Error 526 Origin SSL Invalid Certificate but the certificate is valid

Since last Friday 2023-08-11, a website of mine broke down with a “526 Origin SSL Invalid Certificate” error. The Cloudflare domain points to an AWS CloudFront website. I’ve read the documentation of Cloudflare about 526 errors, and I ran the Self-Help Wizard Tool for 526 errors. The AWS certificate is valid and is not revoked. It was created 2023-06-11 and is valid through 2024-07-10. To get the website working again I’ve changed the SSL encryption mode from “Full (Strict)” to “Full” for now; at least that works.

The AWS CloudFront website is https://main.dpqyjtx0c7el2.amplifyapp.com/

I really have no clue why Cloudflare is suddenly giving a 526 error in strict mode. Any ideas?

What’s the hostname on Cloudflare that you receive the HTTP 526 from? Most likely cause is one of:

  • Certificate presented by the origin is not valid for that hostname
  • The certificate chain is not correctly presented
  • The certificate is expired

To validate this, try the following:

curl https://sub.example.com --connect-to ::main.dpqyjtx0c7el2.amplifyapp.com -vo /dev/null

Replace sub.example.com with your hostname on Cloudflare. The --connect-to ::main.dpqyjtx0c7el2.amplifyapp.com part of the cURL command is going to send that TLS connection and HTTP request directly to your origin, and cURL will error if the cert is invalid.

You can also check with openssl via:

openssl s_client -connect main.dpqyjtx0c7el2.amplifyapp.com:443 -servername sub.example.com
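An added check in the spirit of the curl/openssl test above (example code of my own, not from the thread or from Cloudflare): it connects to the origin but presents the Cloudflare hostname as SNI, then parses the chain's validity lines to flag certificates that are expired or about to expire, which is the kind of monitor that would have caught this leaf before it lapsed. It assumes the OpenSSL 3 `s_client` output format (the `v:NotBefore ...; NotAfter ...` lines per chain entry) and uses a constructed sample taken from that output so the parsing part runs offline.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone
# Subject and validity lines as OpenSSL 3 s_client prints them under "Certificate chain".
SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.+?)\s*$", re.M)
VALIDITY_RE = re.compile(r"^\s*v:NotBefore:\s*(.+?);\s*NotAfter:\s*(.+?)\s*$", re.M)
DATE_FMT = "%b %d %H:%M:%S %Y GMT"
# Constructed sample: the first two chain entries from the thread's openssl output.
SAMPLE_OUTPUT = """\
Certificate chain
 0 s:CN = *.jsoneditoronline.org
   i:C = US, O = Amazon, CN = Amazon RSA 2048 M02
   v:NotBefore: Feb 20 00:00:00 2023 GMT; NotAfter: Aug 10 23:59:59 2023 GMT
 1 s:C = US, O = Amazon, CN = Amazon RSA 2048 M02
   i:C = US, O = Amazon, CN = Amazon Root CA 1
   v:NotBefore: Aug 23 22:25:30 2022 GMT; NotAfter: Aug 23 22:25:30 2030 GMT
"""

def _parse_date(text: str) -> datetime:
    # Collapse the double space in dates like "Sep  2 00:00:00 2009 GMT".
    return datetime.strptime(" ".join(text.split()), DATE_FMT).replace(tzinfo=timezone.utc)

def parse_chain(output: str) -> list[dict]:
    """Pair each ' N s:' subject line with its ' v:' validity line."""
    pairs = zip(SUBJECT_RE.findall(output), VALIDITY_RE.findall(output))
    return [{"depth": int(d), "subject": s, "not_before": _parse_date(nb),
             "not_after": _parse_date(na)} for (d, s), (nb, na) in pairs]

def expiry_report(output: str, today: str, warn_days: int = 14) -> list[str]:
    """One finding per chain cert that is expired or expires within warn_days of today."""
    now = datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    findings = []
    for cert in parse_chain(output):
        left = cert["not_after"] - now
        if left < timedelta(0):
            findings.append(f"expired: {cert['subject']} (not after {cert['not_after']:%Y-%m-%d})")
        elif left < timedelta(days=warn_days):
            findings.append(f"expiring in {left.days}d: {cert['subject']}")
    return findings

def fetch_chain(origin: str, sni: str, port: int = 443) -> str:
    """Connect to the origin directly but present the Cloudflare hostname as SNI."""
    cmd = ["openssl", "s_client", "-connect", f"{origin}:{port}", "-servername", sni]
    return subprocess.run(cmd, input="", capture_output=True, text=True, timeout=20).stdout

if __name__ == "__main__":
    out = fetch_chain("main.dpqyjtx0c7el2.amplifyapp.com", "jsoneditoronline.org")
    print("\n".join(expiry_report(out, f"{datetime.now(timezone.utc):%Y-%m-%d}")) or "chain OK")
```

Run it from cron against each origin behind a Full (Strict) zone; a non-empty report is the early warning for exactly the 526 this thread describes.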

Thanks for your reply, Simon, this helps a lot!

The validation with curl indeed fails; it says “certificate has expired”. Do you know how I can see this certificate itself? So far I inspected the certificates via the browser and those are not expired, so it looks like I am looking at the wrong certificate.

Your “The certificate chain is not correctly presented” triggered me, maybe I’m indeed looking at the wrong certificate. My chain is: Cloudflare > AWS CloudFront > AWS Amplify, and there is routing involved in the AWS CloudFront part that I’m not familiar with. FYI: the chain is jsoneditoronline.org > dq2cjwceiq08l.cloudfront.net > main.dpqyjtx0c7el2.amplifyapp.com. Now, this setup has worked for about a year, and I didn’t do any config changes for a long time. So, an expired certificate causing the sudden 526 last Friday makes more sense to me.

OpenSSL can explain a bit more:

➜  ~ openssl s_client -connect main.dpqyjtx0c7el2.amplifyapp.com:443 -servername jsoneditoronline.org
CONNECTED(00000006)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M02
verify return:1
depth=0 CN = *.jsoneditoronline.org
verify error:num=10:certificate has expired
notAfter=Aug 10 23:59:59 2023 GMT
verify return:1
depth=0 CN = *.jsoneditoronline.org
notAfter=Aug 10 23:59:59 2023 GMT
verify return:1
---
Certificate chain
 0 s:CN = *.jsoneditoronline.org
   i:C = US, O = Amazon, CN = Amazon RSA 2048 M02
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 00:00:00 2023 GMT; NotAfter: Aug 10 23:59:59 2023 GMT
 1 s:C = US, O = Amazon, CN = Amazon RSA 2048 M02
   i:C = US, O = Amazon, CN = Amazon Root CA 1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 23 22:25:30 2022 GMT; NotAfter: Aug 23 22:25:30 2030 GMT
 2 s:C = US, O = Amazon, CN = Amazon Root CA 1
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 25 12:00:00 2015 GMT; NotAfter: Dec 31 01:00:00 2037 GMT
 3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
   i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  2 00:00:00 2009 GMT; NotAfter: Jun 28 17:39:16 2034 GMT
---
Server certificate
subject=CN = *.jsoneditoronline.org
issuer=C = US, O = Amazon, CN = Amazon RSA 2048 M02
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5522 bytes and written 386 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 10 (certificate has expired)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: C2E4ED65B0B4516839D34B19F94AF136E0578B21E1A7B1312813669028DF25D4
    Session-ID-ctx:
    Resumption PSK: 9250F7C8F344DC1FD5A6539B2923ECCD4F2E4F7D6139411678E3BE1AB71BC3B5
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)

    Start Time: 1692348150
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed
➜  ~ openssl s_client -connect main.dpqyjtx0c7el2.amplifyapp.com:443 -servername jsoneditoronline.org | openssl x509 -noout -text
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M02
verify return:1
depth=0 CN = *.jsoneditoronline.org
verify error:num=10:certificate has expired
notAfter=Aug 10 23:59:59 2023 GMT
verify return:1
depth=0 CN = *.jsoneditoronline.org
notAfter=Aug 10 23:59:59 2023 GMT
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            05:59:40:8f:af:ec:c6:27:15:be:30:d8:63:1b:8a:7c
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Amazon, CN = Amazon RSA 2048 M02
        Validity
            Not Before: Feb 20 00:00:00 2023 GMT
            Not After : Aug 10 23:59:59 2023 GMT
        Subject: CN = *.jsoneditoronline.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                C0:31:52:CD:5A:50:C3:82:7C:74:71:CE:CB:E9:9C:F9:7A:EB:82:E2
            X509v3 Subject Key Identifier:
                87:AA:D0:42:01:77:E2:11:CC:30:12:C8:1F:EC:BD:1D:48:1E:86:AD
            X509v3 Subject Alternative Name:
                DNS:*.jsoneditoronline.org, DNS:jsoneditoronline.org
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.r2m02.amazontrust.com/r2m02.crl
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
            Authority Information Access:
                OCSP - URI:http://ocsp.r2m02.amazontrust.com
                CA Issuers - URI:http://crt.r2m02.amazontrust.com/r2m02.cer
            X509v3 Basic Constraints: critical
                CA:FALSE
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : E8:3E:D0:DA:3E:F5:06:35:32:E7:57:28:BC:89:6B:C9:
                                03:D3:CB:D1:11:6B:EC:EB:69:E1:77:7D:6D:06:BD:6E
                    Timestamp : Feb 20 19:14:22.268 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:E1:F2:D8:25:FE:F0:79:23:01:B3:C9:
                                4D:89:6E:07:47:F2:1C:3D:ED:4C:C4:E2:78:9D:32:36:
                                8F:15:07:8B:B9:02:21:00:DC:09:82:C2:1B:29:0C:40:
                                22:F8:8B:21:52:D5:2C:44:83:C4:61:D8:16:84:62:63:
                                B3:B4:C7:77:31:0E:F0:E1
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : B3:73:77:07:E1:84:50:F8:63:86:D6:05:A9:DC:11:09:
                                4A:79:2D:B1:67:0C:0B:87:DC:F0:03:0E:79:36:A5:9A
                    Timestamp : Feb 20 19:14:22.356 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:AF:7B:F0:13:DC:E3:DF:61:72:09:FB:
                                CF:43:66:2B:8B:2B:B2:B3:AB:BF:6F:6F:06:3F:17:FC:
                                E2:05:BC:4C:A1:02:20:4E:00:FC:3F:82:13:27:64:09:
                                00:9A:CC:90:5E:0A:15:FC:72:5D:45:C8:31:6F:AA:D7:
                                6B:D1:BA:CE:C6:6B:40
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : B7:3E:FB:24:DF:9C:4D:BA:75:F2:39:C5:BA:58:F4:6C:
                                5D:FC:42:CF:7A:9F:35:C4:9E:1D:09:81:25:ED:B4:99
                    Timestamp : Feb 20 19:14:22.276 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:3F:5B:1C:4B:95:99:C9:88:71:5C:19:5F:
                                13:A1:82:9B:97:04:05:B7:6A:42:43:7B:77:BD:CF:F4:
                                35:97:3B:76:02:20:4B:B1:A7:AC:72:68:29:10:79:03:
                                FD:69:56:22:BF:DB:A8:B0:6D:0F:76:BA:25:78:DE:5D:
                                CB:7D:DF:BF:C8:C8
    Signature Algorithm: sha256WithRSAEncryption

So the cert installed on dq2cjwceiq08l.cloudfront.net / main.dpqyjtx0c7el2.amplifyapp.com is valid for the domain but expired August 11th: notAfter=Aug 10 23:59:59 2023 GMT.

You’ll need to update that certificate. Note that if Amazon allows you to upload your own certificate and you have everything fully behind Cloudflare, you can get a free origin certificate from us:

But you can also check the documentation for CloudFront and see what options there are for their own certificates or a free certificate from Let's Encrypt, for example.

Any of these options would allow you to upgrade your SSL setting back to Full Strict and avoid the HTTP 526 error.
