November 9, 2022, 10:35am
I’ve got a site that’s been running for over a year now; this morning, all of a sudden, I started getting 526 SSL errors.
On the server it has a Let’s Encrypt cert valid for another 59 days, and the padlock icon/cert info appear to list the cert common name as sni.cloudflaressl.com instead of *.domain.com.
I have made absolutely no changes and it just came up this morning - my feeling is something must have changed at Cloudflare’s backend somehow?
Any advice would be much appreciated.
November 9, 2022, 11:07am
That sounds like the proxy certificate issued by Cloudflare. You also need a valid certificate on your origin server. It is likely your origin certificate has expired and needs to be renewed.
I suggest you start by pausing Cloudflare (this can be done on the zone overview page). Then you’ll be able to connect directly to your origin and identify the issue. Once your site loads over HTTPS again without issues, you can unpause Cloudflare.
November 9, 2022, 11:13am
Thanks for your reply, Albert. As I mentioned, the origin cert is still valid for 59 days and I haven’t touched anything at all:
“Expiry Date: 2023-01-08 08:38:14+00:00 (VALID: 59 days)”
What could have changed all of a sudden?
November 9, 2022, 11:19am
Is this when you are connecting directly to your origin server, or through Cloudflare? Could you share the domain name?
526 indicates an issue with the origin’s SSL certificate, so I really recommend you pause Cloudflare to ensure your website loads fine without.
November 9, 2022, 11:30am
Thanks Albert, could I DM you the domain name somehow?
I’ve changed SSL settings in CF from Full (strict) to Full and it seems to be working.
With Cloudflare paused it wouldn’t connect. Let’s Encrypt logs on the server are not showing any errors or warning so I am 100% puzzled by all this…
November 9, 2022, 11:54am
If it works on Full but not on Full (strict), then you have an invalid/expired certificate on your origin server. Full non-strict is insecure and should not be used.
Do you have a firewall rule on your origin that only allows Cloudflare IPs to connect?
November 9, 2022, 12:10pm
I have other sites configured in the exact same way on the server and they work fine on Full (strict), running certbot via SSH shows the cert is valid and non-expired.
The difference I noticed in the web browser between the site that is working and the one that is not: the cert info lists the common name as sni.cloudflaressl.com for the one that is having issues, while the others have *.domain.com (and they’re working).
I do not have any firewall rules on origin to allow only CF IPs.
November 9, 2022, 12:45pm
Hi Albert, I’ve used a 3rd-party site to check the certs; here is what I got. The dates for the Let’s Encrypt certs (first row, 2 entries) match the details on the server regarding the expiry on 2023-01-08.
So I’m not sure what is going on here
Does the screenshot help to potentially identify what is going on? I’d really appreciate any advice.
November 9, 2022, 12:58pm
Albert, I seem to have resolved it and the site is now running at Full (strict).
The solution was to…
sudo systemctl reload nginx
Hope this helps other people. I think I got a few more grey hairs due to all this!
Thank you Albert for trying to help.
I suspect maybe some automated updates to the server might have caused this? i.e. the Ubuntu automatic security patching… but maybe not.
What do you think Albert?
November 9, 2022, 2:15pm
The cause of the 526 error was certainly an invalid/expired certificate on your origin server, but it is possible your server had already generated a new certificate that NGINX just hadn’t loaded yet.
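The check behind both pieces of advice in this thread (connect to the origin directly, as pausing Cloudflare lets you do, and compare the certificate on disk with the one the web server is actually serving) can be scripted. The following is an added example written for this page, not a tool from the thread or from Cloudflare. It assumes the origin’s public IP is reachable on port 443 directly, that the hostname passed is the one Cloudflare sends as SNI, and that the on-disk certificate is certbot’s fullchain.pem for the domain; the verdict names STALE/INVALID/OK and the sample PEM bytes are the example’s own constructions, not real certificates.

```python
import base64
import hashlib
import socket
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM file.

    certbot's fullchain.pem holds the leaf followed by intermediates; the
    leaf is the one the browser shows, so only that block is decoded."""
    start = pem.index(PEM_BEGIN)
    end = pem.index(PEM_END, start) + len(PEM_END)
    return ssl.PEM_cert_to_DER_cert(pem[start:end])


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    digest = hashlib.sha256(der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def fetch_origin_cert(origin_ip, sni_host, port=443, timeout=5.0):
    """Handshake directly with the origin (bypassing the proxy), sending
    SNI=sni_host so the server picks the same vhost the proxy would.

    Returns (leaf_der, verify_error). verify_error is None when the
    certificate passes chain, expiry and hostname checks, roughly what
    Full (strict) requires; otherwise it holds OpenSSL's reason string."""
    strict = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with strict.wrap_socket(raw, server_hostname=sni_host) as tls:
                return tls.getpeercert(binary_form=True), None
    except ssl.SSLCertVerificationError as exc:
        verify_error = exc.verify_message or str(exc)
    # Verification failed: reconnect without verifying, purely to capture
    # which certificate the server is actually presenting.
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
        with lax.wrap_socket(raw, server_hostname=sni_host) as tls:
            return tls.getpeercert(binary_form=True), verify_error


def diagnose(disk_pem: str, served_der: bytes, verify_error):
    """Compare what certbot wrote to disk with what the origin serves."""
    disk_fp = fingerprint(pem_to_der(disk_pem))
    served_fp = fingerprint(served_der)
    if disk_fp != served_fp:
        # Renewed file on disk, old certificate still in the server's memory:
        # the web server needs a reload, not a new certificate.
        verdict = "STALE"
    elif verify_error:
        # The file itself is what is served, and it fails verification.
        verdict = "INVALID"
    else:
        verdict = "OK"
    return {"verdict": verdict, "disk": disk_fp, "served": served_fp,
            "error": verify_error}


# Constructed sample, NOT a real certificate: arbitrary bytes in PEM armour,
# just enough to exercise the decode/compare logic offline.
SAMPLE_LEAF = b"constructed-leaf-certificate-bytes"
SAMPLE_DISK_PEM = (PEM_BEGIN + "\n"
                   + base64.encodebytes(SAMPLE_LEAF).decode("ascii")
                   + PEM_END + "\n")
SAMPLE_STALE_DER = b"previous-certificate-still-loaded-by-the-web-server"


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} ORIGIN_IP HOSTNAME /path/to/fullchain.pem")
    origin_ip, hostname, cert_path = sys.argv[1:]
    with open(cert_path) as fh:
        disk_pem = fh.read()
    served_der, verify_error = fetch_origin_cert(origin_ip, hostname)
    for key, value in diagnose(disk_pem, served_der, verify_error).items():
        print(f"{key:>8}: {value}")
```

A STALE verdict is the situation this thread ended in: certbot had renewed the file, but NGINX was still serving the certificate it loaded at startup, so `systemctl reload nginx` was the whole fix. To stop it recurring, have certbot reload the server after every renewal, either with `certbot renew --deploy-hook "nginx -t && systemctl reload nginx"` or by placing an executable script with that command in certbot’s `/etc/letsencrypt/renewal-hooks/deploy/` directory; running `nginx -t` first avoids reloading into a broken config. An INVALID verdict means the on-disk certificate itself fails the checks Full (strict) performs and renewal is the right fix.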
November 19, 2022, 9:59am
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.