Invalid SSL certificate Error code 526 - Full (Strict)

What is the name of the domain?

dinamikbisiklet

What is the error number?

Error code 526

What is the issue you’re encountering

Invalid SSL certificate

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full

What are the steps to reproduce the issue?

Hi everyone,

I’m experiencing an issue with Cloudflare across multiple sites on my account. All the websites on my server are using Cloudflare, and recently I’ve noticed that the SSL/TLS encryption mode for some of these sites is automatically switching to Full (Strict) without any manual changes on my part.

When this happens, the sites display an Invalid SSL Certificate error because my server certificates are not configured for Full (Strict) compatibility. I can manually switch the SSL mode back to Full, which resolves the issue temporarily, but the problem reoccurs for different sites almost daily.

Here’s a summary of the issue:
• All my sites are set up in Cloudflare.
• I did not change the SSL/TLS encryption mode myself.
• Some sites are automatically switching to Full (Strict).
• This results in Invalid SSL Certificate errors.

I’m curious to know:
1. Why is this happening? Is Cloudflare automatically enforcing Full (Strict) for some reason?
2. How can I prevent this from happening in the future?
3. Is there a way to check or manage the SSL mode for all my sites at once using Cloudflare?

Any insights or suggestions would be greatly appreciated. Thanks in advance!

May I ask what steps for troubleshooting have you tried already related to the 526 error you’re experiencing? :thinking:

It might be that the connection between Cloudflare and your server detected some issue, such as the SSL certificate at your origin host/server for your domain having expired, so Cloudflare tries to establish a connection over HTTPS on port 443 but cannot.

Possibly, if you’ve left SSL/TLS on “Automatic”, it might have detected this and switched to Flexible, but now you might be experiencing issues such as mixed content errors and cannot determine how to proceed further.

Otherwise, it switched to Full (not strict) to still have room so your origin Let’s Encrypt SSL certificate could still try to validate and renew (if Always Use HTTPS is disabled).

Have you checked your CF dashboard under the SSL/TLS settings, did it switch to Flexible or not? :thinking:

May I ask what SSL option have you got selected under the SSL/TLS tab at Cloudflare dashboard for your domain ( Flexible, Full, Full Strict … )? :thinking:

Before moving to Cloudflare, was your website working over an HTTPS connection?

The best way is to temporarily pause Cloudflare for your site. Wait a few minutes. Double-check the origin SSL certificate. Renew it. After the website works okay over HTTPS, un-pause and all good.

Steps for troubleshooting:

  1. Use the “Pause Cloudflare on Site” option from the Overview tab for your domain at dash.cloudflare.com .
  2. The link is in the lower right corner of that page.
  3. Give it five minutes to take effect, then make sure the site is working as expected with HTTPS without any error.
  4. Check with your hosting provider / Plesk panel / cPanel AutoSSL / Let’s Encrypt / ACME / Certbot and manually click to renew it.
  5. Only then, when your website responds over HTTPS, you should un-pause Cloudflare and double-check your SSL/TLS setting to make sure it’s set to Full (Strict).

More about this feature:

Cloudflare’s Universal SSL certificate also uses Let’s Encrypt, Google Trust Services or SSL.com to issue and renew the SSL certificate for proxied :orange: DNS records.
This happens because, with Cloudflare proxy enabled, the real traffic to your origin server is hidden behind Cloudflare’s network, which can interfere with the validation process required for Let’s Encrypt to issue or renew certificates.

In short, Let’s Encrypt uses HTTP-01 or DNS-01 challenges to verify domain ownership before issuing a certificate. When you use Cloudflare’s proxy, the traffic is routed through Cloudflare’s servers, and Let’s Encrypt’s validation might not be able to directly reach your origin server. This can prevent the validation process from succeeding.

You can temporarily disable Cloudflare’s proxy for the domain you’re trying to renew the certificate for. This will allow Let’s Encrypt to directly communicate with your origin server and complete the HTTP-01 challenge. After the certificate is successfully renewed, you can re-enable the proxy.

Otherwise, if you prefer not to temporarily disable Cloudflare’s proxy, you can use the DNS-01 challenge, which is more compatible with Cloudflare.
Switch your SSL/TLS mode to manual, use Full (not strict) and disable the “Always Use HTTPS” feature, but keep using proxy :orange: for your DNS records.

If possible, use a client that supports DNS-01 challenges with Cloudflare, such as Certbot with the Cloudflare DNS plugin. Use the so-called “webroot” method.

Individually and manually, yes, via the Dashboard. However, in a “batch”, I’d suggest writing and using a Cloudflare Worker script and the Cloudflare API for such cases.
Or by writing a simple Python or Bash script which would run every X before the origin SSL certificate expires, switch the needed zones to unproxied :grey: , start the renew process and, upon success, revert back to proxied :orange: .

The 2nd way is to generate a Cloudflare Origin CA certificate and install it for your zone on your web server and keep Full (Strict) for the next 15 years or so.
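As an added example that is not part of this thread (not the poster's script and not Cloudflare's own code): a small Python audit that answers question 3 above by listing every zone on the account whose SSL/TLS mode differs from the mode you expect, so unexpected switches to Full (Strict) are detected before they cause 526 errors. It assumes an API token with zone-settings read permission in the `CF_API_TOKEN` environment variable; the sample API responses embedded below are constructed so the drift check itself runs offline.

```python
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"  # Cloudflare API base URL

# Constructed sample responses in the shape of GET /zones and
# GET /zones/{id}/settings/ssl, so the drift check can run offline.
SAMPLE_ZONES = {"result": [{"id": "zone-a", "name": "example.com"},
                           {"id": "zone-b", "name": "example.net"}]}
SAMPLE_SSL = {"zone-a": {"result": {"id": "ssl", "value": "strict"}},
              "zone-b": {"result": {"id": "ssl", "value": "full"}}}

def cf_get(path, token):
    """GET an API path with a bearer token and return the parsed JSON."""
    req = urllib.request.Request(API + path,
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def ssl_patch_body(mode):
    """Request body for PATCH /zones/{id}/settings/ssl; rejects unknown modes
    so a typo can never push an unintended setting to every zone."""
    if mode not in ("off", "flexible", "full", "strict"):
        raise ValueError("unknown SSL mode: " + mode)
    return json.dumps({"value": mode})

def find_drift(zones_payload, ssl_by_zone, expected):
    """Return (zone name, current mode) for each zone not in the expected mode."""
    drifted = []
    for zone in zones_payload["result"]:
        mode = ssl_by_zone[zone["id"]]["result"]["value"]
        if mode != expected:
            drifted.append((zone["name"], mode))
    return drifted

def audit_account(token, expected="full"):
    """Live audit: fetch every zone (first page of 50) and its SSL mode."""
    zones = cf_get("/zones?per_page=50", token)
    ssl = {z["id"]: cf_get("/zones/%s/settings/ssl" % z["id"], token)
           for z in zones["result"]}
    return find_drift(zones, ssl, expected)

if __name__ == "__main__":
    token = os.environ.get("CF_API_TOKEN")
    drift = audit_account(token) if token else find_drift(SAMPLE_ZONES, SAMPLE_SSL, "full")
    for name, mode in drift:
        print("%s: ssl mode is %r, expected 'full'" % (name, mode))
```

Rather than silently switching drifted zones back, the audit only reports them; the Origin CA route described in the reply keeps Full (Strict) valid, which is the better fix than downgrading.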

Thank you so much for your detailed response! I followed the steps to generate and install the Cloudflare Origin CA certificate, and it worked perfectly. I was able to set the SSL/TLS encryption mode to Full (Strict) without any issues this time.

Initially, I was confused about the Private Key part, but your explanation clarified everything. After installing the certificate on my cPanel server and checking the configuration, everything is now working as expected. The SSL time check discrepancy was also resolved after I understood the difference between the Cloudflare-provided certificate and the Origin CA certificate.

I really appreciate your support and guidance. Thank you once again for your time and effort!


Thank you for feedback!

I am happy to assist you :hugs:

Just to add, please keep in mind that you cannot use both AutoSSL for “mail” and the Cloudflare Origin CA certificate for “domain.com, www, sub, etc.”, since cPanel unfortunately installs that Cloudflare Origin CA certificate for all sub-domains automatically, therefore there is no way to use AutoSSL - at least from what I’ve tested before, maybe something changed within different cPanel versions in the past.

Furthermore, you cannot use the Cloudflare Origin CA certificate for e-mail.
It works only for web traffic (HTTP / HTTPS).
Hopefully, you’re not using cPanel for your email as well, as it might break your email.

Nevertheless, cPanel will always show an “expired” or “not valid” certificate warning for the Cloudflare Origin CA certificate.

Just to not forget about those few points since you’ve mentioned cPanel.

If you’d like to use AutoSSL and Cloudflare, there are some ways, which again come down to what I’ve written in my reply above:

Or just use 3rd-party service provider for email or different web hosting and make sure cPanel is then set to use “Remote Email Exchange”, not “Local” under the “Email Routing” options.

