SSL certificate suddenly invalid


#1

So yesterday at around 11AM EST my website stopped working and started showing error 526 (Invalid SSL Certificate) instead, I didn’t change anything on the server or any settings in cloudflare and the certificate didn’t expire.

For some background I do use Lets Encrypt with their DNS validation and its worked fine since they originally released that.

In cloudflare my crypto SSL setting is set to full strict which is what its been for several months now, if I change that from full strict to just full the error on the site changes from error 526 (Invalid SSL Certificate) to error 520 (Web server is returning an unknown error).

I can access the site fine internally so as far as the web server itself goes its working fine.

Ray ID for Error 526: 4684e6719fb450aa
Ray ID for Error 520: 4684e2f81ea950aa


#2

I believe the 526 error is due to the Origin’s SSL certificate expiring. Are you sure your certificate has been renewed? Try connecting to your origin directly.


#3

Sorry but what exactly do you mean by ‘origin’?


#4

The server where you host your content, from which Cloudflare gets the content it proxies and caches. This is assuming you have proxying enabled.


#5

Yes I do have the proxy enabled, if I disable it I get a red triangle saying the connection is not private with an error NET::ERR_CERT_AUTHORIY_INVALID.

If I open the advanced drop down it says the server could not prove that the site is correct, its security certificate is not trusted by your computer’s operating system.

If I try to proceed to the site anyway it just fails and says this page isn’t working, domain.com didn’t send any data. ERR_EMPTY_RESPONSE


#6

It would help knowing the domain, but that seems like your origin doesn’t have a trusted certificate (so for sure not the Let’s Encrypt one), plus it seems like there are others issues with your origin. I don’t think this is an issue with Cloudflare.


#7

So I didn’t do anything but just refreshed the page randomly and the error changed to this, it doesn’t even let me try to proceed to the site like before.
image


#8

The error is Chrome’s, you have HSTS enabled on your domain, this prevents HTTP (or not valid certificates) connections to your domain.

The issue is at your Origin.


#9

:wave: @saltystew94,

At @matteo mentioned the 526 error means this is likely an issue with you origin server (the server hosting the content). At the moment you are likely using Full (strict) for connections to your origin. This requires that the cert on your origin that Cloudflare connects to be a. from a trusted CA, that the host name match and c. that the certificate is not expired or revoked.

If this was previously working, the most likely cause is that your origin cert has expired. If that is the case you can either a. update it or b. change SSL to Full instead of Full (Strict) on the Crypto tab.

-OG


#10

Thanks for the link!


#11

@OliverGrant Before posting here I did update the cert, although as far as I could tell it hadn’t expired, and nothing changed, I also tried using full instead of full strict because I’ve read that article already, it just gives me a different error instead as mentioned error 520.

@matteo thanks for the help, I guess I’ll try to figure out what happened with the server then.


#12

So that sounds like an issue with the webserver and the cert. Does curl -o /dev/null -kv https://www.microsoft.com with your website name while not proxied throguh Cloudflare work?