Skip to content
Start free
Custom domain · updated 2026-05-02

Troubleshoot SSL issues

SSL doesn't work — three most common causes and fixes.

Troubleshoot SSL on a custom domain

If https://qr.youragency.com/ shows a browser SSL error, it's almost always one of three things.

1. Cloudflare proxy off

Most common. In Cloudflare → DNS → your CNAME row, the cloud icon must be orange (proxied). Grey-cloud means CF only does DNS resolution; no SSL is issued. Toggle to orange.

2. Cloudflare SSL/TLS mode set to "Flexible"

Cloudflare's "Flexible" mode talks HTTP between Cloudflare and our origin — but our origin is HTTPS-only, which causes a redirect loop and SSL errors.

Fix: Cloudflare → SSL/TLS → set encryption mode to "Full" (acceptable) or "Full (strict)" (best, recommended).

3. Universal SSL hasn't issued yet

Cloudflare's free Universal SSL provisions automatically once you enable proxy, but it can take up to 15 minutes. Symptoms: browser shows ERR_SSL_PROTOCOL_ERROR or "Your connection is not private" with the certificate showing as "Cloudflare default".

Fix: wait 15 minutes; if still broken at 30 minutes, in Cloudflare → SSL/TLS → Edge Certificates → confirm Universal SSL is "Active" not "Pending Validation". If "Pending Validation", remove the domain from Cloudflare and re-add — sometimes triggers a fresh issuance.

Edge cases

"Self-signed certificate" or origin SSL error

Means our origin certificate isn't trusted at Cloudflare's edge. Highly unusual — email support@qrnfctap.com immediately.

Custom certificate (Cloudflare Pro/Business plan)

If you've uploaded a custom certificate to Cloudflare, ensure the SAN includes your subdomain. We don't manage your custom-cert lifecycle.

Non-Cloudflare DNS

If you're using Route 53, Google Cloud DNS, or another provider without a Cloudflare-style proxy: SSL provisioning is on you. QR NFC Tap's origin serves with our *.qrnfctap.com certificate, which won't validate for your.domain.com. You'll need to put Cloudflare (or another reverse proxy with SNI termination) in front. We're working on Let's Encrypt origin certs for non-CF customers in a future update.

Still stuck?

Email support@qrnfctap.com with:

  • Your custom domain hostname
  • Your DNS provider
  • The exact error message from your browser
  • A screenshot of your CF SSL/TLS settings if applicable
Was this helpful?
Related in Custom domain
← All Custom domain articles Contact support →
Start free Shop cards