Error 526 TLS Full (strict) even with Origin CA certificate

I’ve already read the community tip and other issues like this and this.

I have a simple setup, with NGINX serving the certificate generated in the “Origin Server” tab, that expires in 2036, but I still have some error 526 reports:

Also I checked that it is serving the correct certificate with the command:

echo | openssl s_client -connect ORIGIN_SERVER_IP:443 -servername SITE_DOMAIN_NAME -tls1_2 2> /dev/null | sed -n '/Certificate chain/,/---/p'

And I get:

Certificate chain
 0 s:O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
   i:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
---

Just to be sure, since I could not find this information, does CloudFlare also check the certificate returned WITHOUT a servername?
Because if that were the case, my NGINX config does have a self-signed certificate for the “default server”, but the server block for the domain name shown in Error Analytics serves the CloudFlare Origin CA certificate.

1 Like

NGINX default config file, to show where the self-signed certificate is being served:

# redirect HTTP requests by default
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    return 301 https://$host$request_uri;
}

# close HTTPS connections for unknown server names
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    # use a self-signed certificate, since it is mandatory for 'listen...ssl':
    ssl_certificate ssl/pub.pem;
    ssl_certificate_key ssl/priv.pem;

    # all server blocks must have the same session tickets configuration:
    # https://community.letsencrypt.org/t/errors-from-browsers-with-ssl-session-tickets-off-nginx/18124/4
    ssl_session_tickets off;

    return 444;
}

# setup the HTTPS configuration for a server name
server {
    server_name SITE_DOMAIN_NAME;
    root SITE_ROOT_PATH;

    # public and private certificate location
    ssl_certificate ssl/cloudflare/SITE_ORIGIN_CERT; # CloudFlare Origin Certificate
    ssl_certificate_key ssl/cloudflare/SITE_ORIGIN_KEY; # CloudFlare Origin Certificate

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate ssl/cloudflare/SITE_ORIGIN_CERT; # CloudFlare Origin Certificate

    # include the common HTTPS Laravel configuration
    include default.d/laravel.conf;
}

Just found out the problem.
The server_name on NGINX was missing the www subdomain, which in DNS has a CNAME record to the same server.
So in this case the self-signed certificate was served, and thus the 526 error only in some cases.

2 Likes
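The check in the first post only asked the origin for SITE_DOMAIN_NAME, so it could not reveal that the www hostname fell through to the default server and its self-signed certificate. The script below is an added example (not from this thread or from Cloudflare): it repeats the same openssl/sed probe for every hostname that is proxied through Cloudflare plus the no-SNI case, and classifies each answer by the issuer of the leaf certificate. ORIGIN_IP and the hostnames are placeholders passed as arguments; it assumes an OpenSSL that supports `-noservername` (1.1.1 or later). The edge sends the visitor's hostname in SNI, so every proxied name (apex and www here) should come back as "origin-ca" before Full (strict) is switched on.

```sh
#!/bin/sh
# Added example, not the thread's own code. Classifies what an origin serves
# for each SNI name. Placeholders: ORIGIN_IP, example.com, www.example.com.

# classify_chain: read an `openssl s_client` transcript on stdin and print
#   origin-ca   - leaf issued by the Cloudflare Origin SSL Certificate Authority
#   other-cert  - some other leaf (e.g. the default server's self-signed cert)
#   no-cert     - no certificate chain in the transcript (handshake failed)
classify_chain() {
    # keep only the "Certificate chain ... ---" section, as in the original check
    chain=$(sed -n '/^Certificate chain/,/^---/p')
    if [ -z "$chain" ]; then
        echo "no-cert"
        return 0
    fi
    # the first " i:" line belongs to the depth-0 (leaf) certificate
    leaf_issuer=$(printf '%s\n' "$chain" | sed -n '/^ *i:/{p;q;}')
    case "$leaf_issuer" in
        *"CloudFlare Origin SSL Certificate Authority"*) echo "origin-ca" ;;
        *) echo "other-cert" ;;
    esac
    return 0
}

# probe ORIGIN_IP SNI_NAME: run s_client with the given SNI name,
# or with no SNI at all when SNI_NAME is empty (the "default server" case).
probe() {
    ip=$1
    sni=$2
    if [ -n "$sni" ]; then
        echo | openssl s_client -connect "$ip:443" -servername "$sni" 2>/dev/null | classify_chain
    else
        echo | openssl s_client -connect "$ip:443" -noservername 2>/dev/null | classify_chain
    fi
}

# Usage: sh check_origin.sh ORIGIN_IP example.com www.example.com
# The probes only run when arguments are given, so the functions above
# can also be sourced and used on their own.
if [ "$#" -ge 2 ]; then
    origin_ip=$1
    shift
    printf '%-28s %s\n' "(no SNI)" "$(probe "$origin_ip" "")"
    for name in "$@"; do
        printf '%-28s %s\n' "$name" "$(probe "$origin_ip" "$name")"
    done
fi
```

A line reading `www.example.com  other-cert` next to `example.com  origin-ca` is exactly the situation resolved above: the name is proxied, but no server block claims it, so NGINX answers from the default_server. `(no SNI)  other-cert` on its own is harmless, because the edge always sends a server name.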

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.