Cloudflare 526 disruption re SSL issued by Google Trust Services (WE1)

What is the name of the domain?

humus.io

What is the error number?

526

What is the error message?

Invalid SSL certificate

What is the issue you’re encountering?

website is not accessible

What steps have you taken to resolve the issue?

Filed abuse report implicating Cloudflare: SSL shows valid and I have not changed any Cloudflare DNS settings since the website was live on 6/6/2024
https://cf.sjr.org.uk/tools/check?170df23940c74fe6a87f713cc0718ae0

What feature, service or problem is this related to?

DNS not responding/updating

What are the steps to reproduce the issue?

refresh URL

Screenshot of the error

If this is the site on GoDaddy with IP address ending in .100, it doesn’t have a valid certificate. It’s using a generic GoDaddy cert.

You filed an abuse report here at Cloudflare?

1 Like

Yes, Cloudflare is implicated in the 526 Error, as nothing has changed by me on Cloudflare, or the Registrar or Server side, and Edge SSL Certificate, Issued by Google Trust Services (WE1) shows valid “8 August 2024 01:21:39 UTC to 6 November 2024 01:21:38 UTC” according to the check tool link I posted. The website has been live uninterrupted from June 6, 2024, until sometime today. The issue can only be internal to Cloudflare unless shown otherwise.

Is your site hosted at GoDaddy with a server IP address that ends in .100?

no

https://drive.google.com/drive/folders/1ZxBF1E_UWETeYTjuxIxLB2xfVI9j096J?usp=sharing

Give these instructions a try:

It’s the link that’s in your initial post about the 526.

If that’s not feasible, then Pause Cloudflare, and make sure site is working as expected with HTTPS. Only then should you un-pause Cloudflare and double-check your SSL/TLS setting to make sure it’s Full (Strict).

2 Likes

Cloudflare has been able to “successfully validate the SSL certificate on the origin web server” until today and nothing has changed anywhere else unless demonstrated by Cloudflare.

If that’s going to be the extent of your troubleshooting, you’ll have to wait until Cloudflare looks into this for you.

2 Likes

That’s my point, Cloudflare is responsible for the downtime.

The situation smacks of help for ransom.

Under the circumstances it doesn’t make sense for me to touch anything on the Cloudflare side, as the issue is obviously internal to Cloudflare. Will the paid Cloudflare “community” admins please escalate this to support!

Given that your domain’s email is hosted at Google, it appears the site is, as well.

And your certificate there expired a couple of nights ago:

* Server certificate:
*  subject: CN=www.humus.io
*  start date: Jun  7 22:26:35 2024 GMT
*  expire date: Sep  5 23:16:26 2024 GMT
*  issuer: C=US; O=Google Trust Services; CN=WR3
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

There’s no need to escalate this to Support.

2 Likes

Thank you @sdayman that would have saved us both time up front. I’ll hit the untrustworthy almighty Google Trust Services up and report back.

1 Like

@sjr

Before I submit a support request to the almighty, why the discrepancy, @sdayman?

You maintain the websites; perhaps you can tell us? A 526 error means an invalid cert on your origin server. That isn’t something Cloudflare can solve for you.

1 Like

Thanks @cscharff but I cited a source for validity and @sdayman has not.

@sdayman knows a thing or two about a thing or two. He provided evidence in his post.

2 Likes

Google Workspace Support, Salma

12:05 AM

Cloudflare provides free SSL certificates. As the error is related to SSL certificate please reach out to the Cloudflare support.

Google Workspace Support, Salma

12:05 AM

And the issue is not with google sites.

Google Workspace Support, Salma

12:14 AM

I wish I could be more helpful but Kurt as I am from the specialist I can tell you the issue is not related to Google.

Cloudflare DNS settings have worked fine since 6/6/2024 until today, per Namecheap advises Cloudflare DNS for https redirect DEBACLE for Google Sites

Will Cloudflare support please resolve the issue instead of paying “community” admins to run members in circles?

e.g.

I really wish you would have given Pausing Cloudflare a try.

As I said, you’re using Google Sites. Which means you have a CNAME that points to ghs.googlehosted.com which resolves like this:

% host ghs.googlehosted.com
ghs.googlehosted.com has address 142.250.72.179

So, let’s bypass Cloudflare, and connect directly to your server, completely removing Cloudflare from the situation.

% curl -svo /dev/null https://www.humus.io --connect-to ::142.250.72.179 
* Connecting to hostname: 142.250.72.179
*   Trying 142.250.72.179:443...
* Connected to 142.250.72.179 (142.250.72.179) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
} [317 bytes data]
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* (304) (IN), TLS handshake, Unknown (8):
{ [15 bytes data]
* (304) (IN), TLS handshake, Certificate (11):
{ [4021 bytes data]
* SSL certificate problem: certificate has expired
* Closing connection

Well, shoot, we can’t connect because the certificate has expired. Let’s take a closer look by ignoring an invalid cert (this goes for a bit, so you’ll have to scroll within the response textbox):

% curl -skvo /dev/null https://www.humus.io --connect-to ::142.250.72.179
* Connecting to hostname: 142.250.72.179
*   Trying 142.250.72.179:443...
* Connected to 142.250.72.179 (142.250.72.179) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
} [317 bytes data]
* (304) (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* (304) (IN), TLS handshake, Unknown (8):
{ [15 bytes data]
* (304) (IN), TLS handshake, Certificate (11):
{ [4021 bytes data]
* (304) (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* (304) (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* (304) (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=www.humus.io <~~~~~~~~There's your hostname, so we're in the right place
*  start date: Jun  7 22:26:35 2024 GMT
*  expire date: Sep  5 23:16:26 2024 GMT <~~~~~ And there it is…expired very recently
*  issuer: C=US; O=Google Trust Services; CN=WR3
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
3 Likes
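
The manual check in the post above can be automated. This is an added example, not part of the original thread: it parses the certificate block that `curl -skv ... --connect-to` prints for the origin and reports why a validating client would reject it at a given moment. The function names and the two check times are assumptions made for illustration; the sample block is the output quoted in the thread.

```python
import re
import ssl
from datetime import datetime, timezone

# Certificate block from the `curl -skv` output quoted above, with the
# poster's inline annotations removed.
SAMPLE_ORIGIN = """\
* Server certificate:
*  subject: CN=www.humus.io
*  start date: Jun  7 22:26:35 2024 GMT
*  expire date: Sep  5 23:16:26 2024 GMT
*  issuer: C=US; O=Google Trust Services; CN=WR3
"""

FIELD = re.compile(
    r"^\*\s+(subject|start date|expire date|issuer):[ \t]*(.+?)[ \t]*$", re.M)

def parse_curl_cert(verbose_output):
    """Pull the certificate fields out of curl's verbose TLS summary."""
    fields = dict(FIELD.findall(verbose_output))
    missing = {"subject", "start date", "expire date"} - fields.keys()
    if missing:
        raise ValueError(f"no certificate block found, missing {sorted(missing)}")
    return fields

def check_origin(verbose_output, hostname, now):
    """Return the list of reasons the origin cert would be rejected at `now`."""
    cert = parse_curl_cert(verbose_output)
    ts = now.timestamp()
    problems = []
    # ssl.cert_time_to_seconds parses exactly this "Sep  5 23:16:26 2024 GMT" form.
    if ts < ssl.cert_time_to_seconds(cert["start date"]):
        problems.append("not yet valid")
    if ts > ssl.cert_time_to_seconds(cert["expire date"]):
        problems.append("expired")
    # Simplification: curl's summary shows only the subject CN, so compare that;
    # a real validator matches against the subjectAltName entries.
    cn = re.search(r"CN=([^,;/\s]+)", cert["subject"])
    if not cn or cn.group(1).lower() != hostname.lower():
        problems.append("hostname mismatch")
    return problems

if __name__ == "__main__":
    # Constructed check times on either side of the expiry date.
    for day in (1, 7):
        when = datetime(2024, 9, day, tzinfo=timezone.utc)
        print(when.date(), check_origin(SAMPLE_ORIGIN, "www.humus.io", when) or "ok")
```

The same origin certificate passes on 1 September and fails on 7 September with no configuration change anywhere, which is how a 526 can appear under Full (Strict) while the edge certificate (WE1) is still inside its validity window.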

What’s up with Cloudflare “free DNS/SSL” !?