Error 526 in my site. It was working fine until now

Error 526 on site www.kiotssomarket.com. It was working fine and I haven’t made any changes to my site recently.

Greetings,

Thank you for asking.

I am sorry to hear you are experiencing an issue with Error 526 for your domain name.

Before moving to Cloudflare, was your Website working over HTTPS connection?

May I ask what SSL option have you got selected under the SSL/TLS tab at Cloudflare dashboard for your domain ( Flexible, Full, Full Strict … )?

Seems to me like the SSL certificate expired at your origin host/server and you might need to renew it:

SEC_E_CERT_EXPIRED (0x80090328) - The received certificate has expired.

That’s what I got when I ran the command below in the terminal/console - just replace example.com with kiotssomarket.com and 123.123.123.123 with your origin host’s/server IP:

  • curl -svo /dev/null --resolve example.com:443:123.123.123.123 https://example.com/

You could determine this by:

  1. Use the “Pause Cloudflare on Site” option from the Overview tab for your domain at dash.cloudflare.com .
  2. The link is in the lower right corner of that page.
  3. Give it five minutes to take effect, then make sure the site is working as expected over HTTPS without any error
  4. Check with your hosting provider / cPanel AutoSSL and renew it
  5. Only then, when your website responds over HTTPS, you should un-pause Cloudflare and double-check your SSL/TLS setting to make sure it’s Full (Strict).

Regarding the Cloudflare 526 error, may I suggest you try looking into the articles below to troubleshoot the issue:

Furthermore, it seems to me that your e-mail is not working properly either:

;QUESTION
kiotssomarket.com. IN MX
;ANSWER
kiotssomarket.com. 300 IN MX 0 _dc-mx.a0aca4d67449.kiotssomarket.com.

Kindly, re-check the DNS tab and make sure the MX record for kiotssomarket.com has got the target and is pointed to a hostname which is set to :grey: (DNS-only).

The MX record should point to a hostname such as mail, and the A (or CNAME) type record for that hostname should be set to :grey: (DNS Only).

Currently it has got the target (mail.kiotssomarket.com) which is :orange:.

May I suggest checking the article below to verify that your e-mail records (usually the A mail and the MX record) are configured properly while you are using Cloudflare for your domain name:

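The origin check described above (connect straight to the origin IP with the real hostname as SNI, as `curl --resolve` does) written out as a small script. This is an added example, not code from the thread or from Cloudflare; the origin IP 203.0.113.10 and the 14-day warning threshold are placeholders/assumptions.

```python
"""Check the origin server's certificate directly, bypassing the Cloudflare proxy.

Added example, not from the thread. Like `curl --resolve host:443:ORIGIN_IP`, it
connects to the origin IP while sending the real hostname as SNI, and reports why
Cloudflare's Full (Strict) validation would fail (526), or how many days the
certificate has left so renewal can be scheduled. The origin IP is a placeholder.
"""
import socket
import ssl
import time

WARN_DAYS = 14  # assumption: warn when renewal is due within two weeks


def days_until_expiry(not_after, now=None):
    """Days left given the notAfter string from getpeercert(), e.g.
    'Jun  1 12:00:00 2024 GMT'. Negative means the cert has already expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400.0


def classify_verify_error(message):
    """Map an OpenSSL verification failure to the likely 526 root cause."""
    msg = message.lower()
    if "expired" in msg:
        return "expired"            # renew at the host (cPanel AutoSSL, etc.)
    if "self signed" in msg or "self-signed" in msg or "local issuer" in msg:
        return "untrusted"          # not issued by a public CA; Full (Strict) rejects it
    if "hostname mismatch" in msg or "doesn't match" in msg:
        return "hostname-mismatch"  # certificate issued for a different name
    return "other"


def check_origin(hostname, origin_ip, port=443, timeout=10):
    """Return (status, detail): 'ok', 'expiring-soon', 'unreachable' or a verify failure."""
    ctx = ssl.create_default_context()  # verifies chain and hostname, like Full (Strict)
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        return classify_verify_error(str(e)), str(e)
    except OSError as e:
        return "unreachable", str(e)
    days = days_until_expiry(cert["notAfter"])
    status = "expiring-soon" if days < WARN_DAYS else "ok"
    return status, "expires in %.1f days (%s)" % (days, cert["notAfter"])


if __name__ == "__main__":
    # 203.0.113.10 is a placeholder: replace it with the origin IP your host gave you.
    print(check_origin("kiotssomarket.com", "203.0.113.10"))
```

Run it from cron with the real origin IP and an "expiring-soon" status gives you warning before Cloudflare starts returning 526 again.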

Hello fritex. My original host is Bluehost, so I talked to them explaining what you told me (that the SSL certificate has expired, and indeed it has). They told me that in order to renew the certificate I needed to point the DNS back to them so that they could install SSL. In order to do so I need to add a missing record in Cloudflare’s DNS manager (the record is Type A, Name @, IP {redacted}), but when I try to add this record I get this error: Record already exists. (Code: 81057).

I’m posting an image of the error code and an image of all the Type A records that exist in my Cloudflare’s DNS manager so that there is no doubt about that.


Regarding the e-mail, I think it is working fine. I haven’t experienced any issue, or haven’t noticed one. However, in the last image I posted I made sure to include the DNS record for the e-mail so that you can see that it is set to DNS only, but I get a red warning on the left side that indicates the following: “This record exposes the IP behind mail.kiotssomarket.com which you have proxied through Cloudflare”.

Thank you for the feedback information.

Not needed.
Kindly, do as follows from below:

  1. Use the “Pause Cloudflare on Site” option from the Overview tab for your domain at dash.cloudflare.com .
  2. The link is in the lower right corner of that page.
  3. Give it five minutes to take effect
  4. Check with your hosting provider / cPanel AutoSSL and start the process to renew the SSL
  5. Then make sure the site is working as expected over HTTPS without any error
  6. Only then, when your website responds over HTTPS, you should un-pause Cloudflare and double-check your SSL/TLS setting to make sure it’s Full (Strict).

Please, consider switching A mail from current :orange: to :grey: (DNS-only).

No need to worry about it. You can freely ignore this as your web and email DNS records are pointing to the same IP address.

A good article about the “This record exposes the IP behind” warning can be read at the link below.

Usually, there is no need to worry too much. When using an e-mail service, the A mail record needs to be :grey: cloud to make it work properly, as Cloudflare does not proxy traffic for e-mail. It is well described in the articles below.

Kindly, consider reading the second article from below, under the section “Best practices for MX records on Cloudflare → Follow these guidelines to ensure successful delivery of your mail traffic:”.

Therefrom:

Cloudflare’s default configuration only allows proxying of HTTP traffic and will break mail traffic.

The DNS record(s) used for the e-mail service (usually the A mail record) should be :grey: cloud in the DNS tab of the Cloudflare dashboard for your domain, and the MX record should point to a hostname that is set to that unproxied, DNS-only record (usually the A mail); otherwise your e-mails will not work, as seems to be the case.

The A mail record should contain the value of an IP address of your hosting provider/email server.

  • the hostname (DNS record) used for e-mail send/receive should be :grey: cloud (usually it’s the A mail), while the MX record should point to a hostname (usually the A mail) that is set to :grey:
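A check for the MX guideline above (MX target must end at an unproxied record), written as an added example that is not code from the thread or from Cloudflare. It assumes the zone records are available in the shape the Cloudflare API lists them (name, type, content, proxied); the sample zone and its IP are constructed placeholders modelled on this thread.

```python
"""Flag e-mail DNS records that the Cloudflare proxy would break.

Added example, not from the thread. It takes zone records in the shape the
Cloudflare API lists them (name, type, content, proxied) and reports each MX
whose target ends, inside the zone, at a proxied (orange-cloud) record, since
Cloudflare proxies only HTTP(S) and mail sent to such a host fails.
"""

# Constructed sample zone modelled on the thread; the IP is a placeholder.
SAMPLE_ZONE = [
    {"name": "kiotssomarket.com", "type": "A", "content": "203.0.113.10", "proxied": True},
    {"name": "www.kiotssomarket.com", "type": "CNAME", "content": "kiotssomarket.com", "proxied": True},
    {"name": "mail.kiotssomarket.com", "type": "A", "content": "203.0.113.10", "proxied": True},
    {"name": "kiotssomarket.com", "type": "MX", "content": "mail.kiotssomarket.com", "proxied": False},
]


def _chain(records, name, depth=0):
    """In-zone records an MX target passes through, chasing CNAMEs (max 5 hops).
    An empty list means the target is outside this zone (external mail provider)."""
    for r in records:
        if r["name"] == name and r["type"] in ("A", "AAAA", "CNAME"):
            if r["type"] == "CNAME" and depth < 5:
                return [r] + _chain(records, r["content"], depth + 1)
            return [r]
    return []


def check_mail_records(records):
    """Return [(mx_target, proxied_hostname), ...]; an empty list means mail routing is fine."""
    problems = []
    for mx in (r for r in records if r["type"] == "MX"):
        for hop in _chain(records, mx["content"]):
            if hop["proxied"]:
                problems.append((mx["content"], hop["name"]))
                break
    return problems


def unproxy(records, name):
    """Copy of the zone with every record for `name` switched to DNS only (grey cloud)."""
    return [dict(r, proxied=False) if r["name"] == name else dict(r) for r in records]


if __name__ == "__main__":
    for mx_target, host in check_mail_records(SAMPLE_ZONE):
        print("MX -> %s: %s is proxied, set it to DNS only" % (mx_target, host))
    print("after fix:", check_mail_records(unproxy(SAMPLE_ZONE, "mail.kiotssomarket.com")))
```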

Thank you for your quick response into this matter.

I’ve been able to renew the SSL certificate by doing what you told me to do. I only have one last question about this. I’d like to know if there is a way to automatically renew this certificate instead of doing it manually every time it gets expired.

Regarding the email, I understood that I needed to change the Proxy status of the A mail record to DNS only, so I went ahead and did it. I post an image of that below:

Finally, I didn’t understand very well what I need to change in the MX record, so I went ahead and talked to the Bluehost mail support team and they told me to make the following changes:


(actually for the TTL they told me to set it to 14400 but I don’t see that option, so I thought about changing it to 1 day or leaving it as Auto as it is)
However, I haven’t updated that yet in order to wait for your response, so I still have the record this way:


Great! :+1:

That’s really a good question.
I hope that disabling the Always Use HTTPS option at Cloudflare would allow cPanel AutoSSL to connect over HTTP and renew it. That way we wouldn’t have to do it manually every few months or so.
Nevertheless, if so, we should also be able to configure an HTTP to HTTPS redirection at cPanel.

More about it here:

Otherwise, if we are using cPanel, which may have problems with AutoSSL running while using Cloudflare, we could install Cloudflare’s Origin CA certificate in cPanel.
But if we do that, then we lose the ability to send e-mails.

  • as far as any installed SSL certificate would cover all the cPanel sub-domains and the root domain “by most and default cPanel configuration”
  • Cloudflare Origin CA certificate cannot be used for e-mails, only for web traffic
  • therefore we cannot use both AutoSSL only for “mail” and Cloudflare origin for “www, non-www, some other”

I am afraid we might have to find a proper solution for it yet :thinking:
Kind of we are “stuck in between” until something might finally work out :frowning:

Great! :+1:

It’s good now, correct, yes.

I hope too that you find a proper solution for it soon, it would be great.

Regarding the MX record, I tried to change the Name to @ but it’s not updating.
This is what I’m trying to do:

And this is what I get:


:+1:

@ is a shortcut for the root (naked) domain name, in your case kiotssomarket.com.

You are good with the MX record :wink:

@ A free standing @ is used to denote the current origin.

Source RFC 1035, page 35:

Ok. So the issue with the SSL certificate has now been fixed and my e-mail DNS records are configured the proper way :slight_smile:

Thank you very much for your help fritex.

