526 error, Origin certificate and Comodo Certificate Full (strict) mode


I’ve just spent my day trying to get rid of the 526 error! I really don’t know why I have this error because I do have an Origin Certificate, and I also have a Comodo certificate. I tried to remove the Comodo certificate, it still didn’t work; I tried to remove the Origin certificate, it didn’t work either.

So I reinstalled both of them and at the moment I have the two certificates, I’m in Full strict mode and I still have the 526 error.

What should I do? My website is https://www.chaise-de-gamer.fr, let me know if you need anything else. (Sorry for my English, I’m French.)

Thanks in advance!

What is the served certificate if you go directly to the origin, bypassing Cloudflare?

I’m not sure how to do that, but I think I have to remove all the orange clouds on the “DNS category” so it shows “DNS ONLY”?

I did that and the served certificate is actually “CloudFlare Origin Certificate”

Yes, that is the way. Can you do that now, please (note that it will show your IP for some time, I’d require no more than 5 minutes)?

Done! All the orange clouds are removed and everything is “DNS ONLY”, it should be ok! Thanks!

Put them back, I’m done. Thanks.

It’s not serving the Cloudflare Origin certificate.

% curl -Ikv --resolve www.chaise-de-gamer.fr:443:109.234.xxx.xxx https://www.chaise-de-gamer.fr
* Added www.chaise-de-gamer.fr:443:109.234.xxx.xxx to DNS cache
* Hostname www.chaise-de-gamer.fr was found in DNS cache
*   Trying 109.234.xxx.xxx...
* Connected to www.chaise-de-gamer.fr (109.234.xxx.xxx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=FR; ST=France; L=xxx; O=o2switch; OU=o2switch; CN=ipxtender01.jabatus.fr; [email protected]
*  start date: Sep 17 15:48:22 2017 GMT
*  expire date: Sep 17 15:48:22 2018 GMT
*  issuer: C=FR; ST=France; L=xxx; O=o2switch; OU=o2switch; CN=xxx.xxx.xx; [email protected]
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fec82010a00)
> Host: www.chaise-de-gamer.fr
> User-Agent: curl/7.64.1
> Accept: */*
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 503 
HTTP/2 503 
< date: Tue, 15 Sep 2020 21:46:29 GMT
date: Tue, 15 Sep 2020 21:46:29 GMT
< content-type: text/html; charset=utf-8
content-type: text/html; charset=utf-8
< server: o2switch-PowerBoost-v3
server: o2switch-PowerBoost-v3

* Connection #0 to host www.chaise-de-gamer.fr left intact
* Closing connection 0
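An added example, not part of the thread, that automates the check above in Python: it connects to the origin IP with SNI set to the site hostname (what curl --resolve does), validates the served chain the way Full (strict) would, and turns the OpenSSL verify code into a readable reason. The path to Cloudflare’s Origin CA root PEM is an assumption you supply yourself.

```python
import socket
import ssl

# OpenSSL X509_V_ERR codes most often behind a 526; curl prints the same number,
# e.g. "self signed certificate (18)" in the session above.
VERIFY_CODES = {
    10: "certificate has expired",
    18: "self-signed leaf certificate (no CA-issued cert installed on the origin)",
    19: "self-signed root in chain is not in the trust store",
    20: "issuer certificate not found (incomplete chain or untrusted CA)",
    62: "certificate does not cover the requested hostname",
}

def explain(code, message=""):
    """Map an OpenSSL verify code to a 526-oriented explanation."""
    return VERIFY_CODES.get(code, f"verification failed ({code}): {message}")

def flatten_name(name):
    """Flatten getpeercert()'s nested ((('commonName', 'x'),), ...) into a dict."""
    return {k: v for part in name for k, v in part}

def describe(cert):
    """Summarise a verified peer certificate: CN, issuer org, DNS SANs, expiry."""
    return {
        "cn": flatten_name(cert["subject"]).get("commonName"),
        "issuer": flatten_name(cert["issuer"]).get("organizationName"),
        "san": [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"],
        "not_after": cert.get("notAfter"),
    }

def probe_origin(hostname, origin_ip, cafile=None, port=443, timeout=5.0):
    """Connect to origin_ip with SNI=hostname (what curl --resolve does) and validate."""
    ctx = ssl.create_default_context(cafile=cafile)  # None -> system trust store
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return {"ok": True, **describe(tls.getpeercert())}
    except ssl.SSLCertVerificationError as e:  # must precede the generic SSLError
        return {"ok": False, "code": e.verify_code, "reason": explain(e.verify_code, e.verify_message)}
    except (OSError, ssl.SSLError) as e:
        return {"ok": False, "code": None, "reason": f"TLS/connection failure: {e}"}

def full_strict_ok(hostname, origin_ip, origin_ca_file):
    """Full (strict) accepts a publicly trusted chain or a Cloudflare Origin CA cert:
    probe with system roots first, then with the Origin CA root (assumed PEM path)."""
    public = probe_origin(hostname, origin_ip)
    if public["ok"]:
        return public
    origin = probe_origin(hostname, origin_ip, cafile=origin_ca_file)
    return origin if origin["ok"] else {"ok": False, "public": public, "origin_ca": origin}
```

Run full_strict_ok with the site hostname, the origin IP and a downloaded copy of Cloudflare’s Origin CA root; a failing result carries the same OpenSSL code curl reported, so code 18 here means the origin is still handing out its own self-signed certificate.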

Oh! Thanks, it explains everything! Do you think it could work if I delete all the certificates except the Cloudflare Origin Certificate? I will try this right now.

That I have no clue, given that each server has its own configuration, but it could be.

The only certificate left on my cPanel is now the Cloudflare Origin Certificate. I just did a “curl” by copy-pasting your command in the terminal, and it still shows “self signed certificate (18)”.

The only thing I can do now is contact my hosting support, I think?

Yup, I believe that’s the solution…

Ok so they said:

"You use CloudFlare on your side, it is CloudFlare who delivers the SSL.

We cannot generate SSL on our end because you are using cloudflare, which is why you are seeing self-signed SSL."

I didn’t really understand, but it’s like I can’t do anything to get it to work. I think I will just have to delete CloudFlare…

Also, I don’t know why, but my cPanel is working correctly and has the CloudFlare certificate with no error, even on Full (strict).

Tell them you will provide the certificate details to them. Also, a suggestion: change hosting.