SSL & HTTPS Guides

Using a CDN with HTTPS

Learn how HTTPS works with a CDN, how edge and origin certificates differ, and how to avoid SSL errors, redirect loops and mixed content.

By CheckDomainHealth Editorial Team Reviewed by Dionis Ceban Updated Jun 28, 2026 8 min read Beginner

Introduction

When a CDN is placed in front of a website, visitors connect to the CDN edge first, not directly to the origin hosting server. This means HTTPS may exist in two places: between the visitor and the CDN, and between the CDN and the origin server.

A correct CDN HTTPS setup needs a valid edge certificate for the public hostname, a safe connection from the CDN to the origin, clean redirects and consistent hostname handling. If these layers are misconfigured, users may see SSL warnings, redirect loops, mixed content errors or intermittent HTTPS failures.

Quick answer

Quick answer

With a CDN, check both the public edge certificate and the origin connection. The CDN must serve a valid certificate for your domain, the origin should also support HTTPS, and redirect rules should not conflict between CDN, server and application. Test the public hostname, not only the origin server.

CDN HTTPS

A CDN or reverse proxy sits between visitors and the origin server.

Typical HTTPS flow
Visitor browser
 CDN edge
 origin hosting server

There can be two TLS connections:

  1. Browser to CDN — the visitor sees the CDN’s edge certificate.
  2. CDN to origin — the CDN connects to your hosting server or origin application.

The certificate visitors see may be different from the certificate installed on the origin server.

Edge vs origin certificate

Edge certificate

  • Where it is used: Between visitor and CDN.
  • Who sees it: Browsers and public users.
  • Must cover: Public hostname, such as example.com or www.example.com.
  • Managed by: CDN or certificate provider.

Origin certificate

  • Where it is used: Between CDN and origin server.
  • Who sees it: The CDN, not normal visitors.
  • Must cover: Origin hostname or expected SNI hostname.
  • Managed by: Hosting provider, server admin, CDN or certificate authority.

If the edge certificate is valid but the origin connection is broken, the CDN may show 525, 526, 502 or similar HTTPS-related errors depending on provider.

CDN SSL modes

Many CDNs offer different SSL modes. Names vary by provider, but the idea is similar.

Off

No HTTPS at the CDN. Not recommended for public websites.

Flexible

Visitor uses HTTPS to CDN, but CDN may connect to origin over HTTP. Can cause redirect loops and weaker origin security.

Full

Visitor uses HTTPS to CDN, and CDN uses HTTPS to origin. Origin certificate may not always be fully validated depending on provider.

Full strict / verified

Visitor uses HTTPS to CDN, and CDN validates the origin certificate. Usually the safest production option.

Use provider-specific names and documentation, but prefer an end-to-end HTTPS setup where possible.

DNS and proxy status

When a CDN is active, DNS often points to the CDN instead of directly to the origin server.

  • Root and www records point to CDN as intended
  • Proxy status is enabled or disabled intentionally
  • Origin IP is correct
  • CDN hostname is configured
  • Custom hostname is verified
  • Edge certificate is issued
  • DNS changes have propagated

If DNS bypasses the CDN, visitors may see the origin server certificate instead of the CDN certificate.

Why this matters

Why this matters

CDN HTTPS matters because SSL can fail at more than one layer. The public CDN edge may be correct while the origin certificate is expired, or the origin may be correct while the CDN edge certificate is missing. Redirect rules can also conflict between CDN, origin server and application.

A CDN improves performance and protection only when HTTPS, caching and redirects are configured consistently.

How to check CDN HTTPS

Use SSL Checker and Website Status Checker to test the public hostname exactly as visitors see it.

When checking CDN HTTPS, review

These seven checks help confirm CDN HTTPS is configured correctly.

Public certificate

Confirm the CDN edge certificate is valid for the hostname.

Origin certificate

Confirm the origin server has a valid certificate if the CDN connects over HTTPS.

SSL mode

Check whether CDN-to-origin HTTPS validation is strict or relaxed.

Redirect rules

Look for conflicts between CDN redirects, server redirects and application redirects.

Root and www

Confirm both hostnames are covered and redirect consistently.

Mixed content

Check whether HTTPS pages load HTTP assets.

CDN cache

Confirm old redirects or old certificates are not cached.

Check CDN HTTPS

Use SSL Checker and Website Status Checker to verify the public certificate, redirects and final HTTPS response.

Run SSL Check →

Common problems

Edge certificate missing

High

The CDN does not have a valid certificate for the public hostname.

Next step: Issue or activate the CDN edge certificate for the domain.

Origin certificate expired

High

The CDN connects to an origin server with an expired certificate.

Next step: Renew the origin certificate or update CDN origin SSL settings.

Hostname mismatch at CDN edge

High

The CDN edge certificate does not cover the requested hostname.

Next step: Add the hostname to the CDN certificate or correct DNS/proxy configuration.

Hostname mismatch at origin

Medium

The CDN connects to an origin hostname not covered by the origin certificate.

Next step: Install a certificate covering the origin hostname or adjust SNI/origin settings.

Flexible SSL causes redirect loop

High

The CDN connects to origin over HTTP while the origin forces HTTPS.

Next step: Use full end-to-end HTTPS and remove conflicting redirect rules.

CDN and origin redirects conflict

High

Both CDN and origin rewrite URLs differently, causing loops or chains.

Next step: Choose one redirect strategy and simplify rules.

CAA blocks CDN certificate issuance

Medium

CAA records do not allow the certificate authority used by the CDN.

Next step: Update CAA records to allow the CDN’s certificate authority.

DNS bypasses CDN

Medium

Some hostnames point directly to origin while others use CDN.

Next step: Align DNS records and proxy status intentionally.

Mixed content after CDN HTTPS

Medium

The page loads over HTTPS but assets still use HTTP.

Next step: Update asset URLs, CMS settings and CDN rewrite rules.

How to configure safely

  1. Step 1: Confirm the intended hostname

    Decide whether the site uses root, www or both.

  2. Step 2: Check DNS and CDN routing

    Confirm traffic for the public hostname goes through the CDN if intended.

  3. Step 3: Issue the edge certificate

    Activate or issue the CDN certificate for root, www and required subdomains.

  4. Step 4: Secure the origin

    Install a valid certificate on the origin server if CDN-to-origin HTTPS is used.

  5. Step 5: Choose the correct SSL mode

    Prefer end-to-end HTTPS with origin certificate validation where possible.

  6. Step 6: Simplify redirects

    Avoid conflicting HTTPS redirects in CDN, server and application.

  7. Step 7: Fix application URLs

    Update WordPress/CMS URLs, canonical tags, sitemaps and asset URLs to HTTPS.

  8. Step 8: Purge CDN cache

    Clear cached redirects, old headers and outdated content after changes.

  9. Step 9: Test externally

    Check the public hostname from outside the server.

Common CDN mistakes

Provider names and settings vary, but common CDN mistakes include:

  • Using flexible SSL while the origin forces HTTPS
  • Forgetting to issue an edge certificate
  • Origin certificate expired
  • Wrong SSL mode
  • Orange-cloud or proxy status inconsistent
  • Origin IP changed after migration
  • Root and www configured differently
  • Page rules redirecting to the wrong hostname
  • WordPress still thinks the site is HTTP
  • Old redirects cached at edge

The exact setting names depend on the CDN, but the troubleshooting logic is the same.

WordPress and CDN HTTPS

WordPress can create redirect loops or mixed content if it does not detect HTTPS correctly behind a CDN or proxy.

  • WordPress Address URL
  • Site Address URL
  • HTTPS detection behind proxy
  • Cache plugin CDN settings
  • Mixed content replacement
  • Canonical tags
  • Sitemap URLs
  • Security plugin redirect rules
  • Server-level redirects
  • CDN page rules

If WordPress thinks the request is HTTP while the visitor uses HTTPS at the CDN edge, redirect loops can happen.

Check examples

Check public HTTPS
curl -I https://example.com
Check HTTP redirect
curl -I http://example.com
Check certificate served publicly
openssl s_client -connect example.com:443 -servername example.com
Check DNS
dig example.com A
dig www.example.com CNAME
Check CAA
dig example.com CAA
Expected good flow
Browser  HTTPS  CDN edge  HTTPS  origin server
Problem flow
Browser  HTTPS  CDN edge  HTTP  origin forcing HTTPS  redirect loop

These examples are illustrative. Replace example.com with your real domain and check your CDN provider’s exact settings.

CDN HTTPS checklist

Confirm the following for a consistent CDN HTTPS setup.

  • CDN is active for intended hostnames
  • Edge certificate covers root, www and subdomains
  • Origin certificate is valid
  • SSL mode is correct
  • CAA allows CDN certificate issuance
  • HTTP redirects are not duplicated
  • Root and www behave consistently
  • WordPress or CMS URLs use HTTPS
  • Mixed content is fixed
  • CDN cache was purged after changes
  • Public SSL check passes
  • Website status check returns final 200

Frequently asked questions

Do I need SSL on the origin server if I use a CDN?

For a proper end-to-end HTTPS setup, yes. The CDN edge and the origin connection should both be secured.

Why does SSL work at the origin but not through the CDN?

The CDN edge certificate may be missing, not issued, or not covering the public hostname.

Why does SSL work at the CDN but origin shows errors?

The origin certificate may be expired, mismatched or not trusted by the CDN.

What causes CDN HTTPS redirect loops?

Common causes include flexible SSL, conflicting CDN/origin redirects or applications that do not detect HTTPS behind a proxy.

Can CAA records block CDN SSL?

Yes. If CAA does not allow the CA used by the CDN, edge certificate issuance can fail.

Why do users see a different certificate than my server has?

Visitors see the CDN edge certificate, not necessarily the origin server certificate.

Should redirects be configured at CDN or origin?

Either can work, but avoid conflicting rules. Use one clear redirect strategy.

Use these free tools to verify your configuration after applying changes.

Browse all SSL & HTTPS guides →

Need help applying this fix?

Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.

Get Help Run Domain Health Check

Was this guide helpful?

Your feedback helps us improve our guides for everyone.