Hello,
For over a day now, Cloudflare has brought my site down (domain goseongguy.com) with a 526 “invalid SSL certificate” error. I am aware of the community tip article for the 526 error, and I know CF thinks the origin host has the problem. I got in touch with my hosting, and they say:
“The SSL is active for the domain correctly on our end, the A record of the domain is not accepting the SSL certificate update. I can see the A record of the domain is pointing to Cloudflare, you must contact Cloudflare and ask them to update the A record of the domain pointing to Bluehost IP.”
I made no DNS changes or anything, the certificates do not seem to be expired on my server…I don’t understand how this just happens.
I see from previous community posts that many people had solutions by switching from Full (Strict) to Full SSL (not strict). I have already been using Not Strict.
An A record can’t accept a certificate. That’s a bogus explanation.
Assuming your server IP address ends in 205, it would seem as if it did expire and was actually renewed, but not with the necessary hostnames. Only www.goseongguy.com is there, but not your naked domain, hence requests to goseongguy.com won't validate.
Your host should fix that and get a proper certificate with the right names.
That is just making your site insecure. Don’t do that.
That expires in two days and is not the certificate you are using anyhow, but the other one. At this point it’s best you pause Cloudflare, so your host does not have any cheap excuses. Then your host needs to fix that and then you can unpause.
Ok the domain is back online and in Full (Strict) SSL.
My host tried to tell me to put CF in Flexible mode and if the issue persists, to simply cancel Cloudflare because “unfortunately, SSL and CDN conflicts at times”. LOL I asked them to please install something today…so fortunately they did. If the issue happens again, at least I should be more prepared now.
If there is a way that you were able to know which certificate was actually in use, that seems like it would be useful to know.
You need to establish a direct SSL connection to your server. You do that by using an unproxied record, pausing Cloudflare altogether, or using e.g. OpenSSL to send a direct request.
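The script below is an added example, not code posted in this thread or provided by Cloudflare or Bluehost. It does what the last reply describes (connect straight to the origin IP with OpenSSL, with SNI set to the site hostname, so Cloudflare is bypassed) and then performs the check that explained the 526 earlier in the thread: does the certificate the origin actually serves list the requested name in its subjectAltName, and is it about to expire. The origin IP 203.0.113.205 and the script name origin_cert.sh are placeholders; the host's real IP comes from the hosting panel. It assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# origin_cert.sh HOST ORIGIN_IP
# Example: ./origin_cert.sh goseongguy.com 203.0.113.205
# (203.0.113.205 is a placeholder IP; use the origin IP your host gives you.)

# san_covers NAME SAN_LIST
# Returns 0 if any entry in the space-separated SAN_LIST matches NAME:
# an exact (case-insensitive) match, or a wildcard whose "*" stands for
# exactly one label, as browsers and Cloudflare Full (Strict) apply it.
# "*.goseongguy.com" therefore covers www.goseongguy.com but not the
# naked goseongguy.com and not a.b.goseongguy.com.
san_covers() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  for san in $2; do
    san=$(printf '%s' "$san" | tr 'A-Z' 'a-z')
    case "$san" in
      "$name") return 0 ;;
      \*.*)
        suffix=${san#\*.}
        prefix=${name%".$suffix"}
        # prefix must have changed (name ends in .suffix), be non-empty,
        # and contain no dot (the wildcard covers a single label only)
        if [ "$prefix" != "$name" ] && [ -n "$prefix" ] \
           && [ "${prefix#*.}" = "$prefix" ]; then
          return 0
        fi ;;
    esac
  done
  return 1
}

# sans_from_text
# Reads `openssl x509 -text` output on stdin and prints the DNS names from
# the subjectAltName extension, space-separated (empty if there is none).
sans_from_text() {
  awk '/Subject Alternative Name/ { getline; print; exit }' \
    | tr ',' '\n' | sed -n 's/^ *DNS://p' | tr '\n' ' ' | sed 's/ $//'
}

# fetch_leaf_cert HOST IP
# Opens a TLS connection directly to IP:443 (not through Cloudflare) with
# SNI set to HOST and prints the leaf certificate the origin presents, as PEM.
fetch_leaf_cert() {
  openssl s_client -connect "$2:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 2>/dev/null
}

main() {
  host=$1; ip=$2
  pem=$(fetch_leaf_cert "$host" "$ip")
  if [ -z "$pem" ]; then
    echo "no certificate received from $ip:443 (is the origin IP right?)"
    exit 2
  fi
  sans=$(printf '%s\n' "$pem" | openssl x509 -noout -text | sans_from_text)
  echo "issuer:  $(printf '%s\n' "$pem" | openssl x509 -noout -issuer)"
  echo "expires: $(printf '%s\n' "$pem" | openssl x509 -noout -enddate)"
  echo "SANs:    ${sans:-(none)}"
  # 172800 s = 48 h: flag certificates that are about to lapse
  if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 172800 >/dev/null; then
    echo "WARNING: certificate expires within 48 hours"
  fi
  if san_covers "$host" "$sans"; then
    echo "OK: certificate covers $host"
  else
    echo "MISMATCH: certificate does not cover $host; Full (Strict) will reject it"
    exit 1
  fi
}

if [ "$#" -eq 2 ]; then
  main "$@"
fi
```

Run it once against the origin IP for goseongguy.com and once for www.goseongguy.com; the SAN line shows exactly which names the served certificate carries, and a MISMATCH for the naked domain with an OK for www reproduces the situation diagnosed above without touching any Cloudflare setting.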