Introduction
A domain cutover can put traffic behind Cloudflare while Universal SSL still does not issue for the hostname. DNS may appear mostly correct and the zone may already receive requests, but the edge certificate stays pending, missing, or inactive because one requirement for certificate issuance was never fully met during the move.
Treat this as an edge-certificate readiness problem instead of an origin SSL problem. Start by checking whether the hostname is active in the correct Cloudflare zone and actually eligible for Universal SSL, because certificate issuance at the edge depends on zone status, proxy state, and hostname activation rather than only on the origin server.
Symptoms
- Cloudflare Universal SSL does not issue after domain cutover
- HTTPS requests show certificate errors or fallback certificate behavior at the Cloudflare edge
- The hostname resolves through Cloudflare, but the edge certificate remains pending or unavailable
- HTTP may work while HTTPS fails or shows the wrong certificate state
- One hostname issues correctly while another newly moved hostname does not
- The issue started after nameserver change, DNS cutover, or attaching the domain to Cloudflare
Common Causes
- The hostname is not fully active in the intended Cloudflare zone
- The record exists, but it is DNS-only instead of proxied where Universal SSL is expected to apply
- Nameserver delegation changed, but Cloudflare has not fully recognized the zone as active
- The hostname was added in the wrong account, wrong zone, or incomplete environment during cutover
- Certificate issuance eligibility is blocked by partial setup or conflicting hostname state
- Validation focused on origin reachability instead of Cloudflare edge certificate readiness
Step-by-Step Fix
- Check the exact hostname that still lacks a valid edge certificate, because Universal SSL issuance is evaluated per active hostname, not for the migration as a whole.
- Confirm the domain is active in the correct Cloudflare account and zone, because a zone that is still pending or attached in the wrong place will not complete normal edge certificate issuance.
- Review the DNS record for the affected hostname and verify whether it is proxied when Cloudflare is expected to serve HTTPS, because a DNS-only record sends clients straight to the origin, so the Cloudflare edge certificate is not what they are served.
- Confirm the hostname is actually receiving traffic through the intended Cloudflare zone after cutover, because an inactive or partially delegated hostname can leave certificate issuance stalled.
- Compare the failing hostname with another working hostname in the same zone if one exists, because differences in proxy state, record type, or attachment often reveal the real issuance blocker.
- Remove any mistaken duplicate setup, wrong-zone attachment, or partial cutover state at the actual control point, because certificate issuance will not normalize while the hostname identity is split across configurations.
- Recheck the edge certificate status after the hostname and zone state are correct, because Universal SSL depends on Cloudflare seeing a clean, active, eligible hostname configuration.
- Retest the live hostname over HTTPS and verify the served certificate is now the Cloudflare-managed edge certificate for that hostname, because the real fix is trusted browser access without edge certificate warnings.
- Document which hostnames must be proxied and zone-active for Universal SSL after future cutovers, because edge certificate setup is easy to miss during DNS migrations.
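The zone, record, and certificate checks from the steps above can be run as one pass over data exported from the Cloudflare API. The following is an added example, not Cloudflare's own tooling: the function names are hypothetical, the sample data is constructed, and the field names (zone `status` and `account`, record `proxied`, certificate pack `type`, `status`, `hosts`) are assumed to follow the Cloudflare API v4 zone, DNS record, and certificate pack objects.

```python
# Added example: offline readiness check over Cloudflare API v4 style JSON.
# All sample data below is constructed; IDs and names are placeholders.

def covers(pattern, hostname):
    """TLS wildcard match: '*' stands for exactly one left-most label."""
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname

def edge_cert_blockers(hostname, zone, records, packs, expected_account):
    """Return the reasons Universal SSL cannot yet serve `hostname`."""
    blockers = []
    if zone["account"]["id"] != expected_account:
        blockers.append("zone is attached to a different account")
    if zone["status"] != "active":
        blockers.append(f"zone status is {zone['status']!r}, not 'active'")
    mine = [r for r in records if r["name"] == hostname
            and r["type"] in ("A", "AAAA", "CNAME")]
    if not mine:
        blockers.append("no A/AAAA/CNAME record for hostname in this zone")
    elif not all(r["proxied"] for r in mine):
        blockers.append("record is DNS-only (proxied=false)")
    universal = [p for p in packs if p["type"] == "universal"
                 and any(covers(h, hostname) for h in p["hosts"])]
    if not universal:
        blockers.append("no Universal certificate pack lists this hostname")
    elif not any(p["status"] == "active" for p in universal):
        blockers.append("Universal pack status is "
                        + ", ".join(repr(p["status"]) for p in universal))
    return blockers

# Constructed sample state: zone active, one hostname left DNS-only at cutover.
ZONE = {"name": "example.com", "status": "active",
        "account": {"id": "ACCOUNT_ID_PLACEHOLDER"}}
RECORDS = [
    {"type": "A", "name": "www.example.com", "proxied": True},
    {"type": "CNAME", "name": "shop.example.com", "proxied": False},
]
PACKS = [{"type": "universal", "status": "active",
          "hosts": ["example.com", "*.example.com"]}]

if __name__ == "__main__":
    for host in ("www.example.com", "shop.example.com"):
        print(host, edge_cert_blockers(host, ZONE, RECORDS, PACKS,
                                       "ACCOUNT_ID_PLACEHOLDER") or "ready")
```

An empty list means the control-plane state is consistent; the live HTTPS retest in the steps above is still the final check.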