I have a simple setup, with NGINX serving the certificate generated in the “Origin Server” tab, that expires in 2036, but I still have some error 526 reports.
Also I checked that it is serving the correct certificate with the command:
echo | openssl s_client -connect ORIGIN_SERVER_IP:443 -servername SITE_DOMAIN_NAME -tls1_2 2> /dev/null | sed -n '/Certificate chain/,/---/p'
And I get:
Certificate chain
 0 s:O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
   i:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
---
Just to be sure, since I could not find this information, does CloudFlare also check the certificate returned WITHOUT a servername?
Because if that would be the case, my NGINX config does have a self-signed certificate for the “default server”, but the server block for the domain name shown in Error Analytics serves the CloudFlare Origin CA certificate.
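
To see what the origin returns in each case, the check from the post can be run twice, once with `-servername` and once with `-noservername` (OpenSSL 1.1.1 or later), and the leaf subject and issuer compared. This is an added example, not part of the original post: the function names and sample captures are constructed, and treating "subject equals issuer" as self-signed is a heuristic.

```shell
#!/bin/sh
# Added example. ORIGIN_SERVER_IP / SITE_DOMAIN_NAME are the post's placeholders.

# Capture the handshake output; an empty $2 suppresses the SNI extension.
probe() {
    if [ -n "$2" ]; then
        echo | openssl s_client -connect "$1:443" -servername "$2" 2>/dev/null
    else
        echo | openssl s_client -connect "$1:443" -noservername 2>/dev/null
    fi
}

# Print the leaf (chain entry 0) subject ($1 = s) or issuer ($1 = i)
# from s_client output on stdin.
leaf_field() {
    sed -n '/^Certificate chain/,/^---/p' |
        awk -v f="$1" '
            /^ *0 s:/ { leaf = 1 }
            /^ *1 s:/ { leaf = 0 }
            leaf && $0 ~ "^ *(0 )?" f ":" { sub("^ *(0 )?" f ":", ""); print; exit }'
}

# Compare two captured outputs: $1 taken with SNI, $2 without.
sni_verdict() {
    ws=$(printf '%s\n' "$1" | leaf_field s); wi=$(printf '%s\n' "$1" | leaf_field i)
    ns=$(printf '%s\n' "$2" | leaf_field s); ni=$(printf '%s\n' "$2" | leaf_field i)
    if [ -z "$ws" ] || [ -z "$ns" ]; then echo "no-certificate"
    elif [ "$ws" = "$ns" ] && [ "$wi" = "$ni" ]; then echo "same"
    elif [ "$ns" = "$ni" ]; then echo "different: no-SNI leaf is self-signed"
    else echo "different"
    fi
}

# Constructed sample captures (the first reuses the chain shown in the post).
WITH_SNI='Certificate chain
 0 s:O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
   i:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
---'
NO_SNI='Certificate chain
 0 s:CN = default.invalid
   i:CN = default.invalid
---'

# Live use: sh script.sh ORIGIN_SERVER_IP SITE_DOMAIN_NAME
if [ "$#" -eq 2 ]; then
    sni_verdict "$(probe "$1" "$2")" "$(probe "$1" "")"
else
    sni_verdict "$WITH_SNI" "$NO_SNI"
fi
```

A "different" verdict only shows that the NGINX default server answers requests that carry no SNI with another certificate; it does not by itself say which of the two handshakes produced a given 526.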