DNS mode only but getting 526: Invalid SSL certificate

We have an A record set up in one of our domains that is configured to just use DNS and not proxy because we have our own TLS setup, in-house CA, client certificate authorization etc etc, so we definitely only want DNS and not proxy mode. This all was working fine for maybe 2 years, and today all of a sudden we are seeing almost nothing but “526: Invalid SSL certificate” responses from our endpoint - the response body includes HTML markup that seems to be generated by CF and not us (we don’t return HTML, it’s a REST API).

I can’t find anything about this error that isn’t related to using proxy mode. Can anyone shed any light on what’s going on here? I feel that if this isn’t resolved soon we might have to ditch CF for this endpoint really rather quickly as it’s affecting our customers.


That is a Cloudflare proxy error. What is the hostname? Are you sure the orange-cloud proxy wasn’t turned on by accident?

Hi - thanks for responding. Absolutely positive that proxy mode is off. I’ve checked it time and again.

Maybe I should toggle it a couple of times, maybe it’s got into a funky state somehow?

Use DNS on the machine to lookup the value. What does it resolve to?

…and are you using Warp by chance when you get the error?

Not using Warp (don’t even know what that is). DNS hasn’t changed - I’ve confirmed it’s resolving to the correct IP address of our public load balancer. It’s been working fine for 2 years and it’s just begun to return these weird errors today. Not all the time, but very often. I just can’t understand why CF would be intercepting anything when on DNS only mode.

Perhaps DNS returns the wrong IP every so often. I’ll set up a script to resolve the host name on a loop and report any reply that isn’t the IP address of our LB.

We are experiencing the same issue. DNS only mode was working for years, but now the hostname resolves to Cloudflare IPs in most (but not all) instances.


@andy46: Did you resolve this somehow or find out anything?


Hi. Yes we did. So CF must have changed the way certain things work in certain scenarios because as I’ve said already, we had been running fine for about 2 years until this week. We had the following setup:

A. domain => PROXY
CNAME. host => domain DNSONLY

This worked fine until Monday. Requests would alternate between being direct or being proxied, roughly 1 in 5 would proxy until all did by Wednesday.

My colleague in the end just tried creating a new A record to point to the same IP and made this one DNSONLY and that finally fixed it. So it would seem the entire DNS route has to be DNSONLY for it to work. This didn’t used to be the case.

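The resolver loop described earlier in the thread, and the alternating direct/proxied answers reported in the post above, can be checked with the script below. It is an added example, not code from anyone in this thread: it resolves the hostname repeatedly and flags any answer that is not the load balancer’s address or that falls inside a known proxy range. The hostname, the LB address and the range list are constructed placeholders (TEST-NET addresses); the real proxy ranges come from Cloudflare’s published list.

```python
import ipaddress
import socket
import time
from collections import Counter

# Constructed values: TEST-NET addresses stand in for the real load balancer
# and for Cloudflare's proxy ranges. Fill PROXY_RANGES from the list Cloudflare
# publishes at https://www.cloudflare.com/ips-v4 before using this for real.
HOSTNAME = "api.example.com"          # assumed hostname
EXPECTED_IPS = ["203.0.113.10"]       # constructed: your LB's public address
PROXY_RANGES = ["198.51.100.0/24"]    # constructed stand-in for Cloudflare ranges


def classify(answers, expected=EXPECTED_IPS, proxy_ranges=PROXY_RANGES):
    """Bucket resolved addresses: expected origin, known proxy range, or unknown."""
    want = {ipaddress.ip_address(a) for a in expected}
    nets = [ipaddress.ip_network(n) for n in proxy_ranges]
    buckets = {"expected": [], "proxy": [], "unknown": []}
    for answer in answers:
        ip = ipaddress.ip_address(answer)
        if ip in want:
            buckets["expected"].append(answer)
        elif any(ip in net for net in nets):
            buckets["proxy"].append(answer)
        else:
            buckets["unknown"].append(answer)
    return buckets


def resolve(hostname):
    """A-record answers from the local resolver (follows any CNAME chain)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def watch(hostname, rounds=20, interval=5.0, resolver=resolve, **kw):
    """Resolve `rounds` times; return a Counter of answers that were not the LB."""
    unexpected = Counter()
    for i in range(rounds):
        buckets = classify(resolver(hostname), **kw)
        for ip in buckets["proxy"]:
            unexpected[ip] += 1
            print(f"[{i}] {hostname} -> {ip}: in proxy range, request will hit CF")
        for ip in buckets["unknown"]:
            unexpected[ip] += 1
            print(f"[{i}] {hostname} -> {ip}: not the LB address")
        time.sleep(interval)
    return unexpected


if __name__ == "__main__":
    print(watch(HOSTNAME))
```

Run it from a host outside your own network as well, since a recursive resolver’s cache can hide the alternation the thread describes.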

Great, thanks for the info! I’ll temporarily switch to an A record until this is resolved by Cloudflare.

Glad we weren’t the only ones bitten - was starting to think we were going insane. Every response from CF support was the same: fix your certificate, regardless of how many times we explained we wanted direct DNS only - no proxy. Anyway, we will be keeping the new DNS setup in case this is resolved and then breaks again.

Cloudflare has acknowledged the issue meanwhile and implemented a fix.
