Fix: SSL Certificate Issues on CDN-Fronted Domains
When your site is behind Cloudflare or another CDN, visitors see the CDN's certificate. Your origin server has its own certificate. Both can expire independently — and most monitoring tools only check the CDN cert.
Check origin cert directly
# Check what CDN serves to visitors: openssl s_client -connect yourdomain.com:443 2>/dev/null | $ openssl x509 -noout -dates # Check origin cert directly (bypass CDN): openssl s_client -connect YOUR_SERVER_IP:443 $ -servername yourdomain.com 2>/dev/null | $ openssl x509 -noout -dates
The ConfigClarity SSL Checker flags CDN-fronted domains in orange — the cert is managed by the CDN and may have different renewal behaviour than origin certs.
Check CDN and origin certs for your domains in the SSL Checker.
Open Tool →