My custom domain SSL isn't working
Cloudflare proxy vs DNS-only mode, certificate provisioning timing, CAA record conflicts, and the retry flow — fix SSL errors on your custom domain step by step.
You added your custom domain in Admin → Settings → Custom Domain and pointed your DNS to VeloCMS, but now your browser shows a certificate error, an insecure connection warning, or the domain just doesn't resolve at all. SSL provisioning has a few known failure modes — here's how to diagnose and fix each one.
The single most important thing to check first
VeloCMS uses Cloudflare for SaaS to provision SSL certificates for custom domains. For this to work, your DNS record for the custom domain MUST be set to DNS-only mode (the gray cloud icon in Cloudflare, not the orange proxied cloud). If your domain is proxied through Cloudflare (orange cloud), Cloudflare will try to handle SSL itself using its own certificate, which will conflict with VeloCMS's certificate provisioning and result in an SSL error or a cert mismatch.
Gray cloud (DNS-only) is mandatory for VeloCMS custom domains. Orange cloud (Proxied) is NOT supported and will break SSL. This is the cause of the majority of custom domain SSL failures we see.
Step 1 — Check your DNS record
- Log in to Cloudflare (or your DNS provider) and find the CNAME record for your custom domain.
- The CNAME value should point to proxy.velocms.org.
- If you're using Cloudflare, click the orange cloud icon next to the record to toggle it to gray (DNS-only).
- If you're using a non-Cloudflare DNS provider (Namecheap, Google Domains, etc.), simply ensure the CNAME points to proxy.velocms.org — there's no proxy toggle to worry about.
- Save the change and wait for the old record's TTL to expire (Cloudflare's Auto TTL is 5 minutes; other providers often default to an hour or more). Confirm with dig that the first answer for your domain is now a CNAME to proxy.velocms.org: if you only get IP addresses back, the record is still proxied (or is an A record, not a CNAME).
Step 2 — Trigger certificate provisioning
After your DNS record is correct, go back to Admin → Settings → Custom Domain and click Verify Domain. This triggers VeloCMS to issue a new Cloudflare for SaaS certificate for your domain. Certificate provisioning typically takes 2–5 minutes. You'll see the status change from Pending to Active. Reload the admin page after 5 minutes if it's still Pending.
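The following script is an added example for Steps 1 and 2, not VeloCMS's own tooling. It classifies what dig returns for the custom domain (a Cloudflare record in orange-cloud mode answers with Cloudflare's own addresses and no CNAME, which is exactly the failure mode described above) and, when given a live hostname, also prints the certificate the server actually presents. The target name proxy.velocms.org and the admin menu path come from the article; the function names and verdict words are assumptions of this example.

```shell
#!/bin/sh
# velocms-dns-check.sh: added example, not VeloCMS tooling.
# Usage: sh velocms-dns-check.sh blog.example.com   (live mode needs network)
# The expected CNAME target comes from the article above.
EXPECTED_TARGET="proxy.velocms.org"

# classify_dns TARGET "OUTPUT"
# OUTPUT is exactly what 'dig +short HOST' printed. Prints one word:
#   ok                   first answer is a CNAME to TARGET (gray cloud, correct)
#   proxied-or-a-record  only IP addresses came back: either the Cloudflare record
#                        is orange-cloud (Cloudflare answers with its own IPs and
#                        hides the CNAME) or an A record was created instead
#   wrong-target         a CNAME exists but points somewhere else
#   unresolved           no answer at all (typo, wrong zone, not yet propagated)
classify_dns() {
  target="${1%.}"
  output="$2"
  first=$(printf '%s\n' "$output" | sed -n '1p')
  first="${first%.}"
  if [ -z "$first" ]; then
    echo unresolved
  elif [ "$first" = "$target" ]; then
    echo ok
  elif printf '%s\n' "$output" | grep -Evq '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f:]+$'; then
    echo wrong-target      # at least one non-address line: a CNAME to another host
  else
    echo proxied-or-a-record
  fi
}

# advice VERDICT: the fix for each outcome, in the article's terms.
advice() {
  case "$1" in
    ok)                  echo "DNS is correct; click Verify Domain in Admin > Settings > Custom Domain." ;;
    proxied-or-a-record) echo "Toggle the record to DNS-only (gray cloud) or replace the A record with a CNAME to $EXPECTED_TARGET." ;;
    wrong-target)        echo "Point the CNAME at $EXPECTED_TARGET." ;;
    unresolved)          echo "No record found; check the hostname and zone, then wait for the TTL to pass." ;;
  esac
}

# live_check HOST: runs dig and openssl against the real domain (needs network).
live_check() {
  host="$1"
  answer=$(dig +short "$host")
  verdict=$(classify_dns "$EXPECTED_TARGET" "$answer")
  echo "dns: $verdict"
  advice "$verdict"
  # Which certificate does the server actually present for this SNI name?
  echo "served certificate:"
  openssl s_client -servername "$host" -connect "$host:443" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

if [ $# -gt 0 ]; then
  live_check "$1"
fi
```

Run it with the custom domain as the only argument. A verdict of proxied-or-a-record is the orange-cloud case from the section above; ok followed by a served certificate whose subject is not your domain usually means Verify Domain has not been clicked yet or provisioning is still Pending.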
CAA records blocking certificate issuance
CAA (Certificate Authority Authorization) records tell certificate authorities which CAs are allowed to issue certificates for your domain. If your domain has CAA records and none of them permits DigiCert (the CA that issues VeloCMS's Cloudflare for SaaS certificates), provisioning fails silently: the status stays Pending indefinitely.
# Check for CAA records on your domain
dig CAA yourdomain.com
# If you see CAA records, add one that permits DigiCert:
# yourdomain.com. 300 IN CAA 0 issue "digicert.com"
If you have CAA records and none of them names digicert.com, add one. Multiple CAA records can coexist, so adding digicert.com does not remove the others. If you have no CAA records at all, you're fine: with no CAA records in effect, any CA may issue. Two details catch people out. First, CAA is inherited: for blog.yourdomain.com the CA looks for CAA records on blog.yourdomain.com and, finding none, uses the ones on yourdomain.com, so check both names. Second, an issuewild record only governs wildcard certificates; the record you need for a normal hostname is issue.
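As an added example (again not VeloCMS tooling), here is a script that applies the CAA rules from this section the way a CA does: it walks up from the custom domain to its parents until it finds a CAA record set, then decides whether the named CA is permitted, ignoring issuewild records and any parameters after a semicolon in the record value. The default CA value digicert.com is taken from the article; the function names and the three verdict words are assumptions of this example.

```shell
#!/bin/sh
# caa-check.sh: added example, not VeloCMS tooling.
# Usage: sh caa-check.sh blog.example.com [digicert.com]   (live mode needs network)
# Rules (RFC 8659): a CA may issue a non-wildcard certificate when no CAA records
# are in effect, or when an "issue" record names that CA. "issuewild" records
# only govern wildcard certificates and are ignored here.

# caa_verdict CA_DOMAIN "RECORDS"
# RECORDS is what 'dig +short CAA NAME' printed, one record per line, e.g.
#   0 issue "letsencrypt.org"
# Prints: unrestricted | allowed | blocked
caa_verdict() {
  ca=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  records="$2"
  if [ -z "$records" ]; then
    echo unrestricted        # no CAA records: every CA may issue
    return 0
  fi
  verdict=blocked            # records exist, so the CA must be named explicitly
  while IFS= read -r rec; do
    if [ -z "$rec" ]; then continue; fi
    tag=$(printf '%s\n' "$rec" | awk '{print tolower($2)}')
    # value is the quoted string; parameters after ';' (e.g. account=...) are ignored
    value=$(printf '%s\n' "$rec" | cut -d'"' -f2 | cut -d';' -f1 | tr -d ' ' | tr 'A-Z' 'a-z')
    if [ "$tag" = "issue" ] && [ "$value" = "$ca" ]; then
      verdict=allowed
    fi
  done <<EOF
$records
EOF
  echo "$verdict"
}

# live_check HOST [CA]: find the CAA set that is actually in effect for HOST by
# walking up the name tree (blog.example.com, then example.com, then com).
live_check() {
  host="$1"
  ca="${2:-digicert.com}"
  name="$host"
  recs=""
  while [ -n "$name" ]; do
    recs=$(dig +short CAA "$name")
    if [ -n "$recs" ]; then
      echo "CAA records in effect (found at $name):"
      printf '%s\n' "$recs"
      break
    fi
    case "$name" in
      *.*) name="${name#*.}" ;;
      *)   name="" ;;
    esac
  done
  verdict=$(caa_verdict "$ca" "$recs")
  echo "$ca: $verdict"
  if [ "$verdict" = blocked ]; then
    echo "Add this record at $name:  $name. 300 IN CAA 0 issue \"$ca\""
  fi
}

if [ $# -gt 0 ]; then
  live_check "$@"
fi
```

A verdict of blocked is the "Pending forever" case described above; the suggested record is added alongside the existing ones, not instead of them.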
Certificate shows as active but browser still shows error
If Admin shows the certificate as Active but your browser still shows an error, first confirm what the server actually presents for your hostname (for example with openssl s_client, using your domain as the SNI name) and where your machine is resolving the name to. If the presented certificate is correct, the error is a stale result on your side: try the domain in an incognito window or a different browser, clear Chrome's host cache and socket pools (chrome://net-internals/#dns and chrome://net-internals/#sockets; the chrome://settings/security page only manages device certificates and does not clear connection state), and on macOS flush the system DNS cache.
If you moved DNS from another host to VeloCMS, your readers' resolvers may keep returning the old record until its previous TTL expires (up to 24 hours if it had a long TTL), so they still reach the old host and receive its certificate. This resolves on its own; it is DNS caching, not a certificate cache, since browsers do not cache certificates in that way. Lowering the record's TTL before a move shortens this window next time.
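This added example (not VeloCMS tooling) does the "what is the server actually sending" check from the paragraph above: it fetches the certificate presented for the hostname with SNI and decides whether the certificate's Subject Alternative Names cover that hostname, applying the usual wildcard rule (*.example.com covers blog.example.com but not example.com or a.b.example.com). It assumes the text layout OpenSSL prints for -ext subjectAltName; the function names are assumptions of this example.

```shell
#!/bin/sh
# served-cert-check.sh: added example, not VeloCMS tooling.
# Usage: sh served-cert-check.sh blog.example.com   (needs network)

# san_covers HOST "SAN_TEXT"
# SAN_TEXT is the output of 'openssl x509 -noout -ext subjectAltName', e.g.
#   X509v3 Subject Alternative Name:
#       DNS:blog.example.com, DNS:*.example.com
# Extra lines (subject, issuer, dates) are ignored. Returns 0 if HOST is covered.
san_covers() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  # one DNS name per line, lower-cased, with the "DNS:" prefix removed
  names=$(printf '%s\n' "$2" | tr ',' '\n' | tr -d ' \t' | sed -n 's/^DNS://p' | tr 'A-Z' 'a-z')
  while IFS= read -r n; do
    case "$n" in
      "$host")
        return 0 ;;
      \*.*)
        suffix="${n#\*.}"          # *.example.com  -> example.com
        label="${host%%.*}"        # blog.example.com -> blog
        # a wildcard matches exactly one label, so rebuild and compare
        if [ "$host" = "$label.$suffix" ]; then return 0; fi ;;
    esac
  done <<EOF
$names
EOF
  return 1
}

# served_cert HOST: subject, issuer, validity and SANs of the certificate the
# server sends when asked for HOST via SNI (needs network).
served_cert() {
  openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates -ext subjectAltName
}

if [ $# -gt 0 ]; then
  cert=$(served_cert "$1")
  printf '%s\n' "$cert"
  if san_covers "$1" "$cert"; then
    echo "OK: the presented certificate covers $1"
  else
    echo "MISMATCH: the presented certificate does not cover $1 (wrong host reached, or provisioning not finished)"
  fi
fi
```

If this prints MISMATCH from a machine whose DNS already shows the new record, the problem is on the VeloCMS side (provisioning not finished, or the domain not verified); if it prints OK but a browser still complains, it is the browser's or resolver's stale state. On macOS the system DNS cache is flushed with `sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder`; on Windows with `ipconfig /flushdns`.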
Domain shows the wrong site
If your custom domain resolves but shows the VeloCMS landing page instead of your blog, the domain verification step wasn't completed inside VeloCMS admin. Go to Admin → Settings → Custom Domain, confirm the domain is listed there, and that the status shows Active. If the domain isn't listed at all, add it and complete the verification flow before your DNS change takes effect.