How to fix "Error 526 - Invalid SSL certificate" forever?

Hi everyone,

Every 3 months, I’m having an “Error 526 - Invalid SSL certificate”.

I know how to fix it for a one-time occurence, but what I want to know is: how can I have it NOT happen anymore?

I am managing websites for several clients and like to use Cloudflare for their website, for security and performance reasons. However, every time this issue appears and their website remains down, they’re losing potential revenue and traffic until I can intervene. Plus, the more websites I manage, the more time I have to spend fixing this every time.

I noticed that it happens to all the websites at once for a specific hosting company. For example, right now my personal websites and clients websites hosted on OVH all just got affected again at the same time.

So I assume it’s due the renewal of the SSL certificate (which matches with the 3-months period between each occurence). I imagine it renews for every OVH’s (or other hosting company’s) website at the same time.

So, do you have any idea how to fix this forever, so it doesn’t happen in the first place?

I already asked OVH which won’t help and told me I need to ask Cloudflare about this issue.

For the longest time, it only happened with OVH, which made sense asking them, but recently it also started happening with another hosting provider. So I know there must be something that can be done so it stops happening.

Thank you in advance for your help and suggestions!

Maybe not forever, but you can issue an origin certificate for up to fifteen years:

1 Like

If you can install your own certificate on your web hosting and you will be using Cloudflare to proxy access to your sites, the Cloudflare Origin CA certificates that @sdayman shared are a convenient and reliable mechanism to install once and remain coverd for a very long time.

The standard lifespan on certificates issued by automated CAs, such as, but not limited to, Let’s Encrypt is 90 days. The most likely root cause behind your expiring certificates is that your certificates are being created automatically before you have the Cloudflare proxy activated and when they need to be renewed, typically starting at 60 days, your Cloudflare configuration hasn’t been adjusted to accommodate the renewal mechanism, which in turn causes the certificates to fail after they reach their expiration.

You can search :search: here for topics where I have shared configurations to support Let’s Encrypt HTTP-01 renewal. However, the Cloudflare Origin CA method is highly effective and protects you from the possibility of unexpected renewal complications.

1 Like


Thank you both very much for your helpful responses and insights @sdayman &!

I’ve tried implementing both solutions on two different websites to see over time which one is more convenient for me, as they both have pros and cons, based on what I’ve read.
Apparently with the Origin CA certificates, the certificates are only valid for traffic proxied through Cloudflare. So it can be problematic in case I ever need to bypass Cloudflare on day. in this thread (Certificate for Site - #16 by user4358) which I found based on your message, it is mentioned that the option you recommend leads to an infinite HTTP → HTTPS → HTTP redirect loop unless “Always Use HTTPS” is turned off (which I obviously don’t want).

In response, you mentioned the following:
“Good point. I handle all of my HTTP → HTTPS redirection at the origin and have an exception for the .well-known/acme-challenge/ path in my origin configs, too. If that won’t work for you, you may wind up needing to take the Cloudflare origin certificate route.”

How could I put that in place too in order to avoid the infinite redirect loop?

Thank you again.

1 Like

My exact method may not be ideal for everyone. It assumes that you you use Apache2 and have control over the configuration. I use the following in an include file:

<IfModule mod_rewrite.c>
  RewriteEngine On
  # Exclude Let's Encrypt ACME from HTTPS redirect
  RewriteCond %{HTTPS} !=on
  RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge
  RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

You can accomplish similar results using Cloudflare. You just need to exempt the .well-known/acme-challenge/ in a rule that triggers before your redirect rule. I don’t have any examples since I don’t use that method.

You can also use DNS-01 validation with a Cloudflare plugin. That takes the .well-known/acme-challenge/ path out of the equation altogether. The specifics on such an approach are better explored in depth at the Let’s Encrypt Community.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.