I woke up to 526 errors on Full (strict) using a Cloudflare CA signed cert

I have been using Cloudflare origin CA signed certs for 2 years, but this morning around 7:30am (Singapore Time) all the sites that use Full (strict) SSL have been down with 526 errors.

Please advise, this is concerning as your side may be experiencing MITM attacks.

More likely the cert on your internal machine has simply expired, so it fails the full strict requirements.

It's a 15-year cert expiring in 2035.

Perhaps the target IP address has changed.

IP address is the same and static. I have checked the cert is installed correctly by changing my hosts file and targeting my static IP directly.

Cloudflare to origin uses the public internet unless you have a peering connection or are using Cloudflare tunnels.

The most likely MiTM is something on your network/network edge, but if it were, say, your ISP or a state actor, Cloudflare can't impact what happens downstream on the public internet.

More debugging than that would require a support ticket; community users don't have access to tools to test from Cloudflare's metals.

I can't seem to open a support ticket at all; it seems like they purposely make it difficult. I thought that Cloudflare staff would look into the community forum.

I understand how Cloudflare works and my setup has been fine for 2 years. As I still have my workarounds and I am a free user, I am writing this post to notify Cloudflare of the issue. Very likely their fix for zero trust networking has caused some feature to regress. I don't mind being quiet and leaving things as they are.

It mostly is MVPs.

If you check the forum, you’ll notice that we have literally dozens of threads every single day here because people are unable to configure their servers - and unwilling or unable to search :wink:

I am not saying this necessarily applies in your case, and your posting does sound as if you knew what you were doing; I would rather point out why any threads with a 526 issue will not be taken too seriously until the issue has been really confirmed.

On top of that Cloudflare’s validation has been working flawlessly for years, so it’s somewhat unlikely they suddenly changed that.

What you are essentially saying is that as of February 7th, 11:30pm GMT Cloudflare's validation is not able to validate (at least) Origin certificates any more. Is that right?

Can you provide the domain and (if possible) the server IP address? My best guess is something in your configuration changed and that certificate was exchanged with an invalid one or maybe your certificate chain is not correct any more, but of course that all requires the domain.

Thanks for the reply. On further investigation, it seems like directly connecting to my VPS with origin certificates is working fine. The problem comes when Cloudflare is accessing files hosted on Hostinger, set up with origin certs. Most likely something changed in Hostinger's managed servers instead of Cloudflare. Using Full (non-strict) seems to work.

Thanks for all the replies and suggestions.

Because Cloudflare won’t validate the certificate in this case and, assuming your certificate is not valid any more, that of course will skip the check. But, as you pointed out, that is a highly insecure configuration and essentially removes encryption.
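Added example, not written by anyone in this thread: a small POSIX sh script that replays the Full (strict) check Cloudflare performs, a TLS handshake to the origin IP with SNI set to the site name and verification against the Origin CA root bundle, and maps openssl's verify result to the usual reasons for a 526. Assumed: openssl 1.1 or newer on the path, a PEM file of the Cloudflare Origin CA roots saved from Cloudflare's docs, and placeholder hostname and IP values in the usage comment.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce Cloudflare's Full (strict)
# origin validation from your own machine. Assumptions: openssl is installed,
# $3 is a PEM bundle of the Cloudflare Origin CA roots you trust, and $2 is
# the IP address Cloudflare proxies to (the one in your DNS record).

# Map openssl s_client's "Verify return code: N (...)" line to the likely
# cause of a 526. N values are OpenSSL's X509_V_ERR_* codes.
diagnose_verify_line() {
  code=$(printf '%s\n' "$1" | sed -n 's/^Verify return code: \([0-9]*\).*/\1/p')
  case "$code" in
    0)     echo "ok: chain and hostname validate, 526 is not a cert problem" ;;
    10)    echo "expired: origin cert notAfter is in the past" ;;
    18|19) echo "self-signed: origin serves a cert not issued by the CA bundle" ;;
    20|21) echo "chain: issuer not in bundle or intermediate missing on origin" ;;
    62)    echo "hostname: cert SANs do not cover the requested name" ;;
    "")    echo "unknown: no verify line in input" ;;
    *)     echo "other: openssl verify error $code" ;;
  esac
}

# Handshake against the origin IP with SNI and hostname check set to the
# site name, which is the pair Cloudflare uses, then diagnose the result.
# usage: check_origin www.example.com 203.0.113.10 origin_ca_roots.pem
check_origin() {
  host=$1; ip=$2; cafile=$3
  out=$(printf '' | openssl s_client -connect "$ip:443" -servername "$host" \
        -verify_hostname "$host" -CAfile "$cafile" 2>/dev/null)
  line=$(printf '%s\n' "$out" | grep '^Verify return code:')
  diagnose_verify_line "$line"
}
```

Full (non-strict) would skip every branch except the handshake itself, which is why switching to it hides the failure rather than fixing it.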
