Error messages
To help avoid ERR_SSL_VERSION_OR_CIPHER_MISMATCH errors, Cloudflare automatically shows an error message, "This hostname is not covered by a certificate", on proxied DNS records not covered by a TLS certificate.
Pending domains
If you recently added your domain to Cloudflare, meaning that your zone is in a pending state, you can often ignore this warning.
Once most domains become Active, Cloudflare will automatically issue a Universal SSL certificate, which will provide SSL/TLS coverage and remove the warning message.
Active domains
If your zone is already active on Cloudflare, this warning identifies subdomains that are not covered by your current SSL/TLS certificate.
By default, Cloudflare Universal SSL certificates only cover your apex domain and one level of subdomain.
| Hostname | Covered by Universal certificate? |
| --- | --- |
| example.com | Yes |
| www.example.com | Yes |
| docs.example.com | Yes |
| dev.docs.example.com | No |
| test.dev.api.example.com | No |
To prevent insecure connections on a multi-level subdomain, do one of the following:
- Enable Total TLS, which automatically issues individual certificates to your proxied hostnames not covered by a Universal certificate.
- Order an Advanced Certificate covering the subdomain.
- Upload a Custom Certificate covering the subdomain.
If none of these solutions work, you could also remove the multi-level subdomain.
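The coverage rule in the table above can be checked across a whole DNS inventory before the warning appears. The following is an added example, not Cloudflare's code: it assumes the Universal certificate is modelled as the apex name plus one wildcard entry, and it goes slightly beyond the table by accepting any list of certificate names, so an Advanced or Custom certificate can be checked the same way. The function names and the sample hostname list are hypothetical.

```python
def san_matches(hostname: str, pattern: str) -> bool:
    """Return True if one certificate SAN entry covers the hostname.

    A wildcard counts only as the whole leftmost label and stands in for
    exactly one label, so *.example.com does not cover a.b.example.com.
    """
    host = hostname.rstrip(".").lower().split(".")
    pat = pattern.rstrip(".").lower().split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return host[1:] == pat[1:]
    return host == pat


def universal_sans(apex: str) -> list[str]:
    # Assumption: "apex domain and one level of subdomain" modelled as
    # the apex name plus a single wildcard entry.
    apex = apex.rstrip(".").lower()
    return [apex, f"*.{apex}"]


def uncovered(hostnames, sans):
    """Hostnames that no SAN entry covers, i.e. the ones that would warn."""
    return [h for h in hostnames if not any(san_matches(h, s) for s in sans)]


# Constructed sample: the proxied hostnames from the table above.
PROXIED = [
    "example.com", "www.example.com", "docs.example.com",
    "dev.docs.example.com", "test.dev.api.example.com",
]

if __name__ == "__main__":
    sans = universal_sans("example.com")
    print("Universal only:", uncovered(PROXIED, sans))
    # Hypothetical extra certificate covering one multi-level subdomain.
    print("Plus dev.docs:", uncovered(PROXIED, sans + ["dev.docs.example.com"]))
```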