SSL Certificate randomly invalid

My server’s certificate suddenly became invalid for some time (Error 526), known duration of issue: around 20 minutes.
Now it’s also suddenly back to normal, but I’d want to know what the issue was. Existing topics on the problem don’t provide any answer.

Given:

  • Website has worked without any issue for half a year;
  • Server’s and Cloudflare’s configuration was not changed for 4 months;
  • Server’s certificate was renewed just a week ago, so it’s perfectly valid;
  • SSL-encrypted mail service hosted on the same server kept working through all the time just fine for both incoming/outgoing mail;
  • Playing around with SSL/TLS encryption mode and disabling/enabling HSTS didn’t affect the issue;
  • Shortly before the trouble I’d added another website hosted on the same server to Cloudflare, set the DNS A-record to the server while still pending the nameserver check. The issue disappeared just around the time the new site was activated, so my best guess is that it was somehow connected to the trouble.

With all that, was the issue caused by me (and how to prevent it), or is it Cloudflare’s fault?

Mind if I ask what certificate you have on your server (certificate authority, etc.)?

Playing around, … what exactly is the current SSL/TLS encryption mode now?

It sounds like it was the former (e.g. the older website), but just to confirm: Did you see the 526 on the older website, or on this newer “another website” you added shortly before the trouble?

I’m however a bit sceptical about finding the actual issue, given the fact that you indicate that it magically just returned to working, e.g. being solely an intermittent issue.

LE certbot Apache mod;

Encryption mode normally set to Full, while trying to troubleshoot it was set to Full (strict) and Flexible, back to Full now.

526 was on the older website; the new one wasn’t active on Cloudflare yet, so it was inaccessible.

That’s pretty much the question, if it’s not some obvious mistake that I’m unaware of, I’ll take it as a CF error, I just wanted to know what I should avoid doing in the future.

If you pause Cloudflare (or set the individual record to Unproxied (:grey:) / DNS-only), does the certificate on the server work flawlessly in a browser?

Alternatively, and assuming that your operating system has e.g. cURL installed, then if your problematic host name is test.example.com, and the IP address of your server is 203.0.113.123, you can try running cURL like this:

curl -v -o /dev/null https://test.example.com --resolve test.example.com:443:203.0.113.123

That command would make test.example.com resolve to 203.0.113.123, and therefore connect directly to your server (bypassing Cloudflare) for connections on port 443, where you can then check in the output for e.g. information about the secure connection, and whether cURL reports that your certificate is “ok”.

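Since Error 526 means Cloudflare could not validate the certificate on the origin, the reply above's direct check with `--resolve` is the useful first step. The script below is an added example (not code from the thread or from Cloudflare): it wraps that cURL call in a function and turns cURL's verbose handshake output into a verdict, using the same documentation host name and IP as the reply. The function names, the constructed sample outputs and the "expire date" extraction are assumptions of this example; the sample outputs are made up, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the thread: check an origin server's certificate directly,
# bypassing Cloudflare with curl --resolve, and turn curl's verbose handshake output
# into a simple verdict. Function names and sample output are constructed here.

# Classify curl -v output from a TLS connection: "ok" when curl verified the
# certificate against its CA bundle, "verify-failed" when it reported a certificate
# problem, "unknown" otherwise (e.g. connection refused before the handshake).
classify_curl_output() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'SSL certificate verify ok'; then
        echo ok
    elif printf '%s\n' "$out" | grep -qiE 'certificate verify failed|SSL certificate problem|unable to get local issuer|certificate has expired'; then
        echo verify-failed
    else
        echo unknown
    fi
}

# Pull the "expire date" line curl prints for the server certificate, so a
# soon-to-expire or already-expired origin certificate is easy to spot.
cert_expiry() {
    printf '%s\n' "$1" | sed -n 's/^\*  *expire date: *//p' | head -n 1
}

# Connect straight to the origin IP for the host name (Cloudflare bypassed) and
# print the verdict plus the expiry date.
# Usage: check_origin_cert test.example.com 203.0.113.123
check_origin_cert() {
    host="$1"
    ip="$2"
    out=$(curl -sv -o /dev/null "https://$host/" --resolve "$host:443:$ip" 2>&1)
    printf 'verdict: %s\n' "$(classify_curl_output "$out")"
    printf 'expires: %s\n' "$(cert_expiry "$out")"
}

# Constructed sample of what curl -v prints for a healthy origin
# (documentation addresses only; not captured from a real server).
SAMPLE_OK=$(cat <<'EOF'
* Connected to test.example.com (203.0.113.123) port 443 (#0)
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: CN=test.example.com
*  start date: Jan  1 00:00:00 2024 GMT
*  expire date: Mar 31 23:59:59 2024 GMT
*  subjectAltName: host "test.example.com" matched cert's "test.example.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
EOF
)

# Constructed sample for an origin whose certificate curl rejects (expired).
SAMPLE_BAD=$(cat <<'EOF'
* Connected to test.example.com (203.0.113.123) port 443 (#0)
* SSL certificate problem: certificate has expired
* Closing connection 0
curl: (60) SSL certificate problem: certificate has expired
EOF
)

# Run the live check only when a host name and IP are given on the command line.
if [ "$#" -eq 2 ]; then
    check_origin_cert "$1" "$2"
fi
```

Run it as `sh check_origin.sh test.example.com 203.0.113.123` (hypothetical file name) with your own host name and origin IP. A verdict of "verify-failed" while Cloudflare is reporting 526 points at the origin (chain, expiry or host name mismatch); "ok" from the origin during an outage points away from the certificate itself and toward what sits between Cloudflare and the server.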
