Massive SSL/TLS mess - Cloudflare error page still after removing my site from Cloudflare service completely

The short version is that my hosting company, Bluehost, refuses to remove support for TLS 1.0 and 1.1 despite both being deprecated, which will cap your website security ranking to a “B” rating at best. Therefore I wanted to use Cloudflare to force TLS version 1.2 at minimum so I can increase my ranking etc. At one point everything was working. Not sure exactly at which point, but somewhere after I had everything working I noticed the website loading to a Cloudflare ERROR 526. I have not been able to fix this.

So far I have tried:

  • Disabling SSL Strict back to Full
  • Turning off SSL completely (no encryption)
  • Buying a $5 SSL certificate from Cloudflare
  • Disabling Universal SSL Cert after buying one from Cloudflare
  • Enabling HSTS
  • Disabling HSTS
  • Uploading an Origin Cert to my Bluehost server
  • Removing the Origin Cert from my Bluehost server
  • Pausing the website on Cloudflare
  • Removing the website completely from Cloudflare

Can anyone give me some guidance here? I’m literally pulling my hair out at this point.

The current state of the website is that it goes to a Cloudflare 403 Forbidden error now. (Even though the site has been fully removed from Cloudflare, even though the DNS has been changed back to Bluehost).

I have already read Cloudflare Error 526 help page and it has been utterly worthless.

What’s the domain?

I’d prefer not to list the domain publicly.

Try testing with 3rd party DNS propagation check site like https://www.whatsmydns.net/ that your domain’s nameserver (NS) records are properly pointing to your Bluehost nameservers and not Cloudflare’s. If they are pointing to Bluehost, then make sure to flush your own computer/browser’s ISP DNS cache as well.

I already did this. For some reason the DNS propagation tool shows ALL Cloudflare DNS, not Bluehost.

I have already purged all my browser caches (using 3 different browsers), and I have flushed the DNS cache on my computer already.

It’s been over an hour now since I changed DNS back to Bluehost and DNS propagation tool still shows 100% Cloudflare servers.

There’s the problem then, your domain is still using Cloudflare nameservers. So I’d double check with Bluehost if you have properly changed nameservers.

Unlike Cloudflare, 3rd party DNS changes may observe the DNS TTL that Bluehost has. Some have TTL 86400 seconds = 1 day, so DNS changes may take up to a full day on Bluehost. Not that I have used Bluehost, so you’d have to check with them how long it takes for changes to take effect.

I do.

from Bluehost KB https://my.bluehost.com/hosting/help/transfer_client_start

Note: Please allow 24-72 hours for the DNS propagation of name servers to fully propagate.

So you probably need to wait 1-3 days at least.
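The two replies above describe the same symptom from two angles: the registrar-level change and what resolvers still have cached. They are different things, and you can check each directly instead of waiting on a propagation site. As an added example (not from this thread), the block below parses `dig NS` output from the parent zone (the .com servers, queried with `+norecurse`, whose referral reflects what the registrar set) and from a recursive resolver, and reports whether the two disagree and for how long the resolver's cached answer can linger. The provider suffixes and the sample dig output are constructed for the example; the Bluehost nameserver suffix is an assumption.

```python
"""Added example: tell the registrar-level delegation of a domain apart from
what resolvers are still caching, using dig output."""
import re
import subprocess

# Provider hints, derived from the public naming patterns of each provider's
# nameservers (assumption: the domain's Bluehost nameservers end in .bluehost.com).
PROVIDER_SUFFIXES = {
    "cloudflare": (".ns.cloudflare.com",),
    "bluehost": (".bluehost.com",),
}

# Matches "example.com.  21600  IN  NS  bob.ns.cloudflare.com." in ANSWER or
# AUTHORITY sections; dig separates fields with tabs or spaces.
NS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+NS\s+(\S+)\s*$", re.MULTILINE)


def nameserver_provider(ns):
    """Classify one nameserver hostname by its suffix."""
    host = ns.rstrip(".").lower()
    for provider, suffixes in PROVIDER_SUFFIXES.items():
        if host.endswith(suffixes):
            return provider
    return "other"


def parse_ns_records(dig_output):
    """Return [(ttl_seconds, nameserver), ...] from `dig NS` text."""
    return [(int(ttl), ns.rstrip(".").lower())
            for _owner, ttl, ns in NS_LINE.findall(dig_output)]


def dig_ns(domain, server, norecurse=False):
    """Run dig against one specific server (network call)."""
    cmd = ["dig", "NS", domain, f"@{server}"]
    if norecurse:
        cmd.append("+norecurse")
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def compare_views(parent_output, resolver_output):
    """Compare the parent zone's delegation with a recursive resolver's cache.

    parent_output: `dig +norecurse NS <domain> @<a TLD server>`; the referral in
    its AUTHORITY section is what the registrar set and it changes within minutes.
    resolver_output: `dig NS <domain> @1.1.1.1` (or any resolver); its TTL is the
    time left before that resolver asks the parent again.
    """
    parent = parse_ns_records(parent_output)
    cached = parse_ns_records(resolver_output)
    parent_set = {ns for _, ns in parent}
    cached_set = {ns for _, ns in cached}
    stale = parent_set != cached_set
    return {
        "registrar_points_to": sorted({nameserver_provider(ns) for ns in parent_set}),
        "resolver_still_serves": sorted({nameserver_provider(ns) for ns in cached_set}),
        "stale": stale,
        "stale_for_up_to_seconds": max((ttl for ttl, _ in cached), default=0) if stale else 0,
    }


# Constructed sample output, shaped like dig's sections: registrar already
# switched to Bluehost, but a resolver still has the Cloudflare answer cached.
SAMPLE_PARENT_OUTPUT = """;; AUTHORITY SECTION:
example.com.		172800	IN	NS	ns1.bluehost.com.
example.com.		172800	IN	NS	ns2.bluehost.com.
"""
SAMPLE_RESOLVER_OUTPUT = """;; ANSWER SECTION:
example.com.		21600	IN	NS	bob.ns.cloudflare.com.
example.com.		21600	IN	NS	lola.ns.cloudflare.com.
"""

if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    # a.gtld-servers.net is authoritative for .com; use the right TLD servers otherwise.
    print(compare_views(dig_ns(domain, "a.gtld-servers.net", norecurse=True),
                        dig_ns(domain, "1.1.1.1")))
```

If the parent already shows Bluehost while the resolver still shows Cloudflare, the change is done and only the cached TTL is left to expire; if the parent itself still shows Cloudflare, the nameserver change never reached the registrar and waiting will not help.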

Strange. I’ve been using Bluehost for around 5 years and most of the time the DNS changes fully propagate in like 20 minutes to an hour.

I’ll call them and see what Tech Support says.

I just switched back to Cloudflare DNS so I can try to resolve this 526 issue, since I ultimately do want to use Cloudflare in the end.

The 403 error is gone now, but I'm still getting the error 526. I re-added the site to Cloudflare again.

So you’ve done the steps outlined at https://support.cloudflare.com/hc/en-us/articles/115003011431#526error ?

Temporarily pause Cloudflare and visit https://www.sslshopper.com/ssl-checker.html#hostname=www.example.com (replace www.example.com with your hostname and domain) to verify no issues exists with the origin SSL certificate:

What result did you get from that troubleshooting step?

Everything checked out. There were no issues.

I just ran it again. All green checkmarks, no issues again

It checks out fine on SSL Labs also

In that case I’d open a CF support ticket to investigate, as it could be a bug somewhere.

Yeah, that’s what I’m starting to think. That’s why I’m going crazy, b/c I can’t see a single reason it should be doing this.

Day 2 ripping my hair out with this Error 526 that nobody can seem to resolve. It doesn’t matter if I have Strict enabled or not. Still generates an Error 526. I have completely removed all certificates from the origin server, generated a new Origin Cert on CF, installed it fresh, with the private keys. Same Error 526 persists. SSL Checker and SSL Labs show perfect marks. No errors, Full Chain, etc.

I opened a ticket yesterday and the tech at CF doesn’t seem to know what is going on. Is there anyone who can help me resolve this? Probably nobody cares, but I’m tipping whoever helps me fix this with cryptocurrency or PayPal/Venmo (your choice).

The slow replies of CF support are basically unbearable, especially when they say stuff like “Looks good from our end” and that’s all.

Last reply from CF - this is when I removed all certs associated with the domain, then re-installed a brand new Origin Cert from CF to the domain via cPanel.

And when you pause Cloudflare you actually get the Origin certificate?

What do you mean by “actually get the origin certificate”?

I can try pausing now, if you think I should try.

Support’s answer seems to be pretty clear, however. You haven’t issued the Origin certificate for the correct hostnames. Have you fixed that by now?

What’s the domain to begin with?
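The last reply names the usual cause of a 526 under Full (strict): the origin certificate is fine as a certificate, but not issued for the hostname Cloudflare connects with. The earlier advice to pause Cloudflare and run an external SSL checker tests the same thing, but only for whichever hostname you type in. As an added example (not from this thread or from Cloudflare), the block below does what a strict proxy does: it connects to the origin's IP with SNI set to the site hostname and verifies chain, validity period and hostname in one step, and it includes an offline SAN-coverage check with the wildcard-only mistake (a cert for `*.example.com` does not cover the bare `example.com`). The origin IP, hostnames and the sample certificate dict are constructed placeholders.

```python
"""Added example: verify an origin certificate the way a strict proxy does
(chain, expiry, hostname coverage), and test SAN coverage offline."""
import socket
import ssl


def hostname_matches(hostname, san_dns_names):
    """RFC 6125-style match of hostname against dNSName SAN entries.

    A wildcard counts only as the entire leftmost label and matches exactly one
    label: "*.example.com" covers www.example.com but neither example.com nor
    a.b.example.com. Comparison is case-insensitive; trailing dots are ignored.
    """
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        labels = name.split(".")
        if labels[0] == "*":
            if (len(labels) >= 3 and len(labels) == len(host_labels)
                    and labels[1:] == host_labels[1:]):
                return True
        elif name == host:
            return True
    return False


def san_dns_names(cert):
    """dNSName entries from the dict ssl.SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def coverage_report(cert, hostnames):
    """Which of the site's hostnames the certificate actually covers."""
    names = san_dns_names(cert)
    return {h: hostname_matches(h, names) for h in hostnames}


def check_origin(hostname, origin_ip, port=443, cafile=None, timeout=5.0):
    """Connect to the origin's IP with SNI=hostname and verify chain, validity
    period and hostname, which is what Full (strict) requires (network call).

    Connecting by IP matters: once the site is proxied, connecting by name
    reaches Cloudflare's edge, not the origin. cafile: PEM to trust instead of
    the system store; for a Cloudflare Origin CA certificate pass the Origin CA
    root from Cloudflare's docs, since public trust stores do not contain it.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "protocol": tls.version(),
                        "san": san_dns_names(cert), "not_after": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as e:
        # Typical messages: a hostname mismatch, an expired certificate, or
        # "unable to get local issuer certificate" for an untrusted chain.
        return {"ok": False, "reason": getattr(e, "verify_message", str(e))}
    except (ssl.SSLError, OSError) as e:
        return {"ok": False, "reason": str(e)}


# Constructed sample in getpeercert() shape: an origin cert issued only for the
# wildcard, which leaves the bare apex uncovered.
SAMPLE_WILDCARD_ONLY_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
    "notAfter": "Jan  1 00:00:00 2035 GMT",
}

if __name__ == "__main__":
    import sys
    # Placeholders: site hostname, origin IP, optional CA bundle to trust.
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    ip = sys.argv[2] if len(sys.argv) > 2 else "203.0.113.10"
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    print(check_origin(host, ip, cafile=ca))
```

Run `check_origin` once per hostname the site answers on (the apex and `www` at least): a result with `ok` False and a hostname-mismatch reason for one of them, while the external checker passed for the other, is exactly the situation support described. Pass `cafile` only for an Origin CA certificate; for a publicly issued certificate leave it unset so the system trust store is used.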