526 error on SSL FULL STRICT (ORIGINAL CERTIFICATION )

Are they issued by the Let’s Encrypt / ACME / Certbot / cPanel AutoSSL, or?

Or rather are you using Cloudflare Origin CA certificate?

Okay, but the SSL certificate contains a domain name (including the www prefix and any other related sub-domain like mail, etc.) and it has to be a valid one for your domain name?

Kindly, you could determine this by:

  1. Use the “Pause Cloudflare on Site” option from the Overview tab for your domain at dash.cloudflare.com .
  2. The link is in the lower right corner of that page.
  3. Give it five minutes to take effect, then make sure the site is working as expected over HTTPS without any error related to the SSL certificate in your Web browser.
  4. Only then should you un-pause Cloudflare and double-check your SSL/TLS setting to make sure it’s Full (Strict).

Here is a way to re-check if you correctly setup the SSL for your domain with Cloudflare:


Did you try quickfix item 1? Specifically, please run this command and share the output here.

curl -svo /dev/null --resolve example.com:443:123.123.123.123 https://example.com/

Replace example.com with your domain and the 123 ip with the value of your dns A record.

* Expire in 0 ms for 6 (transfer 0x5600e3a35c10)
* Added www.example.com:443:123.123.123 to DNS cache
* Hostname www.example was found in DNS cache
*   Trying 123.123.123.123...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x5600e3a35c10)
* Connected to example.com (123.123.123.123) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.example:443
* Closing connection 0

I am getting a different error

* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [228 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [102 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [742 bytes data]
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
} [2 bytes data]
* SSL certificate problem: self signed certificate
* Closing connection 0

Looks like @fritex called it correctly


I don’t know, maybe. How to check it? And if so, how to get rid of it? Fix it?

I’ve got a few questions about how you got it in the first place, therefore try the suggested steps to temporarily Pause Cloudflare for your site. Wait for some time.
I suggest you “Pause Cloudflare on Site” for those (or switch those DNS entries to :grey: DNS Only), and get the sites up and running with HTTPS before you proxy them with Cloudflare.
Then, re-run the renewal process of the SSL certificate for your domain and, once you have established a valid HTTPS connection using a valid SSL certificate, un-pause it and the error 526 should be gone while using the Full (Strict) option:

Maybe it’s related to the host:


I contacted tech support, they disabled the certificate that was signed by my server and temporarily disabled the protection against DDoS, so that nothing conflicts. Can you look again? Error 526 is still there.

@fritex Sorry to mention, the posting system won’t let me send a message, says to wait 12 hours, had to mention it.

I am sorry to say, but I am afraid I cannot because I cannot find your domain name being shared here as it wasn’t even posted before :confused:

Again, if you cannot get a valid Let’s Encrypt / AutoSSL certificate for your domain name and want Full (Strict) SSL, options are:

  1. Purchase an SSL certificate which covers your naked (root) domain + www + any other sub-domain (if you are using it)
  2. Use Cloudflare Origin CA certificate

rainford-rp.ru

I use Original and Edge Certificates from Cloudflare

Great, but did you also add the Cloudflare Root CA?

Here:

Source:

I can still see the same error:

Maybe your hosting doesn’t allow you this.

There was one particular topic lately, where we spent almost a week and more than 70 posts, or even more, where the user used a Cloudflare Origin CA certificate, but GoDaddy didn’t support it and was throwing a 525 error all the time no matter what SSL option the user selected → a similar error, but the hosting didn’t accept the Cloudflare Origin CA certificate.

If your site is working fine with Full, then leave it on Full. Otherwise, I am afraid you should try to either set it up on some custom domain, or use a sub-domain and a different hosting provider, or use some other hosting provider for your main domain to try it out.

Forcing Full (Strict) when it’s not working, I am sorry but I do not understand why would we.


Hmm, pretty weird. I even turned off L7 protection, as maybe they could conflict with the cloud; the self-signed certificate from the server side is also turned off. Maybe the trouble is in my server configuration? Where does the Cloudflare Root CA need to be used? In the client request confirmation (ssl_client_certificate in nginx)? I could be wrong.

Come on, we had these discussions a million times. Advising people to disable their site’s security really is not a good idea.

There’s a reason we have articles on that.


No, just put it into the /etc/ssl where all other are located.

Maybe your hosting doesn’t have it and therefore throws this error too.

Otherwise, maybe … may I ask is your hosting provider offering ModSecurity or Imunify360 to you? :thinking:

And we are going in a loop of guesses, I am afraid.


Oh… I don’t know at all( maybe?

Try to ask them if so, maybe that’s the issue here.


Supported

I tried a complete reinstallation of the operating system, put a clean web server there and re-issue the cloud certificates, it had no effect(

curl -svo /dev/null --resolve rainford-rp.ru:443:x.x.x.x https://rainford-rp.ru/
I tried to run the command on the documentation, to check if the server has a self-signed certificate, the answer was different.

* Expire in 0 ms for 6 (transfer 0x5629e1597c10)
* Added rainford-rp.ru:443:x.x.x.x to DNS cache
* Hostname rainford-rp.ru was found in DNS cache
*   Trying x.x.x.x...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x5629e1597c10)
* Connected to rainford-rp.ru (x.x.x.x) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [102 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [1206 bytes data]
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
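The three curl outputs in this thread end in three different TLS outcomes (an aborted handshake, a self-signed origin certificate, and an issuer that curl's local trust store does not know). The classifier below is an added example, not code from the thread or from Cloudflare; it reads the verbose output of the `curl -svo /dev/null --resolve HOST:443:ORIGIN_IP https://HOST/` check and maps it to the origin-certificate state that decides whether Full (Strict) can work. The sample outputs are constructed, abridged copies of the three results posted above plus one successful handshake; the rule wording is taken from the curl/OpenSSL messages shown in the thread and from other standard curl verification messages, and the advice for the untrusted-issuer case relies on the documented fact that Cloudflare Origin CA certificates are trusted by Cloudflare's edge only, not by browsers or curl's default store.

```python
"""Classify `curl -v` TLS output into origin-certificate states (added example)."""

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Diagnosis:
    code: str      # short machine-readable label
    evidence: str  # the curl line that triggered the classification
    advice: str    # what the site operator should look at next


# Ordered (regex, code, advice): definitive certificate verdicts first,
# the generic "connection dropped" rule after them, success last.
RULES = [
    (r"SSL certificate problem: self.signed certificate",
     "self-signed",
     "Origin presents a self-signed certificate: Full (Strict) returns 526. "
     "Install a publicly trusted certificate or a Cloudflare Origin CA certificate."),
    (r"SSL certificate problem: unable to get local issuer certificate",
     "untrusted-issuer",
     "curl's trust store does not know the issuer. This is expected for a Cloudflare "
     "Origin CA certificate (trusted only by Cloudflare's edge); confirm the chain with "
     "--cacert <Cloudflare Origin CA root>. Otherwise the origin is missing its "
     "intermediate certificate or uses a private CA."),
    (r"SSL certificate problem: certificate has expired",
     "expired",
     "Renew the origin certificate; Full (Strict) rejects expired certificates."),
    (r"does not match target host name|no alternative certificate subject name matches",
     "hostname-mismatch",
     "Certificate does not cover this hostname; reissue it for the apex and www names."),
    (r"SSL_ERROR_SYSCALL|Connection reset by peer|Connection refused",
     "handshake-aborted",
     "The TLS handshake never completed: the origin closed the connection. Check that "
     "port 443 really serves TLS and that nothing in front of it drops the handshake."),
    (r"SSL connection using ",
     "verified",
     "curl verified the certificate chain; Full (Strict) should work for this origin."),
]


def diagnose(curl_output: str) -> Diagnosis:
    """Return the first rule matched by any line of curl's verbose (stderr) output."""
    for line in curl_output.splitlines():
        for pattern, code, advice in RULES:
            if re.search(pattern, line):
                return Diagnosis(code, line.strip("* ").strip(), advice)
    return Diagnosis("unknown", "", "No recognised TLS outcome; rerun curl with -v.")


# Constructed, abridged samples modelled on the outputs posted in the thread.
SAMPLE_HANDSHAKE_ABORTED = """\
* Connected to example.com (123.123.123.123) port 443 (#0)
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.example:443
* Closing connection 0
"""
SAMPLE_SELF_SIGNED = """\
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate
* Closing connection 0
"""
SAMPLE_UNTRUSTED_ISSUER = """\
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
"""
SAMPLE_VERIFIED = """\
* TLSv1.3 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: CN=example.com
"""

if __name__ == "__main__":
    for name, sample in [("aborted", SAMPLE_HANDSHAKE_ABORTED),
                         ("self-signed", SAMPLE_SELF_SIGNED),
                         ("untrusted", SAMPLE_UNTRUSTED_ISSUER),
                         ("verified", SAMPLE_VERIFIED)]:
        d = diagnose(sample)
        print(f"{name:12} -> {d.code}: {d.advice}")
```

Pipe curl's stderr into it (`curl -svo /dev/null --resolve ... 2>&1 | python3 diagnose.py` with a small `sys.stdin.read()` wrapper) to get the verdict without reading the handshake trace by hand. The rule order matters: a certificate-problem line is a definitive verdict, whereas `SSL_ERROR_SYSCALL` only says the origin dropped the connection before presenting a certificate at all, which is why the first poster's output and the later self-signed output call for different fixes.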