SSL error 526 all of a sudden, Let's Encrypt cert still valid for 59 days and no changes

Hi everyone,

I’ve got a site that’s been running for over a year now; this morning, all of a sudden, I started getting 526 SSL errors.

On the server it has a Let’s Encrypt cert valid for another 59 days, and the padlock icon/cert info appear to be listing the cert common name as sni.cloudflaressl.com instead of *.domain.com.

I have made absolutely no changes and it just came up this morning. My feeling is something must have changed at Cloudflare’s backend somehow?

Any advice would be much appreciated.

Thanks,
Peter

That sounds like the proxy certificate issued by Cloudflare. You also need a valid certificate on your origin server. It is likely your origin certificate has expired and needs to be renewed.

I suggest you start by pausing Cloudflare (this can be done on the zone overview page). Then you’ll be able to connect directly to your origin and identify the issue. Once your site loads over HTTPS again without issues, you can unpause Cloudflare.


Thanks for your reply, Albert. Like I mentioned, the origin cert is still valid for 59 days and I haven’t touched anything at all:

“Expiry Date: 2023-01-08 08:38:14+00:00 (VALID: 59 days)”

What could have changed all of a sudden?

Is this when you are connecting directly to your origin server, or through Cloudflare? Could you share the domain name?

Error 526 indicates an issue with the origin’s SSL certificate, so I really recommend you pause Cloudflare to ensure your website loads fine without it.

Thanks Albert, could I DM you the domain name somehow?

I’ve changed SSL settings in CF from Full (strict) to Full and it seems to be working.

With Cloudflare paused it wouldn’t connect. Let’s Encrypt logs on the server are not showing any errors or warnings, so I am 100% puzzled by all this…

If it works on Full but not on Full (strict), then you have an invalid/expired certificate on your origin server. Full non-strict is insecure and should not be used.

Do you have a firewall rule on your origin that only allows Cloudflare IPs to connect?


Thanks Albert,

I have other sites configured in the exact same way on the server and they work fine on Full (strict); running certbot via SSH shows the cert is valid and non-expired.

The difference I noticed in the web browser between the site that is working and the one that is not: the cert info lists the common name as sni.cloudflaressl.com for the one that is having issues, while the others have *.domain.com (and they’re working).

I do not have any firewall rules on origin to allow only CF IPs.

Hi Albert, I’ve used a 3rd party site to check the certs. Here is what I got; the dates for the Let’s Encrypt certs (first row, 2 entries) match the details on the server regarding expiry on 2023-01-08.

So I’m not sure what is going on here.

Does the screenshot help to potentially identify what is going on? I’d really appreciate any advice.

Albert, I seem to have resolved it and the site is now running at Full (strict).

The solution was to…

Reload nginx!

sudo systemctl reload nginx

Hope this helps other people. I think I got a few more grey hairs due to all this!

Thank you Albert for trying to help.

I suspect maybe some automated updates to the server might have caused this, i.e. the Ubuntu automatic security patching… but maybe not.

What do you think, Albert?


The cause of the error 526 was certainly an invalid/expired certificate on your origin server, but it is possible your server had already generated a new certificate that NGINX just hadn’t loaded yet.
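The check Albert suggested (connect to the origin directly, bypassing Cloudflare) and the cause he describes at the end (certbot had written a renewed certificate to disk, but NGINX was still serving the old one from memory) can be turned into a small script. The following is an added example for readers of this thread, not code from the thread or from Cloudflare; it assumes openssl is installed, that the origin's public IP is passed in as an argument, and uses a placeholder Let's Encrypt path (/etc/letsencrypt/live/example.com/fullchain.pem). It compares the SHA-256 fingerprint of the certificate the origin actually presents for the site's hostname with the fingerprint of the file on disk. Connecting to the origin IP with the hostname set as SNI is what lets you see the origin's own certificate rather than the sni.cloudflaressl.com proxy certificate.

```shell
#!/bin/sh
# Added example (not from the thread): detect "renewed on disk, not yet loaded by nginx",
# the condition Cloudflare Full (strict) reports as error 526 once the old cert expires.
# Assumptions: openssl is available; ORIGIN_IP and the certbot path are placeholders.
set -u

# SHA-256 fingerprint of the first certificate in a PEM stream read from stdin.
# Output looks like AB:CD:... (the "sha256 Fingerprint=" prefix is stripped).
pem_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the certificate file certbot wrote (leaf cert is first in fullchain.pem).
disk_fingerprint() {
    pem_fingerprint < "$1"
}

# notAfter of the certificate file, as openssl prints it (e.g. "notAfter=Jan  8 08:38:14 2023 GMT").
disk_not_after() {
    openssl x509 -noout -enddate < "$1"
}

# Returns 0 if the certificate file is not yet expired, 1 if it is.
disk_cert_still_valid() {
    openssl x509 -noout -checkend 0 < "$1" > /dev/null
}

# Fingerprint of the certificate the server presents for SNI name $1 when
# connecting to $2:$3.  Using the origin IP instead of the DNS name bypasses
# Cloudflare's proxy, so this is the origin's certificate, not the proxy one.
served_fingerprint() {
    openssl s_client -servername "$1" -connect "$2:$3" < /dev/null 2>/dev/null \
        | openssl x509 -outform PEM 2>/dev/null | pem_fingerprint
}

# Compare a served fingerprint ($1) with the on-disk one ($2).
# Prints a verdict; returns 0 on match, 1 on mismatch or if nothing was served.
compare_fingerprints() {
    if [ -n "$1" ] && [ "$1" = "$2" ]; then
        echo "OK: served certificate matches the file on disk"
        return 0
    fi
    echo "MISMATCH: served='$1' disk='$2'"
    echo "nginx is probably still holding an old certificate; run: sudo systemctl reload nginx"
    return 1
}

# check_origin HOSTNAME ORIGIN_IP CERT_FILE
check_origin() {
    echo "on-disk cert: $(disk_not_after "$3")"
    if ! disk_cert_still_valid "$3"; then
        echo "WARNING: the certificate file itself has expired; renewal is the problem, not reloading"
    fi
    compare_fingerprints "$(served_fingerprint "$1" "$2" 443)" "$(disk_fingerprint "$3")"
}

# Usage when run as a script (placeholder values; ORIGIN_IP is the origin's public address):
#   sh check_origin_cert.sh www.example.com ORIGIN_IP /etc/letsencrypt/live/example.com/fullchain.pem
if [ "$#" -eq 3 ]; then
    check_origin "$1" "$2" "$3"
fi
```

A mismatch with a still-valid file on disk is exactly the situation in this thread, and the fix is the reload. To stop it recurring, certbot's --deploy-hook option can run the reload command after every successful renewal, so the renewed file is picked up by NGINX as soon as it is written.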

