Error 526 Invalid SSL certificate but SSL is valid origin certificate

Hello, I added an SSL certificate (Cloudflare Origin) to my domain and set Full (Strict) mode, but it keeps saying that the SSL is invalid.
Here’s my nginx config:

server {
    listen              443 ssl http2;
    listen              [::]:443 ssl http2;

    # SSL
    ssl_certificate     /var/www/i0x/data/www/;
    ssl_certificate_key /var/www/i0x/data/www/;

    # security
    include             /var/www/i0x/data/www/;

    # reverse proxy
    location / {
        include         /var/www/i0x/data/www/;
    }

    # additional config
}

Did you make sure the certificates were issued for the correct hostnames?

Yes, do I need to add also Cloudflare root certificate to make cert chain?

In that case I’d pause Cloudflare (Overview screen, bottom right) and double check the certificate.

Ok, but cURL is saying that the certificate is self-signed, when I’ve literally just copied it from the Origin Server tab.

* Added to DNS cache
* Hostname was found in DNS cache
*   Trying xxx:443...
* TCP_NODELAY set
* Connected to (xxx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [830 bytes data]
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
} [2 bytes data]
* SSL certificate problem: self signed certificate
* Closing connection 0

Maybe the configuration isn’t getting loaded, because I get redirected to index.html automatically.

Then you will have the wrong certificate configured.

Keep Cloudflare paused for now, fix the server issue, and once you get the Origin certificate, it will work on Cloudflare as well.

You are proxying some app over 3000 to 443, right?
Does it support the SNI (despite Nginx)?

I wonder what else is stated in security.conf, proxy.conf and general.conf?

ca-certificates.crt → try to run apt-get update ca-certificates just in case

/etc/ssl/certs → download and add here the Cloudflare Origin Root CA Certificate (keep in mind which version you used when creating the Origin CA Certificate, ECC or RSA? It has to be the same):

I get SEC_ERROR_UNKNOWN_ISSUER error in my Web browser for parking hostname → which indicates all as @sandro already mentioned.

After I accept, I do see the Cloudflare Origin CA certificate → RSA. Download the “root” RSA (.pem file) from the above link and upload it to your /etc/ssl/certs, restart Nginx, select Full (Strict) SSL under the SSL/TLS tab of the Cloudflare dashboard and make sure your hostnames (DNS records) are proxied and set to :orange:, if so.

After I accept even this, I get 403 forbidden coming from the server (due to some Nginx configuration of the location block):
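The replies above boil down to four checks on the origin side: the private key belongs to the certificate, the certificate was issued for the hostname, it chains to the Cloudflare Origin CA root (which is not in the system trust store, hence curl's "unknown CA" / "self signed certificate"), and the root you install matches the key type (RSA or ECC). The POSIX shell script below, an added example that is not from this thread, from Cloudflare or from nginx, runs those checks with openssl. The hostname origin.example, the file paths and the throwaway CA built in `demo_origin_check` are constructed for the example; against a real server you would pass the nginx `ssl_certificate`, `ssl_certificate_key` and the downloaded Origin CA root PEM.

```shell
#!/bin/sh
# Added example (not from the thread). Checks an origin certificate the way the
# replies suggest: key matches cert, hostname is covered, chain verifies against
# the Origin CA root, and which key algorithm (RSA vs ECC) is in use.
# All paths and hostnames used here are placeholders constructed for the example.

check_origin_cert() {
    cert=$1 key=$2 ca=$3 host=$4

    # 1. The private key must belong to the certificate: compare the public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match certificate"; return 1
    fi

    # 2. The hostname must be covered by the certificate (SAN, falling back to CN).
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null | grep -q 'does match'; then
        echo "FAIL: $host is not covered by the certificate"; return 2
    fi

    # 3. The certificate must chain to the CA the client trusts (the Origin CA root).
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: certificate does not verify against $ca"; return 3
    fi

    # 4. Report the key algorithm so the matching root (RSA or ECC) gets installed.
    alg=$(openssl x509 -in "$cert" -noout -text 2>/dev/null |
          sed -n 's/.*Public Key Algorithm: //p' | head -n 1)
    echo "OK: $host, key algorithm $alg"
    return 0
}

# Self-contained demonstration: builds a throwaway CA and leaf certificate with
# openssl (constructed data, not a Cloudflare-issued certificate), then runs the
# check for the issued hostname and for a wrong one. Returns 0 when both behave
# as expected; skips (also 0) when openssl is not installed.
demo_origin_check() {
    command -v openssl >/dev/null 2>&1 || { echo "skip: openssl not installed"; return 0; }
    d=$(mktemp -d) || return 1
    host=origin.example

    # Throwaway root CA, explicitly marked CA:TRUE so verify accepts it as an anchor.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Origin CA" \
        -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca_ext.cnf"
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 1 \
        -extfile "$d/ca_ext.cnf" -out "$d/ca.pem" 2>/dev/null

    # Leaf certificate for the origin hostname, issued by that CA with a SAN.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" > "$d/leaf_ext.cnf"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -set_serial 1 -days 1 -extfile "$d/leaf_ext.cnf" -out "$d/leaf.pem" 2>/dev/null

    ok=1
    check_origin_cert "$d/leaf.pem" "$d/leaf.key" "$d/ca.pem" "$host" || ok=0

    # A hostname the certificate was not issued for must be rejected with code 2.
    rc=0
    check_origin_cert "$d/leaf.pem" "$d/leaf.key" "$d/ca.pem" "other.example" >/dev/null || rc=$?
    [ "$rc" -eq 2 ] || ok=0

    rm -rf "$d"
    [ "$ok" -eq 1 ]
}
```

Run `demo_origin_check` to see the expected OK/FAIL lines, or call `check_origin_cert` with the real files. To look at what the listener actually serves once Cloudflare is paused, `openssl s_client -connect <origin>:443 -servername <host> -CAfile <origin-root.pem>` shows the certificate nginx picked for that SNI name and whether it verifies against the root you installed, which is the same chain test Full (Strict) performs.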

security.conf, proxy.conf and general.conf are files generated by DigitalOcean nginx configuration generator

I think that config isn’t getting loaded because it keeps redirecting me to index.html

I am afraid that’s rather a topic for StackExchange or Reddit at this point, because it’s a server configuration issue and not Cloudflare related.

The redirect shouldn’t have anything to do with the SSL setup, however.


Now Firefox says that SSL is from Cloudflare.


And here we go :slight_smile:

Thank you all for help!
Again, when I enabled Cloudflare again, and started my next.js application, it again shows

But I know that this isn’t Cloudflare problem, so thank you all anyways.

The previous certificate is back.

I really have no clue how to fix it; when I enabled Cloudflare back and started the next.js app, the error showed up again

Also there’s no parking certificate in the panel

Something will have reset the configuration. I would give the mentioned forums a try.

