CF didn't like my new Let's Encrypt certificate

I got 526 after installing the cert-manager issued certificate. I don’t understand why?!?
I paused CF, trying to inspect the cert with SSL Shopper, which gave me:
aytul.org resolves to 24.55.2.149 No SSL certificates were found on aytul.org. Make sure that the name resolves to the correct server and that the SSL port (default is 443) is open on your server’s firewall.

But this is because my router doesn’t let any IP in other than CF IPs.

So I tried
echo | openssl s_client -showcerts -servername www.aytul.org -connect [redacted internal ip]:443 2>/dev/null | openssl x509 -inform pem -noout -text

which shows me a good certificate.

I had to change the level from Full (strict) to Full. Is there a way to put this back to Full (strict)?
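The check below is an added example, not code from the thread or from Cloudflare: it connects to the origin IP with SNI set to the site hostname (what the `openssl s_client -servername` one-liner above does) and then applies the same tests Full (strict) applies before it returns a 526: chain validation against the local trust store, a subjectAltName that matches the hostname, and an unexpired certificate. The `assess()` part works on a parsed certificate dict of the shape `ssl.SSLSocket.getpeercert()` returns, so it can be exercised offline; the hostnames, IPs and the sample certificate dict are constructed for illustration.

```python
"""Added example (not from the thread): check an origin server's certificate the way
Cloudflare's Full (strict) mode does. Standard library only."""
import datetime as dt
import socket
import ssl
import sys


def san_dns_names(cert):
    """DNS names from a cert dict shaped like ssl.SSLSocket.getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(cert, hostname):
    """RFC 6125-style match: exact label match, or a single leftmost '*' wildcard.

    Only subjectAltName is consulted; the CN is ignored, as modern clients do.
    """
    host = hostname.lower().rstrip(".")
    for name in san_dns_names(cert):
        name = name.lower().rstrip(".")
        if name == host:
            return True
        # '*.example.org' matches 'www.example.org' but not 'a.b.example.org'
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def days_until_expiry(cert, now=None):
    """Days left on the cert; negative means it has already expired."""
    now = now or dt.datetime.now(dt.timezone.utc)
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - now.timestamp()) / 86400


def assess(cert, hostname, now=None):
    """Reasons this cert would fail a strict origin check (empty list = OK)."""
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append(f"no SAN matches {hostname}: {san_dns_names(cert)}")
    left = days_until_expiry(cert, now)
    if left < 0:
        problems.append(f"expired {-left:.1f} days ago")
    return problems


def check_origin(hostname, origin_ip, port=443):
    """Connect to origin_ip:port with SNI=hostname, as the edge would.

    create_default_context() already enforces chain validation against the
    system CAs and hostname checking, so a handshake failure is reported as
    the likely 526 cause; if it succeeds, assess() still reports expiry state.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((origin_ip, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return assess(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as e:
        return [f"chain/hostname verification failed: {e.verify_message}"]
    except ssl.SSLError as e:
        return [f"TLS handshake failed: {e}"]


# Constructed sample certificate dict (not a real certificate) for offline use.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "example.org"), ("DNS", "*.example.org")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jun 10 12:00:00 2030 GMT",
}

if __name__ == "__main__":
    # usage: python check_origin.py www.example.org 192.0.2.10 [port]
    host, ip = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 443
    problems = check_origin(host, ip, port)
    print("origin OK for Full (strict)" if not problems else "\n".join(problems))
```

Run it from a machine your router allows in (or from the origin itself against its own address); an empty result means the edge should accept the certificate, while a chain error points at a missing intermediate on the origin and a SAN mismatch at a cert issued for the wrong name.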

I have a similar issue.

I created a new Let’s Encrypt certificate today and deployed it on my server. When I tried to visit my website (with DNS proxy on), it gave me a 526 error.

However, when I disabled the DNS proxy (meaning a direct connection), everything looked normal. I verified it with openssl, SSL Shopper, and a couple of modern browsers. All said I had a valid certificate which was signed by Let’s Encrypt.

(Didn’t realize I couldn’t edit my post…)

I’m pretty sure this is unrelated, but I just wanted to include it for a better view: I created my new cert with certbot and used DNS-01 for verification. The certificate chain is: ISRG Root X1 → R3 → my domain.


I figured out the problem. It was my mistake: in my Helm chart I wasn’t creating the certificates properly. Once that was fixed, I could set it back to Full (strict). ■■■■ works!


I figured out my problem, well, in a different way. The certificate I had was properly generated, but the cipher I used below was not accepted by Cloudflare’s edge servers.

# nginx cipher list as posted. ECDHE-RSA-AES256-GCM-SHA512 and DHE-RSA-AES256-GCM-SHA512 are not OpenSSL cipher names (AES-256-GCM suites use SHA384), so OpenSSL silently drops them and only the last four entries are ever offered.
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305;

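A quick way to see what an `ssl_ciphers` string really offers, as an added example that is not code from the thread: OpenSSL ignores names it does not know rather than erroring, and `nginx -t` does not warn either, so a mistyped suite quietly narrows the list. The function below feeds each colon-separated entry to the local OpenSSL via Python's `ssl` module and reports which ones select nothing; the `POSTED` string is the cipher list from the post above, and the function and variable names are this example's own.

```python
"""Added example (not from the thread): find entries in an nginx ssl_ciphers
string that the local OpenSSL does not recognise. Standard library only."""
import ssl


def recognised_ciphers(cipher_string):
    """Map each entry of a colon-separated cipher string to the TLS 1.2-and-below
    suites it selects on this OpenSSL build. An empty list means OpenSSL knows no
    suite by that name and would silently skip it."""
    result = {}
    for entry in cipher_string.split(":"):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.set_ciphers(entry)
        except ssl.SSLError:  # "No cipher can be selected."
            result[entry] = []
            continue
        # get_ciphers() also lists TLS 1.3 suites, which set_ciphers() does not
        # control, so filter them out to see only what the entry matched.
        result[entry] = [c["name"] for c in ctx.get_ciphers()
                         if c["protocol"] != "TLSv1.3"]
    return result


def unknown_entries(cipher_string):
    """Entries OpenSSL would drop from the list."""
    return [e for e, suites in recognised_ciphers(cipher_string).items() if not suites]


def effective_cipher_string(cipher_string):
    """The cipher string with the unknown entries removed, i.e. what is really offered."""
    unknown = set(unknown_entries(cipher_string))
    return ":".join(e for e in cipher_string.split(":") if e not in unknown)


# The ssl_ciphers value from the post above.
POSTED = ("ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:"
          "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
          "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305")

if __name__ == "__main__":
    for entry, suites in recognised_ciphers(POSTED).items():
        print(f"{entry:36} -> {suites or 'UNKNOWN (dropped by OpenSSL)'}")
    print("effective list:", effective_cipher_string(POSTED))
```

The same thing can be seen on the origin with `openssl ciphers -v '<string>'`, which prints only the suites it matched; running the check on the origin host matters because the answer depends on that machine's OpenSSL build, not on the one you test from.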