Error 526 when SSL/TLS encryption mode is Full (strict)

Yesterday (2020-08-24) I’ve figured out that my website (insoftex . com) does not work. A browser shows a typical error 526: Invalid SSL certificate. (NB: all URLs here and below I type with spaces as Cloudflare forum does not allow me as a new user to add more than 2 links)

I haven’t touched Cloudflare settings for several months.
Earlier I had configured an A record for (mail . insoftex . com) to bypass the Cloudflare proxy. So, I can access SMTP and POP3 servers on Bluehost (my hosting provider) directly.

Bluehost support confirmed that there were no changes on their side.

I’ve searched on Cloudflare community forum and found posts about similar issues. Also, I’ve read this post: https://community . cloudflare . com/t/community-tip-fixing-error-526-invalid-ssl-certificates/44273

I’ve changed SSL/TLS encryption on Cloudflare from “Full (strict)” to “Full” and the website started working (although, some images are not loaded in Safari whereas no issues in Chrome and Firefox).

Then I’ve checked my original SSL certificate:
curl -svo /dev/null --resolve $DOMAIN:443:$IPADDRESS https://$DOMAIN/

And I’ve figured out a message:

  • Server certificate:
  • subject: CN=mail . insoftex . com
  • start date: Aug 23 20:07:06 2020 GMT
  • expire date: Nov 21 20:07:06 2020 GMT
  • subjectAltName does not match insoftex . com
  • SSL: no alternative certificate subject name matches target host name ‘insoftex . com’

It seems that my original IP address is associated with the subdomain mail . insoftex . com but not with the root domain insoftex . com.

Please advise how to properly configure Cloudflare settings for my domain and fix the issue.

Me too I have an error 526 but for a different cause, and I am still waiting for help from the community.
I think I understood your problem:

You may have a certificate that only encrypts your e-mails (mail.insoftex.com). If you switch to Full (strict) mode, Cloudflare must find your domain name (insoftex.com) in your certificate.
You can check this in your Cpanel by clicking on SSL/TLS icon and Manage SSL Sites.
You can verify in the Domains section if your domain is listed (see the screenshot below):

If your domain is not listed: Click on the link below to see --in part 2-- how to configure an Origin CA certificate.

Something was wrong on Bluehost side - for some reason they automatically created a new SSL certificate for a subdomain. And Cloudflare did not accept it for the root domain - insoftex.com.

As a workaround, I switched back to my old SSL certificate in cPanel (which was still valid for the next two days).

When I explained to Bluehost support everything in detail (it took me hours), they generated a new SSL certificate for the root domain. It fixed the issue.

Hi @mfliorko,

That's great to hear that the issue is now resolved for you!

Error 526 occurs when these two conditions are true:

  1. Cloudflare cannot validate the SSL certificate at your origin web server, and
  2. Full SSL (Strict) SSL is set in the Overview tab of your Cloudflare SSL/TLS app.

There is a helpful guide here:

Glad the issue is resolved for you!
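The curl --resolve check in the opening post and the two conditions listed above (Cloudflare must be able to validate the origin certificate, and the mode must be Full (strict)) can be reproduced with a small script. The following is an added example, not code from the thread or from Cloudflare: it applies the subjectAltName matching rules a validator uses (exact match or a single leftmost-label wildcard; the CN alone is ignored) to a constructed certificate dict in the shape Python's ssl.getpeercert() returns, mirroring the curl output above, and it includes a live probe that connects to an origin IP directly with the proxied hostname as SNI. The hostnames come from the thread; the sample certificate, the function names and the command-line usage are assumptions made for this example.

```python
"""Would an origin certificate satisfy Cloudflare Full (strict)?

Two things are checked: the chain must verify against a trust store, and the
proxied hostname must be covered by a subjectAltName DNS entry.
"""
from __future__ import annotations

import socket
import ssl


def _label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style name matching: case-insensitive exact match, or a single
    leftmost-label wildcard. '*.example.com' matches 'www.example.com' but
    neither the apex 'example.com' nor 'a.b.example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    host_labels = hostname.split(".")
    # The wildcard stands for exactly one label, so label counts must agree.
    return (len(host_labels) == pattern.count(".") + 1
            and ".".join(host_labels[1:]) == pattern[2:])


def cert_covers_hostname(cert: dict, hostname: str) -> tuple[bool, str]:
    """cert is the dict shape returned by ssl.SSLSocket.getpeercert().
    Only subjectAltName DNS entries count; a commonName alone is not enough
    for modern validators."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not sans:
        return False, "certificate has no subjectAltName DNS entries"
    for san in sans:
        if _label_matches(san, hostname):
            return True, f"matched SAN {san}"
    return False, f"subjectAltName does not match {hostname} (SANs: {', '.join(sans)})"


def probe_origin(hostname: str, origin_ip: str, port: int = 443,
                 timeout: float = 5.0) -> tuple[bool, str]:
    """Connect to the origin IP directly, bypassing the proxy (like
    curl --resolve), send the proxied hostname as SNI, verify the chain
    against the system trust store, then apply the SAN check above."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # the SAN mismatch is reported below
    ctx.verify_mode = ssl.CERT_REQUIRED   # untrusted or expired chains also fail strict mode
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return cert_covers_hostname(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as exc:
        return False, f"chain not trusted: {exc.verify_message}"
    except (OSError, ssl.SSLError) as exc:
        return False, f"connection failed: {exc}"


# Constructed sample in getpeercert() shape, mirroring the curl output in the
# thread: a certificate issued only for the mail subdomain.
MAIL_ONLY_CERT = {
    "subject": ((("commonName", "mail.insoftex.com"),),),
    "notBefore": "Aug 23 20:07:06 2020 GMT",
    "notAfter": "Nov 21 20:07:06 2020 GMT",
    "subjectAltName": (("DNS", "mail.insoftex.com"),),
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Usage (hypothetical): python check_origin.py example.com 203.0.113.10
        ok, why = probe_origin(sys.argv[1], sys.argv[2])
    else:
        ok, why = cert_covers_hostname(MAIL_ONLY_CERT, "insoftex.com")
    print("OK:" if ok else "would give error 526:", why)
```

Run without arguments it reports the same mismatch curl showed (the root domain is absent from the SAN list, so strict mode fails); with a hostname and origin IP it performs the live check. Note that a wildcard certificate for *.insoftex.com would cover mail.insoftex.com but still not the apex, which is why the fix was a certificate issued for the root domain itself.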
