Setting up full (strict) SSL/TLS encryption

I want to setup full HTTPS encryption for my domain (genify.ai) and subdomain (ezloan.genify.ai).

I have a CNAME which redirects genify.ai to my PythonAnywhere web host, and another CNAME which should redirect ezloan.genify.ai to another web app on AWS (the redirect doesn’t actually happen, but that’s another problem).

In SSL/TLS -> Overview, I’ve selected “Full (strict)”

In SSL/TLS -> Origin server, I’ve created 2 certificates: one with hosts genify.ai and *.genify.ai, another one with hosts ezloan.genify.ai and *.ezloan.genify.ai

I also have a universal certificate with hosts *.genify.ai and genify.ai, and Universal SSL is enabled.

  1. Is the setup above correct?

  2. In my browser only, trying to access genify.ai yields error 526. However it works on some other browsers. Why?

Error 526 stands for:

Cloudflare cannot validate the SSL cert on the origin server. It is invalid or self-signed, which is also invalid for “Full (Strict)” SSL mode.

You have not set up your SSL cert right, or the SSL cert itself is invalid.
From Cloudflare you just need one single Origin SSL cert. It is the one which is for:

genify.ai & *.genify.ai

As it covers the root domain and ALL first-level subdomains.

For me it is like this:

ezloan.genify.ai => www.ezloan.ai => works
genify.ai => 526 Error

What you have to do is install a valid SSL cert on the server which hosts genify.ai, or set SSL mode to “Full” and not “Full (Strict)”, but this is just a workaround and not recommended!

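The reply above rests on how certificate names are matched: a cert for genify.ai and *.genify.ai covers the root and every first-level subdomain, while a wildcard never spans two labels, so *.genify.ai does not cover anything under ezloan.genify.ai. The script below is an added example (not code from the thread or from Cloudflare) that implements those matching rules and performs the same kind of verified handshake against an origin that “Full (Strict)” mode does; the hostnames are taken from the thread, and the origin IP and CA bundle path are assumptions you would supply.

```python
"""Checks of the kind Cloudflare's "Full (strict)" mode performs against an origin.

Added example, not code from the thread or from Cloudflare. san_matches()
implements the usual SAN dNSName rules (a wildcard covers exactly one label),
which is why a cert for "genify.ai" + "*.genify.ai" covers ezloan.genify.ai but
not api.ezloan.genify.ai. check_origin() does a real TLS handshake and is only
useful online; the origin IP and CA bundle path passed to it are assumptions.
"""
import socket
import ssl
from typing import Iterable, Optional


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single SAN dNSName `pattern` covers `hostname`.

    Rules (RFC 6125 style, as browsers and the Cloudflare edge apply them):
      * comparison is case-insensitive;
      * a wildcard is only honoured as the whole leftmost label ("*.example");
      * the wildcard matches exactly one label, never zero or several;
      * a wildcard never covers a bare top-level name ("*.ai" is refused).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3:            # "*.ai" would cover an entire TLD
        return False
    if len(h_labels) != len(p_labels):
        return False                 # wildcard stands for exactly one label
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def cert_covers(sans: Iterable[str], hostname: str) -> bool:
    """True if any SAN entry on the certificate covers the hostname."""
    return any(san_matches(s, hostname) for s in sans)


def check_origin(hostname: str, origin_ip: str,
                 cafile: Optional[str] = None, port: int = 443) -> str:
    """Handshake with the origin the way a strict-mode edge proxy would.

    Connects to `origin_ip`, sends `hostname` as SNI, and verifies both the
    chain and the hostname. Returns "ok" or a short reason; any non-"ok"
    result is the condition that surfaces to visitors as error 526.
    `cafile` is where you would point at the origin CA root (assumed path);
    None uses the system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((origin_ip, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                tls.getpeercert()        # verification already happened in the handshake
                return "ok"
    except ssl.SSLCertVerificationError as e:
        return f"verify failed: {e.verify_message}"
    except (ssl.SSLError, OSError) as e:
        return f"connection/TLS failed: {e}"


if __name__ == "__main__":
    root_cert = ["genify.ai", "*.genify.ai"]            # the one origin cert the reply recommends
    sub_cert = ["ezloan.genify.ai", "*.ezloan.genify.ai"]
    for host in ["genify.ai", "ezloan.genify.ai", "api.ezloan.genify.ai"]:
        print(f"{host:24} root cert: {cert_covers(root_cert, host)!s:5} "
              f"sub cert: {cert_covers(sub_cert, host)}")
    # Online check against a real origin (assumed placeholder values):
    # print(check_origin("genify.ai", "198.51.100.10", cafile="origin_ca_rsa_root.pem"))
```

Run `check_origin()` against the origin's own IP, not the proxied hostname, since resolving genify.ai returns Cloudflare edge addresses; a `verify failed: self-signed certificate` or `hostname mismatch` result is exactly what strict mode rejects.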

Thanks!

Should I disable universal SSL (in Edge certificates)?

No. First set “SSL mode” to “Full”. This will give you some time to resolve the error and should make your site work immediately.

Then try to install a proper SSL cert on your origin server, as Cloudflare cannot validate the installed one.

After this, do not forget to switch back to “Full (Strict)” again.

The SSL certificate that I have to install on my origin server (PythonAnywhere), isn’t it the one provided by Cloudflare (under SSL/TLS -> Origin server)?

I cannot answer this question, as I cannot test your origin server unless you provide the IP of your server to me.

I can just explain to you what the error code (526) means and how to solve it in the short and the long term.

I’d love to understand how to provide a long term solution for error 526!

Thanks in advance.

When I check the IP address using a service like https://dnschecker.org/all-dns-records-of-domain.php, I get the following:

  • 104.27.167.36
  • 104.27.166.36
  • 172.67.139.36

Thanks!


Yes. Those are Cloudflare IPs.
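The point of the short reply above is that a public DNS lookup of a proxied hostname returns Cloudflare edge addresses, so it says nothing about the certificate on the origin. The script below is an added example (not from the thread or from Cloudflare) that classifies the lookup result; the addresses are the three from the thread, and the CIDR list is a constructed partial snapshot of the ranges Cloudflare publishes at https://www.cloudflare.com/ips-v4, which you should refresh from that URL before relying on it.

```python
"""Tell edge (proxied) addresses from origin addresses in a DNS answer.

Added example, not code from the thread or from Cloudflare. CLOUDFLARE_V4
is a constructed partial snapshot of the published list at
https://www.cloudflare.com/ips-v4; treat it as an assumption and refresh it.
"""
import ipaddress
from typing import Dict, Iterable, List

# Partial snapshot of Cloudflare's published IPv4 ranges (assumption; refresh from the URL above).
CLOUDFLARE_V4 = [
    ipaddress.ip_network("104.16.0.0/13"),
    ipaddress.ip_network("104.24.0.0/14"),
    ipaddress.ip_network("172.64.0.0/13"),
]


def is_cloudflare_ip(address: str) -> bool:
    """True if the address falls in one of the known Cloudflare edge ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in CLOUDFLARE_V4)


def classify_answers(answers: Iterable[str]) -> Dict[str, object]:
    """Split a DNS answer set into edge and non-edge addresses.

    "proxied" is True when every returned address is an edge address, which
    means the name is orange-clouded and the origin's IP is not visible here;
    the origin certificate then has to be checked against the origin IP itself.
    """
    edge: List[str] = []
    other: List[str] = []
    for a in answers:
        (edge if is_cloudflare_ip(a) else other).append(a)
    return {"proxied": bool(edge) and not other, "edge": edge, "other": other}


if __name__ == "__main__":
    # The three addresses reported in the thread for genify.ai.
    answers_from_thread = ["104.27.167.36", "104.27.166.36", "172.67.139.36"]
    print(classify_answers(answers_from_thread))
    # A constructed answer mixing an edge address with a documentation-range IP.
    print(classify_answers(["104.27.167.36", "203.0.113.10"]))
```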
