247Monitor

Check the origin certificate behind Cloudflare

When your site sits behind Cloudflare — or any reverse proxy or CDN — an SSL monitor inspects the proxy's edge certificate, not the one on your own server. Here's how to point the check at your origin so it watches the certificate that can actually catch you out.

4 min read

Cloudflare terminates TLS at its edge and auto-renews that certificate for you. The certificate on your origin server is the one nobody renews automatically — and it's invisible to a normal SSL check. The Origin host / IP field fixes that.

Why a normal SSL check sees the wrong certificate

When a domain is proxied through Cloudflare (the orange cloud), its DNS resolves to Cloudflare's IP addresses. An SSL check connects to one of those addresses and reads the certificate Cloudflare presents at its edge — a certificate Cloudflare issues and rotates on a rolling basis. So the expiry date you see belongs to Cloudflare, not to your server.

Your origin server has its own, separate certificate. Depending on your Cloudflare SSL mode (Full or Full (strict)), an expired or invalid origin certificate can break the connection between Cloudflare and your server — an outage a normal SSL check would never warn you about, because it only ever saw the healthy edge certificate.

Point the check at your origin

  1. 1

    Find your origin host or IP

    This is the address of the server that actually holds your certificate: a hosting IP such as 203.0.113.5, an unproxied subdomain like origin.example.com, or a load balancer hostname. Cloudflare users often keep a grey-cloud (unproxied) DNS record pointing straight at the origin for exactly this purpose.

  2. 2

    Open the SSL monitor

    In the dashboard, create a new SSL monitor — or open an existing one and click Edit — then scroll to the SSL settings.

  3. 3

    Keep your domain in the URL

    Leave the monitor's URL as your public domain (e.g. https://example.com). That hostname is sent as the SNI, so your origin presents the right certificate and we validate it against the right name. Don't put the IP in the URL — only in the origin field below.

  4. 4

    Set Origin host / IP

    In the SSL settings, paste your origin address into Origin host / IP (optional). The check now connects there directly instead of to Cloudflare's edge.

  5. 5

    Save and confirm

    Save the monitor. The next result reports your origin certificate — issuer, expiry and days remaining — so you get weeks of warning before it lapses instead of a midnight surprise.

What changes when you set an origin host

With the field blank, the check connects to your URL's host with full certificate-chain verification — the right behaviour for a public, edge certificate.

With an origin host set, the check connects to that address but still sends your domain as the SNI/hostname, then reads the certificate the origin presents and tracks its expiry. Chain-trust enforcement is relaxed, so even a private origin certificate — such as a Cloudflare Origin CA certificate that isn't publicly trusted — is still read for its expiry date.

NoteAlways leave your real domain in the URL. That's the name we use for SNI and for matching the certificate — only the connection address changes.
TipThis isn't Cloudflare-specific. Any reverse proxy, CDN or load balancer that terminates TLS — Fastly, Akamai, an nginx in front of your app — hides the certificate behind it. Point the origin host at whichever server you actually want to watch.
Heads upThe origin has to accept the connection from our checking locations. If it only allows Cloudflare's IP ranges, or enforces Authenticated Origin Pulls (mTLS), a direct check can't complete the handshake — allow our regions to reach it, or point at a host that will answer.

Where to find your origin address

Good sources are the IP your hosting panel shows for the server, an origin. or direct. subdomain you keep grey-clouded in DNS, or your load balancer's hostname. Avoid anything that resolves back through the proxy — that just lands you on the edge certificate again. Once it's set, pair this with an SSL expiry alert so a renewal you forgot can never take the site down.

No credit card · 25 monitors free · 2-minute setup

Start monitoring in minutes.

Free forever for 25 monitors and a server. Add your first check, pick your alert channels, and you're live before your coffee's cold.