Error 526 when seemingly valid certificate

Answer these questions to help the Community help you with Security questions.

What is the domain name?
audio.love

Describe the issue you are having:
I’m running in Kubernetes with cert-manager and an automated origin CA.
When trying to connect to the website I get error 526. An online SSL checker shows no problem, and in Kubernetes it says that the certificate is not expired and is up to date.

What error message or number are you receiving?
526

Please attach a screenshot of the error:

What happens if you disable Cloudflare for the domain, make the DNS record :grey: and wait for DNS cache to expire? Does it show a valid SSL certificate?

It still returns 526. When I change to Flexible there is error 522. I can connect normally by IP address and port 443.

Check your origin SSL configuration; getting odd errors when connecting directly to it:

curl -Ivv https://20.191.53.246 -H "Host: audio.love"
*   Trying 20.191.53.246:443...
* Connected to 20.191.53.246 (20.191.53.246) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* (5454) (IN), , Unknown (72):
* error:0A00010B:SSL routines::wrong version number
* Closing connection 0
curl: (35) error:0A00010B:SSL routines::wrong version number

I have no idea what to do about this. When using the openssl command I get this:

openssl s_client -connect audio.love:443 -tls1_2
CONNECTED(000001AC)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1P5
verify return:1
depth=0 CN = audio.love
verify return:1

Certificate chain
0 s:CN = audio.love
i:C = US, O = Google Trust Services LLC, CN = GTS CA 1P5
1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1P5
i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA

Server certificate
-----BEGIN CERTIFICATE-----
XXXX
-----END CERTIFICATE-----
subject=CN = audio.love

issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1P5


No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 4850 bytes and written 298 bytes
Verification error: unable to get local issuer certificate

New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-CHACHA20-POLY1305
Session-ID: BF252FCAB9C796AD670ED4CEBF62F38F13C6F79FE8BACB2A20195DE283510D9B
Session-ID-ctx:
Master-Key: 6FDAE0F1C2E00475A653B54C792A5A393BB9DA31CF9B653A862AC38F7B297748B4A45FEAE16150671C558FFCC6A18BAC
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 64800 (seconds)
TLS session ticket:
0000 - 51 2d 23 c5 95 11 ed 7e-38 d8 48 dd 2e ae 93 43 Q-#…~8.H…C
0010 - c6 e3 94 1a 79 38 9e 31-d9 54 aa 2c d4 02 33 d6 …y8.1.T.,…3.
0020 - 87 33 3d 2a 42 0e 12 a4-44 1b c8 2e 09 b0 a9 80 .3=*B…D…
0030 - f9 d1 a2 7c 3a c0 1b 1c-61 ff a1 8b 44 fa 05 23 …|:…a…D…#
0040 - c2 da ae dd 33 4f 24 55-89 dd a6 04 d2 55 1c 26 …3O$U…U.&
0050 - ea 4c 01 4d af 14 4a 02-58 be 4e 02 63 d3 a0 e9 .L.M…J.X.N.c…
0060 - c1 4b 55 1a 2d 64 37 32-28 23 0c 5b 67 7a 8d bc .KU.-d72(#.[gz…
0070 - c4 7a 8f c1 90 13 af d5-8f fe 24 78 f5 61 89 81 .z…$x.a…
0080 - b4 cc 99 5f 2c c1 9a c1-3e 17 06 d5 b9 54 d3 b0 …_,…>…T…
0090 - e8 80 9f 25 e6 ee a3 7b-88 dc e3 ff 0b 11 5c 8b …%…{….
00a0 - b6 a4 40 84 fd b6 9d 9d-81 bd 6c 66 f7 69 35 b5 …@…lf.i5.
00b0 - 9a f7 79 99 7a 77 86 fe-db a1 f4 cc 4c 6b fd 99 …y.zw…Lk…

Start Time: 1700866222
Timeout   : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: yes
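The two probes above are doing different things: the curl run goes straight to the origin IP and dies at the record layer with "wrong version number" (the bytes curl logged as (5454) and Unknown (72) are the ASCII "TTH" of a plaintext HTTP reply), while the openssl run connects to whatever audio.love resolves to and gets a complete chain. The following script is an added example, not code from this thread or from Cloudflare; it reproduces that distinction with the standard-library ssl module. probe_origin connects to a given IP and port with a chosen SNI, verifies the chain and hostname the way Full (strict) would, and classifies the outcome as tls_ok, cert_invalid, not_tls (the origin answered the ClientHello with non-TLS bytes, i.e. a plaintext listener on 443) or unreachable (the 522-style case). The function and label names are assumptions of this example, and the local listener it starts is a constructed stand-in for a misconfigured origin so the script runs offline.

```python
import socket
import ssl
import threading
import time


def classify_ssl_error(exc):
    """Map an ssl.SSLError to a short status label (labels are assumed by this example)."""
    reason = getattr(exc, "reason", "") or ""
    text = str(exc)
    if "WRONG_VERSION_NUMBER" in reason or "wrong version number" in text:
        # OpenSSL read something that is not a TLS record where the ServerHello
        # should be: typically a plaintext HTTP response, so the port is not TLS.
        return "not_tls"
    if isinstance(exc, ssl.SSLCertVerificationError):
        # Handshake reached the certificate, but chain or hostname did not verify.
        return "cert_invalid"
    return "tls_error"


def probe_origin(host, port=443, sni=None, timeout=5.0):
    """Connect directly to an origin (host may be an IP) using `sni` for SNI and
    hostname verification, and report what the listener actually serves."""
    sni = sni or host
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                cert = tls.getpeercert()  # populated only after successful verification
                version = tls.version()
    except ssl.SSLError as exc:  # must precede OSError: SSLError is a subclass of it
        return {"status": classify_ssl_error(exc), "detail": str(exc)}
    except OSError as exc:  # refused, timed out, unroutable
        return {"status": "unreachable", "detail": str(exc)}

    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (not_after - time.time()) / 86400
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "status": "tls_ok",
        "protocol": version,
        "subject": dict(item[0] for item in cert["subject"]),
        "issuer": dict(item[0] for item in cert["issuer"]),
        "sans": sans,
        "days_until_expiry": round(days_left, 1),
    }


def start_plaintext_http_listener():
    """Constructed stand-in for a misconfigured origin: accepts one connection on
    127.0.0.1 and answers whatever arrives (including a TLS ClientHello) with a
    plaintext HTTP response. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(10)
    port = srv.getsockname()[1]

    def serve():
        try:
            conn, _ = srv.accept()
        except OSError:
            return
        with conn:
            conn.recv(4096)  # the client's ClientHello, ignored
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def find_closed_port():
    """Pick a local port with nothing listening, to demonstrate the unreachable case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port = start_plaintext_http_listener()
    print("plaintext listener:", probe_origin("127.0.0.1", port, sni="audio.love"))
    print("nothing listening:", probe_origin("127.0.0.1", find_closed_port(), sni="audio.love"))
```

To check a real origin the way the curl command above did, call probe_origin with the origin IP and the site name as sni; a not_tls result means the 443 listener is serving plain HTTP (the ingress is terminating TLS elsewhere or not at all), cert_invalid means the served chain or name does not pass strict verification, and tls_ok with a short days_until_expiry points at renewal rather than configuration.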

Sure that’s the correct address?

You are connecting to the proxies and they do have a valid SSL setup.

Best to follow @Cyb3r-Jak3’s advice and either unproxy or pause Cloudflare altogether.

That’s never a good idea. Always use Full Strict.

At the time I tested, www.audio.love was unproxied and gave that IP.

Fair enough then of course :slight_smile:

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.