Community Tip - Fixing Error 526: Invalid SSL certificates

#1

Error
Try the suggestions in this Community Tip to help you fix Error 526: Invalid SSL certificate.

Background
Error 526 indicates Cloudflare is unable to successfully validate the SSL certificate on the origin web server and the SSL setting in the Cloudflare Crypto app is set to Full SSL (Strict) for the website. When this happens, you’ll see “Error 526: Invalid SSL certificate”.

Quick Fix Ideas

  1. If the origin server is configured to use a self-signed certificate and you’d like to have Cloudflare connect using SSL, configure the domain to use Full SSL instead of Full SSL (Strict). Change your SSL settings on the Crypto tab from ‘Full (strict)’ to ‘Full’ or install a valid certificate on your origin server. Read more about what do the SSL options mean? To test to see if your origin has a self-signed certificate, run the following cURL command: curl -svo /dev/null --resolve example.com:443:123.123.123.123 https://example.com/, replace example.com with your domain name and 123. with your origin IP address. The response from an origin server with a self-signed certificate will contain * SSL certificate problem: self signed certificate. A self-signed certificate secures the connection between Cloudflare and your origin but will cause a 526 error when you try to connect to the origin directly.

  2. Check to make sure the certificate hasn’t expired, the certificate isn’t revoked, and that the certificate is signed by a certificate authority such as GlobalSign, Verisign, GeoTrust, Comodo, etc and is not a self-signed SSL certificate. If your certificate is expired or self-signed, change the SSL setting on your Crypto tab to Full SSL instead of Full (Strict). Read about the differences between our SSL options.

  3. Check to make sure the requested domain name (hostname) is in the certificate’s Common Name or Subject Alternative Name (SAN) configuration. If you added a CNAME record for the hostname on Cloudflare, the Common Name or SAN may also match the CNAME target.

Lite Reading

Background Resources
Knowledge Base
YouTube

Research The Issue
Community
Google

If You Need More Help
This community of other Cloudflare users may be able to assist you, if not, login to Cloudflare and then contact Cloudflare Support. When you contact support, make sure to include as much of this information as possible: time stamped log files from your origin server, RayID, domain name, error messages, screen shots, and/or HAR file(s).

Expert Comments Appreciated
This Community Tip will remain open for input from Community experts and those familiar with this issue. We really appreciate comments like: “What are the three things to always try”, or “Do this first” or “In my experience”.

This is a Cloudflare Community Tip, to review past tips click here.

Error 526: Invalid SSL certificate but certificate is active
ERROR 526 in my site (ssl)
ACTIVE SSL but Site says NOT SECURE
Website stoped working on change of SSL on my hosting server
Problem with security certificate
Error 526 Invalid SSL Certificate
Error 526: on Full Strict SSL with lets encrypt
I can't access my website. HELP!
Its been more than 24 hours, my domain didnt get a ssl
Community Tip - All Published Tips
Please help me!
How do I change my nameservers in CloudFlare?
Do I need CNAME for subdomains to work?
Universal SSL with "Active Certificate" Status Fails
My ssl is not working
Website not working after http change to https
526 SSL error
Help me plss
#2
#3

This topic was automatically closed after 5 days. New replies are no longer allowed.