Error 526: Invalid SSL certificate using Cloudflare CA SSL

Hello there,

I am trying to setup Cloudflare’s CA SSL certificate for my 2 origin servers, but something is not working correctly.

My website is working and the certificate is valid, but it is giving me the error 526 on my subdomain.


the regular www is working with the CA certificate but the webmail part keeps rejecting with Invalid SSL.
How am i possible going to make this work correctly?

Your webmail DNS entry is set to :grey: (DNS Only). It needs to be :orange: Proxied by Cloudflare for that certificate to work.


It still does not work, proxy’ed or not, i tried to disable the proxy to see if it where working without it, but it didnt. Now where it is enabled again it continues to lead to an “Invalid SSL Certificate”, how can i fix this?

I should have looked at the cert before you proxied it. Did you create the Origin Cert with the webmail hostname as well as the others?

Yes, i did that and installed it on both webserver and email server… I for real wonder why it’s not working. — My Origin cert overview

Can you unproxy that Webmail one again? I want to see which cert it’s using.

I just updated it as a non-proxy’ed

It’s not using the CF Origin Cert.

Hmm, how could i fix that? This is my NGINX config, and its added there

Hi there,

If you’re trying to set up the Origin CA certificate, you’d need to set the ssl_certificate and ssl_certificate_key to the ones provided by Cloudflare’s Origin CA, instead of the ssl_client_certificate / ssl_verify_client, as far as I know.

Let me know if this works,


Hey Tom,

The ssl_client_certificate is for the cloudflare auth pull thing, i where following the guide from Cloudflare who stated that i needed this in order to get it to work,

SSL_certificate = My origin certificate
SSL_certificate_key = Origin Privat Key
ssl_client_certificate = Cloudflare Authenticated Origin Pull Certificate

How do you suggest me to change this?

I just tested it out on my own server and your settings would work as expected.

Could you double check for me, that:

  • ssl_certificate and ssl_certificate_key are valid for the domain you’re trying to access to (e.g. This can either be from Cloudflare Origin CA or one of the commonly trusted CAs
  • ssl_client_certificate is the origin pull CA
  • Authenticated Origin Pulls are enabled in your zone’s dashboard (SSL/TLS -> Origin Server -> Authenticated Origin Pulls)
  • You set your SSL to Full SSL or stricter.

I do really wonder why my part are not working then…
This is my Origin Certificate, both privat & cert are from cloudflare and set on the files in my config (image above)
I changed the ssl_client_certificate to the one you just sent, but no changes on the site…

Could you please open a support ticket with the information provided then? We’ll look into it.

1 Like

It might be nice to first verify that the Origin Cert is present for ‘webmail’. Last I checked, it was not. Un-proxying until the Cloudflare origin cert shows up might be the best approach.


Hmm, how do i actually verify it? Im completly green for this nginx & ssl thing.

One moment, im trying to find the correct part to select :smiley:

Alright. :slight_smile:

Also, make sure to remove your image if you don’t want your IPs to be public.

1 Like

Sent the ticket, ticket number is 2001255. Thanks for taking time to help me!


:white_check_mark: SOLUTION :white_check_mark:

iRedMail & the componens for Postfix etc had a custom SSL certificate which was causing the issue. After reinstalling my server to a fresh install, i found the missing ssl config and made the changes. I where not aware that it had it’s own SSL folders atall. My mailserver (subdomain) are now running Full (Strict) supported through Cloudflare CA!