Using a CDN with HTTPS
Learn how HTTPS works with a CDN, how edge and origin certificates differ, and how to avoid SSL errors, redirect loops and mixed content.
Introduction
When a CDN is placed in front of a website, visitors connect to the CDN edge first, not directly to the origin hosting server. This means HTTPS may exist in two places: between the visitor and the CDN, and between the CDN and the origin server.
A correct CDN HTTPS setup needs a valid edge certificate for the public hostname, a safe connection from the CDN to the origin, clean redirects and consistent hostname handling. If these layers are misconfigured, users may see SSL warnings, redirect loops, mixed content errors or intermittent HTTPS failures.
Quick answer
With a CDN, check both the public edge certificate and the origin connection. The CDN must serve a valid certificate for your domain, the origin should also support HTTPS, and redirect rules should not conflict between CDN, server and application. Test the public hostname, not only the origin server.
CDN HTTPS
A CDN or reverse proxy sits between visitors and the origin server.
Visitor browser
→ CDN edge
→ origin hosting server
There can be two TLS connections:
- Browser to CDN — the visitor sees the CDN’s edge certificate.
- CDN to origin — the CDN connects to your hosting server or origin application.
The certificate visitors see may be different from the certificate installed on the origin server.
Edge vs origin certificate
Edge certificate
- Where it is used: Between visitor and CDN.
- Who sees it: Browsers and public users.
- Must cover: Public hostname, such as example.com or www.example.com.
- Managed by: CDN or certificate provider.
Origin certificate
- Where it is used: Between CDN and origin server.
- Who sees it: The CDN, not normal visitors.
- Must cover: Origin hostname or expected SNI hostname.
- Managed by: Hosting provider, server admin, CDN or certificate authority.
If the edge certificate is valid but the origin connection is broken, the CDN may show 525, 526, 502 or similar HTTPS-related errors depending on provider.
CDN SSL modes
Many CDNs offer different SSL modes. Names vary by provider, but the idea is similar.
Off
No HTTPS at the CDN. Not recommended for public websites.
Flexible
Visitor uses HTTPS to CDN, but CDN may connect to origin over HTTP. Can cause redirect loops and weaker origin security.
Full
Visitor uses HTTPS to CDN, and CDN uses HTTPS to origin. Origin certificate may not always be fully validated depending on provider.
Full strict / verified
Visitor uses HTTPS to CDN, and CDN validates the origin certificate. Usually the safest production option.
Use provider-specific names and documentation, but prefer an end-to-end HTTPS setup where possible.
DNS and proxy status
When a CDN is active, DNS often points to the CDN instead of directly to the origin server.
- Root and www records point to CDN as intended
- Proxy status is enabled or disabled intentionally
- Origin IP is correct
- CDN hostname is configured
- Custom hostname is verified
- Edge certificate is issued
- DNS changes have propagated
If DNS bypasses the CDN, visitors may see the origin server certificate instead of the CDN certificate.
Why this matters
CDN HTTPS matters because SSL can fail at more than one layer. The public CDN edge may be correct while the origin certificate is expired, or the origin may be correct while the CDN edge certificate is missing. Redirect rules can also conflict between CDN, origin server and application.
A CDN improves performance and protection only when HTTPS, caching and redirects are configured consistently.
How to check CDN HTTPS
Use SSL Checker and Website Status Checker to test the public hostname exactly as visitors see it.
When checking CDN HTTPS, review
These seven checks help confirm CDN HTTPS is configured correctly.
Public certificate
Confirm the CDN edge certificate is valid for the hostname.
Origin certificate
Confirm the origin server has a valid certificate if the CDN connects over HTTPS.
SSL mode
Check whether CDN-to-origin HTTPS validation is strict or relaxed.
Redirect rules
Look for conflicts between CDN redirects, server redirects and application redirects.
Root and www
Confirm both hostnames are covered and redirect consistently.
Mixed content
Check whether HTTPS pages load HTTP assets.
CDN cache
Confirm old redirects or old certificates are not cached.
Check CDN HTTPS
Use SSL Checker and Website Status Checker to verify the public certificate, redirects and final HTTPS response.
Common problems
Edge certificate missing
HighThe CDN does not have a valid certificate for the public hostname.
Next step: Issue or activate the CDN edge certificate for the domain.
Origin certificate expired
HighThe CDN connects to an origin server with an expired certificate.
Next step: Renew the origin certificate or update CDN origin SSL settings.
Hostname mismatch at CDN edge
HighThe CDN edge certificate does not cover the requested hostname.
Next step: Add the hostname to the CDN certificate or correct DNS/proxy configuration.
Hostname mismatch at origin
MediumThe CDN connects to an origin hostname not covered by the origin certificate.
Next step: Install a certificate covering the origin hostname or adjust SNI/origin settings.
Flexible SSL causes redirect loop
HighThe CDN connects to origin over HTTP while the origin forces HTTPS.
Next step: Use full end-to-end HTTPS and remove conflicting redirect rules.
CDN and origin redirects conflict
HighBoth CDN and origin rewrite URLs differently, causing loops or chains.
Next step: Choose one redirect strategy and simplify rules.
CAA blocks CDN certificate issuance
MediumCAA records do not allow the certificate authority used by the CDN.
Next step: Update CAA records to allow the CDN’s certificate authority.
DNS bypasses CDN
MediumSome hostnames point directly to origin while others use CDN.
Next step: Align DNS records and proxy status intentionally.
Mixed content after CDN HTTPS
MediumThe page loads over HTTPS but assets still use HTTP.
Next step: Update asset URLs, CMS settings and CDN rewrite rules.
How to configure safely
-
Step 1: Confirm the intended hostname
Decide whether the site uses root, www or both.
-
Step 2: Check DNS and CDN routing
Confirm traffic for the public hostname goes through the CDN if intended.
-
Step 3: Issue the edge certificate
Activate or issue the CDN certificate for root, www and required subdomains.
-
Step 4: Secure the origin
Install a valid certificate on the origin server if CDN-to-origin HTTPS is used.
-
Step 5: Choose the correct SSL mode
Prefer end-to-end HTTPS with origin certificate validation where possible.
-
Step 6: Simplify redirects
Avoid conflicting HTTPS redirects in CDN, server and application.
-
Step 7: Fix application URLs
Update WordPress/CMS URLs, canonical tags, sitemaps and asset URLs to HTTPS.
-
Step 8: Purge CDN cache
Clear cached redirects, old headers and outdated content after changes.
-
Step 9: Test externally
Check the public hostname from outside the server.
Common CDN mistakes
Provider names and settings vary, but common CDN mistakes include:
- Using flexible SSL while the origin forces HTTPS
- Forgetting to issue an edge certificate
- Origin certificate expired
- Wrong SSL mode
- Orange-cloud or proxy status inconsistent
- Origin IP changed after migration
- Root and www configured differently
- Page rules redirecting to the wrong hostname
- WordPress still thinks the site is HTTP
- Old redirects cached at edge
The exact setting names depend on the CDN, but the troubleshooting logic is the same.
WordPress and CDN HTTPS
WordPress can create redirect loops or mixed content if it does not detect HTTPS correctly behind a CDN or proxy.
- WordPress Address URL
- Site Address URL
- HTTPS detection behind proxy
- Cache plugin CDN settings
- Mixed content replacement
- Canonical tags
- Sitemap URLs
- Security plugin redirect rules
- Server-level redirects
- CDN page rules
If WordPress thinks the request is HTTP while the visitor uses HTTPS at the CDN edge, redirect loops can happen.
Check examples
curl -I https://example.com
curl -I http://example.com
openssl s_client -connect example.com:443 -servername example.com
dig example.com A
dig www.example.com CNAME
dig example.com CAA
Browser → HTTPS → CDN edge → HTTPS → origin server
Browser → HTTPS → CDN edge → HTTP → origin forcing HTTPS → redirect loop
These examples are illustrative. Replace example.com with your real domain and check your CDN provider’s exact settings.
CDN HTTPS checklist
Confirm the following for a consistent CDN HTTPS setup.
- CDN is active for intended hostnames
- Edge certificate covers root, www and subdomains
- Origin certificate is valid
- SSL mode is correct
- CAA allows CDN certificate issuance
- HTTP redirects are not duplicated
- Root and www behave consistently
- WordPress or CMS URLs use HTTPS
- Mixed content is fixed
- CDN cache was purged after changes
- Public SSL check passes
- Website status check returns final 200
Frequently asked questions
Do I need SSL on the origin server if I use a CDN?
For a proper end-to-end HTTPS setup, yes. The CDN edge and the origin connection should both be secured.
Why does SSL work at the origin but not through the CDN?
The CDN edge certificate may be missing, not issued, or not covering the public hostname.
Why does SSL work at the CDN but origin shows errors?
The origin certificate may be expired, mismatched or not trusted by the CDN.
What causes CDN HTTPS redirect loops?
Common causes include flexible SSL, conflicting CDN/origin redirects or applications that do not detect HTTPS behind a proxy.
Can CAA records block CDN SSL?
Yes. If CAA does not allow the CA used by the CDN, edge certificate issuance can fail.
Why do users see a different certificate than my server has?
Visitors see the CDN edge certificate, not necessarily the origin server certificate.
Should redirects be configured at CDN or origin?
Either can work, but avoid conflicting rules. Use one clear redirect strategy.
Related tools
Use these free tools to verify your configuration after applying changes.
Related guides
Browse all SSL & HTTPS guides →Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.
Was this guide helpful?
Your feedback helps us improve our guides for everyone.
Thanks for your feedback!