solution: Use wildcard certificates or Advanced Certificate Manager to ease administration.
Certificate Delay or Pending Status
- “Pending” or “Authorizing Certificate” statuses can appear while a new certificate is issued.
- Solution: Wait 24-48 hours; if unresolved, contact Cloudflare support.
DNS Misconfiguration
- Setting a DNS record to “DNS only” disables Cloudflare’s SSL for that hostname.
- Solution: Make sure essential records are set to “Proxied.”
Full (Strict) SSL Mode at Cloudflare
- Using “Full (strict)” mode means your server must also have a valid SSL certificate.
- Solution: Install an Origin CA or commercial certificate at your web server if needed.
Best Practices for Managing SSL/TLS Certificates in Cloudflare
- Always review coverage after adding DNS records or subdomains.
- Use Cloudflare’s “Edge Certificates” dashboard for clarity.
- Periodically test your site using browser incognito windows or SSL tools.
- Enable notifications for SSL certificate expiry or renewal tasks.
- Secure your server with a certificate, even if Cloudflare is proxying traffic.
- If you need broad coverage or have unusual needs (long hostnames, special characters), consider the paid Advanced Certificate option.
Cost Tips for SSL Certificate Management with Cloudflare
- Free: Universal SSL covers most use-cases at no cost.
- Wildcard and Custom Needs: Advanced Certificate Manager is a paid add-on—use it only if necessary for additional hostnames or wildcards.
- Third-Party Certificates: Compare costs of commercial SSL certificates with Cloudflare coverage before buying elsewhere.
Summary
Receiving the error “this hostname is not covered by a certificate” means your domain, subdomain, or DNS record does not have a valid SSL/TLS certificate via Cloudflare. This exposes users to warnings and discourages them from visiting your site.
Fixing the issue often involves checking DNS record settings, ensuring Cloudflare’s Universal SSL is enabled, and confirming all necessary hostnames are covered. Consider Cloudflare’s advanced solutions if your setup is more complex.
Staying on top of certificate coverage not only protects visitors but also enhances your site’s reputation and ranking.
Frequently Asked Questions (FAQs)
1. How can I check which hostnames are covered by my Cloudflare SSL certificate?
Go to the Cloudflare dashboard, under SSL/TLS settings, and open “Edge Certificates.” Here, you’ll see the list of hostnames included in your current certificate.
2. Why does the “this hostname is not covered by a certificate” error appear right after adding a new subdomain?
When you add a new subdomain, it may take time for Cloudflare to issue and deploy a corresponding SSL certificate. If it’s not proxied or not included in your certificate’s scope, you’ll see the error.
3. What is the difference between the “Proxied” and “DNS only” status in Cloudflare, and why does it matter?
Only “Proxied” (orange cloud) DNS records are routed through Cloudflare’s network and gain the benefits of its SSL/TLS certificates. “DNS only” (gray cloud) records don’t get SSL coverage from Cloudflare.
4. Can I use my own SSL certificate with Cloudflare?
Yes, you can upload your own certificate using Cloudflare’s “Custom Certificates” feature, available on specific plan levels. Alternatively, ensure your server’s certificate is valid if you’re using “Full (strict)” SSL mode.
5. How long does it take for Cloudflare to issue a new certificate covering a hostname?
It typically takes a few minutes to several hours. In rare cases, it can take up to 24-48 hours. If the certificate doesn’t appear after that time, review your DNS and SSL settings, or contact Cloudflare support.
By following the steps and advice above, you’ll ensure your site’s security, reliability, and continued trustworthiness for all users.