Error 526 after Origin CA certificates installation with Full (strict) mode

I’ve installed a Cloudflare Origin CA certificate on my origin host (Hostgator via cPanel) to be able to switch to Full (strict) encryption mode, but I get this error when I open my website:

Error 526 Ray ID: 5d0410d90e5de92c • 2020-09-09 21:40:07 UTC

Invalid SSL certificate

Snapshot:

I want to know what to do if the certificate is not validated

Can you run this command, replacing the IP address with the IP address of your origin, and check if the result is the Origin certificate, or something else:

echo | openssl s_client -connect ORIGIN-IP-ADDRESS-HERE:443 -servername dynebow.com -tls1_2 2> /dev/null | sed -n '/Certificate chain/,/---/p'

Using an old origin IP for your domain from SecurityTrails, I get the following output:
Certificate chain

 0 s:/CN=*.hostgator.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services

Thank you @michael !

I tried the command line above with two IP addresses (Server IP and Shared IP Address) and nothing changed.

When I use the command line below, I get a fail message with “Host is Down”

$ curl -svo /dev/null --resolve dynebow.com:443:MY-SERVER-IP https://dynebow.com/

* Added dynebow.com:443:MY-SERVER-IP to DNS cache
* Hostname dynebow.com was found in DNS cache
*   Trying MY_SERVER_IP...
* TCP_NODELAY set
* Immediate connect fail for MY_SERVER_IP: Host is down
* Closing connection 0

I got the same thing with my Shared IP address.

I would not expect anything to change. I’m interested in what certificate is presented by your server, which that command should give. (If you get no result, remove the element after /dev/null, you will get more output but it will contain the certificate details, which is the important bit.)

With SSL Full, you can use any certificate you like, even an expired self-signed certificate for the wrong hostname. For Full (Strict) the certificate must match the hostname, must be in date, and must be issued by a trusted CA (or be a valid Cloudflare Origin certificate that matches the hostname).

The only IP address that is relevant is the one you have configured for that hostname in Cloudflare.

You might need to open your host's firewall if you have blocked access except from Cloudflare's IP addresses.

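To make the checks in the reply above concrete, here is an added example (my own code, not from this thread or from Cloudflare): a small parser for the "Certificate chain" block that the `openssl s_client ... | sed` command prints, which then reports which Full (strict) requirement can be judged from that block. The two sample chains are constructed from the outputs quoted in this thread. The hostname and the optional `sans` list (the Subject Alternative Names you would read from `openssl x509 -noout -text`) are inputs you supply; note that the DN-only output of `s_client` cannot show SANs, which is exactly why an Origin CA certificate (CN "CloudFlare Origin Certificate") looks inconclusive from that output alone.

```python
"""Classify the 'Certificate chain' block printed by openssl s_client.

Added example for this thread, not the forum's or Cloudflare's own tooling.
It parses the subject (s:) and issuer (i:) lines that
`openssl s_client -connect IP:443 -servername HOST | sed -n '/Certificate chain/,/---/p'`
prints, and reports what can be concluded about the Full (strict) requirements.
"""
import re

# Constructed sample: the hosting provider's default certificate (first reply in the thread)
CHAIN_HOSTING_DEFAULT = """\
Certificate chain
 0 s:/CN=*.hostgator.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
---
"""

# Constructed sample: a Cloudflare Origin CA certificate (output obtained via the host's support)
CHAIN_ORIGIN_CA = """\
Certificate chain
0 s:/O=CloudFlare, Inc./OU=CloudFlare Origin CA/CN=CloudFlare Origin Certificate
i:/C=US/O=CloudFlare, Inc./OU=CloudFlare Origin SSL Certificate Authority/L=San Francisco/ST=California
---
"""

_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER = re.compile(r"^\s*i:(.*)$")


def parse_dn(dn):
    """'/C=US/O=CloudFlare, Inc./CN=x' -> {'C': 'US', 'O': 'CloudFlare, Inc.', 'CN': 'x'}."""
    out = {}
    for part in dn.strip().split("/"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def parse_chain(text):
    """Return [{'depth': n, 'subject': {...}, 'issuer': {...}}, ...], leaf first."""
    chain, current = [], None
    for line in text.splitlines():
        m = _SUBJECT.match(line)
        if m:
            current = {"depth": int(m.group(1)), "subject": parse_dn(m.group(2)), "issuer": {}}
            chain.append(current)
            continue
        m = _ISSUER.match(line)
        if m and current is not None:
            current["issuer"] = parse_dn(m.group(1))
    return chain


def name_matches(pattern, hostname):
    """Hostname matching as browsers do it: '*' may replace only the whole leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def is_origin_ca_issued(cert):
    """True when the issuer DN is Cloudflare's Origin CA (O contains CloudFlare, OU contains Origin)."""
    issuer = cert["issuer"]
    return "cloudflare" in issuer.get("O", "").lower() and "origin" in issuer.get("OU", "").lower()


def diagnose(chain_text, hostname, sans=()):
    """Judge the hostname requirement of Full (strict) from an s_client chain block.

    `sans` is the optional list of Subject Alternative Names read separately with
    `openssl x509 -noout -text`; the s_client summary only shows the subject DN.
    """
    chain = parse_chain(chain_text)
    if not chain:
        return {"verdict": "no-certificate",
                "reason": "no chain printed: TLS to port 443 failed (firewall or wrong IP?)"}
    leaf = chain[0]
    leaf_cn = leaf["subject"].get("CN", "")
    origin_ca = is_origin_ca_issued(leaf)
    covered = any(name_matches(n, hostname) for n in [leaf_cn, *sans] if n)
    if covered:
        verdict, reason = "ok-for-strict", (
            "name matches; remaining checks are validity dates and "
            + ("nothing else: Cloudflare trusts its own Origin CA" if origin_ca else "a publicly trusted issuer"))
    elif origin_ca and not sans:
        verdict, reason = "check-sans", "Origin CA certs carry the hostname in SAN, not CN; inspect with openssl x509 -noout -text"
    else:
        verdict, reason = "hostname-mismatch", f"leaf CN {leaf_cn!r} does not cover {hostname!r}: expect 526 in Full (strict)"
    return {"leaf_cn": leaf_cn, "origin_ca": origin_ca, "hostname_covered": covered,
            "verdict": verdict, "reason": reason}


if __name__ == "__main__":
    for label, chain in (("hosting default", CHAIN_HOSTING_DEFAULT), ("origin ca", CHAIN_ORIGIN_CA)):
        print(label, diagnose(chain, "dynebow.com"))
    print("origin ca + sans", diagnose(CHAIN_ORIGIN_CA, "dynebow.com", sans=["dynebow.com", "*.dynebow.com"]))
```

Run against a live origin by piping the real `s_client` output into `diagnose()`; a "hostname-mismatch" on the provider's wildcard certificate means the request never reached the vhost that holds the Origin CA certificate, while "check-sans" means the Origin CA certificate is being served and the next thing to confirm is that its SAN list and validity period cover the hostname.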

Thank you for your detailed reply, @michael !

From my terminal on macOS High Sierra, I didn’t get any output even after removing the element after /dev/null.

But I asked a support agent from Hostgator to do it for me, and they got the output below:

-jailshell-4.1$ echo | openssl s_client -connect ORIGIN_IP_ADDRESS:443 -servername dynebow.com -tls1_2 2> /dev/null | sed -n '/Certificate chain/,/---/p'
Certificate chain
 0 s:/O=CloudFlare, Inc./OU=CloudFlare Origin CA/CN=CloudFlare Origin Certificate
   i:/C=US/O=CloudFlare, Inc./OU=CloudFlare Origin SSL Certificate Authority/L=San Francisco/ST=California
 1 s:/C=US/O=CloudFlare, Inc./OU=CloudFlare Origin SSL Certificate Authority/L=San Francisco/ST=California
   i:/C=US/O=CloudFlare, Inc./OU=CloudFlare Origin SSL Certificate Authority/L=San Francisco/ST=California

Please @michael, could you look at my previous reply?

For those interested: I tried with a Let’s Encrypt SSL certificate and Full (Strict) mode worked. The problem is that when I log in through the WordPress admin, the 526 error reappears, so for that I created a Page Rule where I set SSL to Full mode.

But I still don’t know why Full (Strict) mode didn’t work with the CloudFlare Origin CA Certificate.
