Try the suggestions in this Community Tip to help you fix Error 526: Invalid SSL certificate.
Error 526 indicates Cloudflare is unable to successfully validate the SSL certificate on the origin web server and the SSL setting in the Cloudflare Crypto app is set to Full SSL (Strict) for the website. When this happens, you’ll see “Error 526: Invalid SSL certificate”.
Quick Fix Ideas
If the origin server is configured to use a self-signed certificate and you’d like to have Cloudflare connect using SSL, configure the domain to use Full SSL instead of Full SSL (Strict). Change your SSL settings on the Crypto tab from ‘Full (strict)’ to ‘Full’ or install a valid certificate on your origin server. Read more about what do the SSL options mean? To test to see if your origin has a self-signed certificate, run the following cURL command:
curl -svo /dev/null --resolve example.com:443:220.127.116.11 https://example.com/, replace
example.comwith your domain name and
123.with your origin IP address. The response from an origin server with a self-signed certificate will contain
* SSL certificate problem: self signed certificate. A self-signed certificate secures the connection between Cloudflare and your origin but will cause a 526 error when you try to connect to the origin directly.
Check to make sure the certificate hasn’t expired, the certificate isn’t revoked, and that the certificate is signed by a certificate authority such as GlobalSign, Verisign, GeoTrust, Comodo, etc and is not a self-signed SSL certificate.
Check to make sure the requested domain name (hostname) is in the certificate’s Common Name or Subject Alternative Name (SAN) configuration. If you added a CNAME record for the hostname on Cloudflare, the Common Name or SAN may also match the CNAME target.
If You Need More Help
This community of other Cloudflare users may be able to assist you, if not, login to Cloudflare and then contact Cloudflare Support. When you contact support, make sure to include as much of this information as possible: time stamped log files from your origin server, RayID, domain name, error messages, screen shots, and/or HAR file(s).
Expert Comments Appreciated
This Community Tip will remain open for input from Community experts and those familiar with this issue. We really appreciate comments like: “What are the three things to always try”, or “Do this first” or “In my experience”.