526 error on SSL FULL STRICT (ORIGIN CERTIFICATE)

Hi all.
I ran into a problem with SSL Full (Strict). I re-created all the origin certificates, installed them on the web server, and enabled “Authenticated Origin Pulls”. The DNS IP address was changed (before the domain was moved here, everything worked perfectly; not after the IP change). Now it gives a 526 error. If I do not switch to Strict mode but just use Full, everything works fine; with Strict it does not. I also use a certificate from the Cloudflare CA to verify the request.

Greetings,

Thank you for asking.

May I ask what happens when you disable this? :thinking:

May I ask if the A www and A domain.com DNS records are both proxied and set to :orange:? If not, switch them both to :orange:

Sounds like the “re-created” certificates are self-signed at your origin host/server? :thinking:

Otherwise, you might be using GoDaddy hosting (I am just guessing)? → Lately there was a topic where a customer had an issue with it :frowning:


I tried turning off “Authenticated Origin Pulls”; it had no effect. I have a VDS (not GoDaddy hosting).


That didn’t work for me, I tried everything.

Hmm… Then you should contact Cloudflare support by clicking on the link titled “Cloudflare support”, then click “Submit a request”! If you receive an auto reply stating your ticket has been closed, please post the ticket number here so we can escalate it!

The system did not produce similar solutions to my problem.

What is your plan?

Free.

I need to send an email with a link to this ticket, or am I missing something?

You can send it directly from that email address (i.e. if you have a Google account, you should be able to send them an email from Gmail or Yahoo!). However, do NOT post a direct link to the support ticket! Instead, post the support ticket number here (once you get an auto-reply)!

I wrote an email; the system gave me the guide you posted above. Nothing helps me. Request ID: #2375003

If you have tried all the troubleshooting from the stated articles and still experience the error, then I am afraid you should choose Full, as it’s the only way your website will work while using Cloudflare for your domain name.


Alas, this is not the solution in my case; I need Strict.

Are they issued by the Let’s Encrypt / ACME / Certbot / cPanel AutoSSL, or?

Or rather are you using Cloudflare Origin CA certificate?

Okay, but the SSL certificate contains a domain name (including the www prefix and any other related sub-domain like mail, etc.), and it has to be a valid one for your domain name?

Kindly, you could determine this by:

  1. Use the “Pause Cloudflare on Site” option from the Overview tab for your domain at dash.cloudflare.com .
  2. The link is in the lower right corner of that page.
  3. Give it five minutes to take effect, then make sure site is working as expected with HTTPS without any error related to the SSL certificate in your Web browser.
  4. Only then should you un-pause Cloudflare and double-check your SSL/TLS setting to make sure it’s Full (Strict).

Here is a way to re-check whether you correctly set up SSL for your domain with Cloudflare:


Did you try quickfix item 1? Specifically, please run this command and share the output here:

curl -svo /dev/null --resolve example.com:443:123.123.123.123 https://example.com/

Replace example.com with your domain and the 123.123.123.123 IP with the value of your DNS A record.

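A Python version of the same check, added here as an example and not part of the original thread: like `curl --resolve`, it connects to the origin IP directly (bypassing Cloudflare's proxy) while sending the site hostname as SNI, verifies the certificate the way a strict client would, and translates the OpenSSL verify error into what it means for Full (Strict). One caveat it encodes: a Cloudflare Origin CA certificate is trusted by the Cloudflare edge but not by curl or a browser, so "unable to get local issuer certificate" from a local client does not by itself mean Full (Strict) will fail; pass the Origin CA root as `cafile` to check that case. The hostnames, IP and the sample certificate dictionary are constructed for illustration.

```python
"""Check an origin directly with SNI, as Cloudflare's edge does, and explain the result."""
import socket
import ssl
import sys
import time


def _name_matches(pattern, host):
    """Exact match or a single leftmost wildcard label, e.g. '*.example.com'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        # '*.example.com' covers 'www.example.com' but not 'example.com' or 'a.b.example.com'
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host


def _cn(name):
    """Pull commonName out of the nested tuple layout that getpeercert() uses."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def summarize_cert(cert, hostname, now=None):
    """Summarize a getpeercert()-style dict from a strict verifier's point of view."""
    if now is None:
        now = time.time()
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "subject_cn": _cn(cert.get("subject", ())),
        "issuer_cn": _cn(cert.get("issuer", ())),
        # subject == issuer is the usual signature of a self-signed certificate
        "self_signed": cert.get("subject") == cert.get("issuer"),
        "san": sans,
        # Full (Strict) requires the name the edge connects with to be in the SAN
        "hostname_covered": any(_name_matches(s, hostname) for s in sans),
        "days_left": int((not_after - now) // 86400),
    }


def explain_verify_failure(verify_message):
    """Map an OpenSSL verify error string (Python or curl) to its meaning for Full (Strict)."""
    msg = verify_message.lower().replace("-", " ")  # 'self signed' vs 'self-signed' across OpenSSL versions
    if "self signed" in msg:
        return ("self-signed certificate: Full (Strict) rejects it; install a Cloudflare "
                "Origin CA certificate or a publicly trusted one on the origin")
    if "unable to get" in msg and "issuer" in msg:
        return ("issuer not trusted by this client: either the origin serves an incomplete "
                "chain, or this is a Cloudflare Origin CA certificate, which curl and browsers "
                "do not trust but the Cloudflare edge does; re-run with cafile= pointing at "
                "the Origin CA root to confirm")
    if "expired" in msg:
        return "certificate has expired: renew it on the origin"
    if "not yet valid" in msg:
        return "certificate not yet valid: check the origin's clock"
    if "hostname mismatch" in msg:
        return "hostname mismatch: the certificate's SAN does not cover this name (www vs apex?)"
    return "other verification failure: " + verify_message


def check_origin(hostname, origin_ip, port=443, cafile=None, timeout=5.0):
    """Connect to origin_ip with SNI=hostname and verify strictly; returns (ok, detail)."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return True, summarize_cert(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as e:
        return False, explain_verify_failure(e.verify_message)
    except ssl.SSLError as e:
        # e.g. the SSL_ERROR_SYSCALL case: the handshake died before verification
        return False, "TLS handshake failed before verification: %s" % e
    except OSError as e:
        return False, "connection failed: %s" % e


# Constructed sample (not a real certificate): self-signed, covers www and a wildcard.
SAMPLE_SELF_SIGNED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2025 GMT")  # fixed "now" for the sample

if __name__ == "__main__":
    # usage: python origin_check.py example.com 123.123.123.123 [ca-bundle.pem]
    host, ip = sys.argv[1], sys.argv[2]
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    ok, detail = check_origin(host, ip, cafile=ca)
    print("OK" if ok else "FAIL", detail)
```

Run it against the A-record IP, not the proxied hostname, otherwise you are testing Cloudflare's edge certificate rather than the origin's. A `self_signed: True` summary or a "self-signed certificate" explanation is exactly what Full (Strict) refuses and what produces the 526.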
* Expire in 0 ms for 6 (transfer 0x5600e3a35c10)
* Added www.example.com:443:123.123.123 to DNS cache
* Hostname www.example was found in DNS cache
*   Trying 123.123.123.123...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x5600e3a35c10)
* Connected to example.com (123.123.123.123) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
    CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.example:443
* Closing connection 0

I am getting a different error:

* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [228 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [102 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [742 bytes data]
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
} [2 bytes data]
* SSL certificate problem: self signed certificate
* Closing connection 0

Looks like @fritex called it correctly.


I don’t know, maybe. How do I check it? And if so, how do I get rid of it or fix it?

I’ve got a few questions about how you got it in the first place; anyway, try the suggested steps to temporarily pause Cloudflare for your site. Wait for some time.
I suggest you “Pause Cloudflare on Site” for those (or switch those DNS entries to :grey: DNS Only), and get the sites up and running with HTTPS before you proxy them with Cloudflare.
Then re-run the renewal process for your domain’s SSL certificate, and once you have established a valid HTTPS connection using a valid SSL certificate, un-pause it and the 526 error should be gone while using the Full (Strict) option:

Maybe it’s related to the host:
