Error 526 SSL Invalid changing the encryption mode from Flexible to Full (Strict)

Hello,

We get errors when changing the encryption mode from Flexible to Full (Strict). I have tested generating the Cloudflare Origin Certificate and installing it on the domain configured in cPanel, and we get error 526 SSL Invalid.

Before you switched from the “Flexible SSL” to the “Full SSL (Strict)” option in the Cloudflare dashboard, did you have an SSL certificate at your end (origin/host) for your domain?

O-oh, sorry, you say you generated Cloudflare CA origin and installed it at the cPanel of your hosting provider.

Keep in mind that cPanel also has an AutoSSL option with which you can generate a valid certificate for your (sub)domain(s) as well.

Does the result or anything else change if you select “Full SSL” instead of “Full SSL (Strict)”?

Moreover, are all the needed records :orange:? They should be :orange: (proxied by Cloudflare) for the Cloudflare Origin CA certificate to work.

Also, when generating the certificate, did you enter the hostname as well as the other required fields?

What is your domain name?

Kindly check more information here:

Yes, when changing to Full SSL or Full (Strict) I get an error 526 Invalid SSL.

Another thing: I configured AutoSSL, but there is no way to upload that certificate to Cloudflare as the origin server certificate, or is it possible?

Well, there are a few workarounds.

If you want to generate an SSL certificate in cPanel using AutoSSL, all the records should be :grey: in the Cloudflare dashboard beforehand so that the generation succeeds.
Upon successful generation, you should then turn all of them back to :orange: and enable the “Full SSL” option in the Cloudflare SSL dashboard.

  • Keep in mind that this SSL certificate could expire in about 3 months or so, and you would need to do the same process again (unless you use a TXT record for the AutoSSL verification, which lets cPanel re-generate/renew the existing certificate).

Moreover, if you want to use a Cloudflare Origin CA certificate, you can, as you hopefully already did, generate it through the Cloudflare dashboard and then upload/install it on your host/origin (in cPanel).
Then make all the needed records :orange: in the Cloudflare DNS dashboard and, again, enable the “Full SSL” option in the Cloudflare SSL dashboard.

There is also another way, using a dedicated SSL certificate:

In a case where you would want to upload your SSL certificate to the Cloudflare dashboard, you will need to upgrade your Plan to Business so that you can upload a Custom Certificate.

In short, Cloudflare error 526 occurs when Cloudflare is unable to validate the origin server’s SSL/TLS certificate. Check the following:

  1. The certificate is not expired.
  2. The certificate is not revoked.
  3. The certificate is signed by a Certificate Authority such as GlobalSign, Verisign, GeoTrust, Comodo, etc., and is not a self-signed SSL certificate.
  4. The requested domain name and hostname are in the certificate’s Common Name or Subject Alternative Name.
  5. The origin web server accepts connections over SSL port 443.
  6. Temporarily pause Cloudflare and cross-check the certificate with an SSL verification site such as https://www.sslshopper.com to verify that no issues exist with the origin SSL certificate.

It is important to have the requested domain name and hostname in the certificate’s Common Name or Subject Alternative Name.

The 526 error should disappear after a valid certificate is installed on the origin server and the server accepts secure (HTTPS) connections.

If you set Cloudflare to Full SSL (Strict) mode then Cloudflare will not allow unsecured data exchanges between their servers and your origin server. This will result in a 526 error unless your origin server is accepting secure connections with a valid SSL/TLS certificate issued by a recognized certificate authority.

So you need to make sure your origin server is configured to accept secure (HTTPS) connections and that it has a valid SSL/TLS certificate installed.

If you have an SSL/TLS certificate installed on your origin server but the certificate can’t be validated (e.g. because it is self-signed), you can downgrade to Full SSL (non-strict) mode and the 526 error should disappear.

The alternative is to downgrade Cloudflare to Flexible mode, but this is not advisable as it will result in unsecured data exchanges between Cloudflare and your origin server which puts your users’ data at risk.

As cPanel serves both HTTP and HTTPS, maybe it could also be related to your settings in .htaccess and, if so, to redirection rules?

  • Because of “Strict”, Cloudflare would only request connections to 443 (HTTPS), but maybe because cPanel has “its own way” it redirects to HTTP … I am not sure if that is also some kind of possible issue.

Are you sure you have correctly imported/uploaded and installed the generated Cloudflare Origin CA certificate in your cPanel?

If you have command line access somewhere, give this command a try to see which certificate your domain is serving (the --connect-to option sends the request straight to the origin IP, bypassing the Cloudflare proxy, and the egrep filter hides curl’s HTTP noise; the asterisk is escaped so egrep treats it literally):
curl -svo /dev/null https://www.example.com --connect-to ::123.123.123.123 2>&1 | egrep -v "^{.*$|^}.*$|^\* http.*$"

But replace the hostname, then all the 123s with your server’s IP address.

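The checklist in the post above (expired, self-signed, hostname not in CN/SAN, port 443 open) and the curl --connect-to check can be combined into one script. This is an added example, not code from the thread or from Cloudflare: probe_origin() connects to the origin IP directly with SNI set to the hostname and verifies the certificate the way Full (Strict) does, and strict_mode_problems() classifies a certificate in the dict layout that Python's ssl module returns from getpeercert(). The SAMPLE_CERT below is constructed and the hostname, IP and "Sectigo" issuer name are placeholders.

```python
import socket
import ssl
import time

# Constructed sample in the dict layout ssl.SSLSocket.getpeercert() returns:
# issuer == subject (self-signed) and long expired, so Full (Strict) rejects it.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notAfter": "Jan  1 00:00:00 2020 GMT",
}


def hostname_covered(cert, hostname):
    """True if hostname is among the SAN DNS names or, lacking SANs, the CN.
    Simplified: exact match only, no wildcard handling."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return hostname in sans
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return hostname in cns


def strict_mode_problems(cert, hostname, now=None):
    """Return which checklist items (expiry, self-signed, name match) the cert fails.
    Revocation is not checked here; that needs CRL/OCSP access."""
    now = time.time() if now is None else now
    problems = []
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:  # parses the GMT string
        problems.append("expired")
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed")
    if not hostname_covered(cert, hostname):
        problems.append("hostname not in CN/SAN")
    return problems


def probe_origin(hostname, origin_ip, port=443, timeout=5):
    """Python equivalent of the curl --connect-to check: TLS to the origin IP with
    SNI=hostname, chain and hostname verified against the system CA store.
    Note: a Cloudflare Origin CA certificate is trusted by Cloudflare but not by
    the system store, so it will (correctly) be reported as untrusted here."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return True, tls.getpeercert()  # dict usable with strict_mode_problems
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message  # e.g. "certificate has expired"
    except (OSError, ssl.SSLError) as exc:
        return False, str(exc)  # port 443 closed, timeout, handshake failure
```

Run probe_origin("www.example.com", "123.123.123.123") with your own hostname and origin IP; a (True, cert) result means Full (Strict) should not return 526 for that endpoint, while the failure string names the checklist item to fix.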

Yes, I have generated the certificate in Cloudflare and then uploaded it to the host via cPanel, and it throws error 526 SSL Invalid.

I already validated and my domain is using the valid SSL certificate by Sectigo.

Then it doesn’t seem like Cloudflare is connecting to the same endpoint of your test. If you :grey: that DNS entry, then wait five minutes, does the site work over HTTPS?