Community Tip - Fixing Error 526: Invalid SSL certificates

Error
Try the suggestions in this Community Tip to help you fix Error 526: Invalid SSL certificate.

Background
Error 526 indicates that Cloudflare is unable to validate the SSL certificate on the origin web server while the SSL setting in the Cloudflare SSL/TLS app is set to Full SSL (Strict) for the website. When this happens, you’ll see “Error 526: Invalid SSL certificate”.

Quick Fix Ideas

  1. If the origin server uses a self-signed certificate and you’d like Cloudflare to connect using SSL, configure the domain to use Full SSL instead of Full SSL (Strict): change the SSL setting in the SSL/TLS app from ‘Full (strict)’ to ‘Full’, or install a valid certificate on your origin server. Read more about what the SSL options mean. Note that Full encrypts the connection to the origin but does not validate the origin certificate, so installing a valid certificate and keeping Full (Strict) is the stronger fix. To test whether your origin has a self-signed certificate, run the following cURL command, replacing example.com with your domain name and 123.123.123.123 with your origin IP address:

     curl -svo /dev/null --resolve example.com:443:123.123.123.123 https://example.com/

     The response from an origin server with a self-signed certificate will contain the line “* SSL certificate problem: self signed certificate”. A self-signed certificate secures the connection between Cloudflare and your origin but will cause a 526 error when you try to connect to the origin directly.

  2. Check that the certificate hasn’t expired, that it isn’t revoked, and that it is signed by a certificate authority such as GlobalSign, Verisign, GeoTrust, Comodo, etc., rather than being a self-signed SSL certificate. If your certificate is expired or self-signed, change the SSL setting in your SSL/TLS app to Full SSL instead of Full (Strict). Read about the differences between our SSL options.

  3. Check to make sure the requested domain name (hostname) is in the certificate’s Common Name or Subject Alternative Name (SAN) configuration. If you added a CNAME record for the hostname on Cloudflare, the Common Name or SAN may also match the CNAME target.
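As an added example (not part of this Community Tip), a small POSIX shell script that runs the three checks above against an origin certificate with openssl: self-signed, expired, and hostname not covered by CN/SAN. It assumes openssl 1.1.1 or newer; example.com and 123.123.123.123 are the same placeholders the tip uses, and the sample certificate is constructed locally so the demo runs offline.

```shell
# Added example, not part of the Cloudflare tip: reproduce the three 526 checks
# (self-signed, expired, hostname not in CN/SAN) with openssl. Assumes openssl 1.1.1+.
# Fetch the leaf certificate an origin presents for HOST when reached at IP
# (same idea as curl's --resolve: TCP to the origin IP, SNI set to the hostname).
fetch_origin_cert() {
    host="$1"; ip="$2"
    printf '' | openssl s_client -connect "$ip:443" -servername "$host" 2>/dev/null \
        | openssl x509 -outform PEM
}
# Diagnose a PEM certificate for HOST. Exit status is a bitmask of findings:
#   1 = self-signed (issuer equals subject; a leaf cert should never look like this)
#   2 = expired (notAfter already passed)
#   4 = HOST is not covered by the certificate's CN/SAN
diagnose_cert() {
    cert="$1"; host="$2"; status=0
    subject=$(openssl x509 -in "$cert" -noout -subject)
    issuer=$(openssl x509 -in "$cert" -noout -issuer)
    # openssl prints "subject=..." and "issuer=..."; compare the names after '='
    if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
        echo "self-signed: $subject"; status=$((status | 1))
    fi
    # -checkend 0 exits non-zero once the certificate's notAfter is in the past
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "expired: $(openssl x509 -in "$cert" -noout -enddate)"; status=$((status | 2))
    fi
    # -checkhost prints "Hostname X does match certificate" or "... does NOT match ..."
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q ' does match'; then
        echo "hostname mismatch: $host is not in CN/SAN"; status=$((status | 4))
    fi
    [ "$status" -eq 0 ] && echo "ok: $host has a valid, CA-signed certificate"
    return "$status"
}
# Constructed sample: a self-signed origin cert for example.com, i.e. the situation
# that produces a 526 under Full (strict). Prints the PEM path.
make_self_signed_sample() {
    dir="$1"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/origin.key" -out "$dir/origin.crt" -days 30 -subj "/CN=example.com" \
        -addext "subjectAltName=DNS:example.com,DNS:www.example.com" 2>/dev/null
    echo "$dir/origin.crt"
}
# Offline demo. Against a live origin: fetch_origin_cert example.com 123.123.123.123 > origin.crt
demo() {
    tmp=$(mktemp -d)
    cert=$(make_self_signed_sample "$tmp")
    diagnose_cert "$cert" example.com || echo "status bits: $?"      # self-signed -> 1
    diagnose_cert "$cert" api.example.com || echo "status bits: $?"  # self-signed + mismatch -> 5
    rm -rf "$tmp"
}
demo
```

Bit 2 (expired) is only exercised by a real expired certificate, since openssl req cannot back-date the sample; the other two findings are shown by the demo.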

Lite Reading

Background Resources
Help Center
YouTube

Research The Issue
Community
Google

If You Need More Help
This community of other Cloudflare users may be able to assist you; if not, log in to Cloudflare and then contact Cloudflare Support. When you contact support, make sure to include as much of this information as possible: time-stamped log files from your origin server, Ray ID, domain name, error messages, screenshots, and/or HAR file(s).

Expert Comments Appreciated
This Community Tip will remain open for input from Community experts and those familiar with this issue. We really appreciate comments like: “What are the three things to always try”, or “Do this first” or “In my experience”.

This is a Cloudflare Community Tip; to review past tips, click here.


FXISCT 102119