Site down with sudden 526 error, certificates appear valid

Hello,
For over a day now, Cloudflare has brought my site down (domain goseongguy.com) with a 526 “invalid SSL certificate” error. I am aware of the community tip article for the 526 error, and I know CF thinks the origin host has the problem. I got in touch with my hosting, and they say:
“The SSL is active for the domain correctly on our end, the A record of the domain is not accepting the SSL certificate update. I can see the A record of the domain is pointing to cloudflare, you must contact cloudflare and ask them to update the A record of the domain pointing to Bluehost IP.”

I made no DNS changes or anything, the certificates do not seem to be expired on my server…I don’t understand how this just happens.

I see from previous community posts that many people had solutions by switching from Full (Strict) to Full SSL (not strict). I have already been using Not Strict.

Help please.

Thanks,
Nate

1 Like

An A record can’t accept a certificate. That’s a bogus explanation.

Assuming your server IP address ends in 205 it would seem as if it did expire and was actually renewed but not with the necessary hostnames. Only www.goseongguy.com is there, but not your naked domain, hence requests to goseongguy.com won’t validate.

Your host should fix that and get a proper certificate with the right names.

That is just making your site insecure. Don’t do that.

2 Likes

Hi Sandro,

Thanks for the prompt reply. The IP does end in 205.

When I pull up the certificates on my server, one of them I see is showing me this:

autodiscover.goseongguy.com
cpanel.goseongguy.com
cpcalendars.goseongguy.com
cpcontacts.goseongguy.com
goseongguy.com
mail.goseongguy.com
webdisk.goseongguy.com
webmail.goseongguy.com
www.goseongguy.com
Let’s Encrypt
7/28/21
RSA, 2,048-bit
Cert for “goseongguy.com

1 Like

That expires in two days and is not the certificate you are using anyhow, but the other one. At this point it’s best you pause Cloudflare, so your host does not have any cheap excuses. Then your host needs to fix that and then you can unpause.

2 Likes

Ok then, would “Pause Cloudflare on site” be enough? Do I need to switch my nameservers away from CF also, back to my host?

1 Like

No, just pause Cloudflare. Leave the nameservers and change your mode back to “Full strict” too.

1 Like

Ok many thanks!

1 Like

Ok the domain is back online and in Full (Strict) SSL.

My host tried to tell me to put CF in Flexible mode and if the issue persists, to simply cancel Cloudflare because “unfortunately, SSL and CDN conflicts at times”. LOL I asked them to please install something today…so fortunately they did. If the issue happens again, at least I should be more prepared now.

If there is a way that you were able to know which certificate was actually in use, that seems like it would be useful to know.

Thanks again!

1 Like

You need to establish a direct SSL connection to your server. You do that by using an unproxied record, pausing Cloudflare altogether, or using e.g. OpenSSL to send a direct request.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.