Full (strict) SSL encryption mode gives error 526 with valid origin certificate

Answer these questions to help the Community help you with Security questions.

What is the domain name?

Have you searched for an answer?

Please share your search results url:
/search?q=526%20strict%20origin (and others)

When you tested your domain using the Cloudflare Diagnostic Center, what were the results?
w/ Cloudflare paused: all good
w/ Cloudflare active, SSL full: all good
w/ Cloudflare active, SSL strict: all good

Describe the issue you are having:
Starting this morning, Full (strict) SSL encryption has been resulting in error 526. Prior to this morning, it was working properly.

What error message or number are you receiving?

What steps have you taken to resolve the issue?

  1. Full (non-strict) works
  2. Tried issuing/installing new Cloudflare origin certificate to origin server, no change
  3. Tried issuing/installing Let’s Encrypt origin certificate to origin server, no change
  4. Paused Cloudflare, SSL is valid and works properly:
curl -svo /dev/null --resolve kylelucy.com:443: https://kylelucy.com
* Expire in 0 ms for 6 (transfer 0x564acc1f00f0)
* Added kylelucy.com:443: to DNS cache
* Hostname kylelucy.com was found in DNS cache
*   Trying
* Expire in 200 ms for 4 (transfer 0x564acc1f00f0)
* Connected to kylelucy.com ( port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [15 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [4164 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=www.kylelucy.com
*  start date: Sep 13 17:54:29 2022 GMT
*  expire date: Dec 12 17:54:28 2022 GMT
*  subjectAltName: host "kylelucy.com" matched cert's "kylelucy.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x564acc1f00f0)
} [5 bytes data]
> GET / HTTP/2
> Host: kylelucy.com
> User-Agent: curl/7.64.0
> Accept: */*
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
} [5 bytes data]
< HTTP/2 200
< content-type: text/html
< last-modified: Tue, 05 Jan 2021 15:32:50 GMT
< accept-ranges: bytes
< content-length: 2968
< date: Tue, 13 Sep 2022 21:03:04 GMT
< server: LiteSpeed
< x-xss-protection: 1; mode=block
< x-frame-options: DENY
< x-content-type-options: nosniff
< referrer-policy: strict-origin-when-cross-origin
< content-security-policy: default-src 'none';         form-action 'self';         frame-ancestors 'none';         font-src 'self';         img-src 'self' www.googletagmanager.com www.google-analytics.com www.gstatic.com;         script-src 'self' www.google-analytics.com www.google.com www.gstatic.com ajax.cloudflare.com www.googletagmanager.com connect.facebook.net 'sha256-bb5I1BZ+5S4L62uNYqsHDMwKJ0BZbXe8IF7hUD9X+Ag=';         style-src 'self';         connect-src 'self' www.google-analytics.com;         frame-src 'none';         base-uri 'none';              manifest-src 'self';         report-uri /csp-report.php
< strict-transport-security: max-age=31536000; preload
< edit: Set-Cookie (.*) "$1; HTTPOnly; Secure"
< alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
{ [2968 bytes data]
* Connection #0 to host kylelucy.com left intact

Was the site working with SSL prior to adding it to Cloudflare?
I’ve had this site on Cloudflare for years with this configuration, it worked prior to this morning. I haven’t changed or touched anything with the site prior to the errors this morning that persist to now.

What are the steps to reproduce the error:

  1. Valid SSL at origin server
  2. Full (strict) encryption mode
  3. Error 526

Have you tried from another browser and/or incognito mode?
Yes, errors are consistent

Please attach a screenshot of the error:

With SSL Checker and Cloudflare paused:

works fine for me, can you try incognito mode?

1 Like

It’s working fine right now because I left it in full mode so it works. I would like to re-enable strict when I find out what the problem is.

kmlucy, I’m having the exact same issue. What I don’t understand is if nothing has changed and the certificate is issued by Cloudflare are they saying they don’t trust themselves? Can’t wait for the response

I might be facing the same issue too, first began for myself on Sep 9, did not modify any origin certificates on the origin.

I have set mine back to Full, and enabled SSL/TLS Recommender.

Have not received the email for the recommender, strangely enough.

What a shock…I didn’t do anything and now it is fixed. Maybe Cloudflare could own up and say they stuffed up??? HAHAHA.What about you kmlucy and user18298?

It’s fixed now for me as well, also without doing anything. It does appear that Cloudflare broke and then fixed something.

Confirmed issue resolved on its own without my intervention on origin.

But SSL Recommender did not send an email recommending Full (Strict) yet, even after turning it off and on.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.