Error 525, 526 for CNAME using full (strict) mode

My maindomain.com works fine on full (strict). For some odd reason, this morning the service which is on service.maindomain.com stopped working.

service.maindomain.com is a CNAME set to another website.

If I leave my settings to full and not strict the error message goes away.

Please help me understand what’s going on in the background, why is this error showing up for me, and what steps can I take to diagnose the issue.

Thank you

Full (Strict) requires a valid certificate - either a publicly trusted certificate (i.e. Let’s Encrypt) or a Cloudflare origin certificate.

Full will accept any self-signed certificate.

https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/

And should never be selected.

I’m continuing to have this issue but now I’m on full, not strict.

mydomain.com has a Cloudflare origin cert installed.
mydomain.com redirects → to subdomain.mydomain.com which is set as a CNAME to otherdomain.com which does have a valid SSL cert but is not under my control.
Accessing mydomain.com/page loads fine, but accessing the homepage, which redirects to the CNAME, is where I’m having issues.

Can full strict be used with CNAMEs set?

Somewhere between the redirect and CNAME to subdomain.mydomain.com I’m getting error 525, on full, not strict, and 526 on full (strict).

I’ve run curl -svo /dev/null https://www.example.com --connect-to ::203.0.113.34 2>&1 | egrep -v "^{.*$|^}.*$|^* http.*$" on both my domain and my server IP as well as the CNAME domain and their server IP.

Both commands returned with SSL certificate verify ok.

At this point I believe the CNAME or redirect are at fault here.

I’ve removed the proxy to the CNAME and reverted to full Strict.
I doubt this is ideal, but it’s the only thing that’s resolved the 525/526.
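
An added example, not from the thread or from Cloudflare: a Python check of a certificate (in the dict shape returned by ssl.SSLSocket.getpeercert()) against two conditions assumed from the linked SSL modes documentation for Full (Strict), namely an unexpired certificate and a SAN matching the requested or target hostname. Issuer trust is not checked here, the certificate data is constructed, and the function names are hypothetical; the hostnames are the placeholders used earlier in the thread.

```python
import ssl
from datetime import datetime, timezone

def name_matches(pattern, hostname):
    """Compare one SAN dNSName with a hostname; '*' counts only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]  # refuse overly broad names such as '*.com'
    return p == h

def _utc(cert_time):
    # getpeercert() dates look like 'Jan  1 00:00:00 2024 GMT'
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def strict_findings(cert, requested, target, now):
    """List the reasons `cert` fails the validity-window and hostname conditions."""
    findings = []
    if not (_utc(cert["notBefore"]) < now < _utc(cert["notAfter"])):
        findings.append("outside validity window")
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(s, n) for s in sans for n in (requested, target)):
        findings.append("no SAN matches the requested or target hostname")
    return findings

# Constructed sample: a certificate that only covers the CNAME target's own names.
THIRD_PARTY_CERT = {
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "otherdomain.com"), ("DNS", "*.otherdomain.com")),
}
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for a repeatable result

if __name__ == "__main__":
    # Certificate judged against the CNAME target's name as well as the proxied name.
    print(strict_findings(THIRD_PARTY_CERT, "subdomain.mydomain.com", "otherdomain.com", NOW))
    # Certificate judged against the proxied name only.
    print(strict_findings(THIRD_PARTY_CERT, "subdomain.mydomain.com", "subdomain.mydomain.com", NOW))
```

The two calls show why a certificate that verifies fine for the CNAME domain can still fail once it is compared with the proxied hostname alone.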
