Error messages
To help avoid ERR_SSL_VERSION_OR_CIPHER_MISMATCH errors, Cloudflare automatically shows an error message - This hostname is not covered by a certificate - on proxied DNS records not covered by a TLS certificate.
If you recently added your domain to Cloudflare - meaning that your zone is in a pending state - you can often ignore this warning.
Once most domains becomes Active, Cloudflare will automatically issue a Universal SSL certificate, which will provide SSL/TLS coverage and remove the warning message.
If your zone is already active on Cloudflare, this warning identifies subdomains that are not covered by your current SSL/TLS certificate.
By default, Cloudflare Universal SSL certificates only cover your apex domain and one level of subdomain.
| Hostname | Covered by Universal certificate? |
|---|---|
example.com | Yes |
www.example.com | Yes |
docs.example.com | Yes |
dev.docs.example.com | No |
test.dev.api.example.com | No |
To prevent insecure connections on a multi-level subdomain, do one of the following:
- Enable Total TLS, which automatically issues individual certificates to your proxied hostnames not covered by a Universal certificate.
- Order an Advanced Certificate covering the subdomain.
- Upload a Custom Certificate covering the subdomain.
If none of these solutions work, you could also remove the multi-level subdomain.