SSL Full vs Strict and Install?

Wanting to use CF SSL on a site. Following the docs for origin CA install, here:

I have pem and key files installed on the origin.
Also installed the CF intermediate files.
I can see the site using Full SSL mode.

Step 2, using Nginx, takes me to digicert which asks for concatenation of primary and intermediate CA files.

  1. Should I do this? And if so, what files are to be concatenated?
  2. Changing the setting from Full to Strict, throws a 526 invalid certificate error.
    What am I doing wrong.
1 Like

#4 of the link you posted refers to the intermediate certificate you might need to add.

The 526 occurs because you dont seem to have a valid certificate. Make sure the Origin certificate is properly in place.

Whats the domain?

1 Like

1 Like

And which encryption mode do you currently have set?

Would you feel comfortable sharing the server IP address here?

1 Like

Presently full mode.
DELETED then delete this ip from view.

1 Like

Can be deleted, the posting removed.

Your naked domain does have the certificate correctly in place, your “www” record however not. Apply it there as well and you should be able to switch to Full strict without problems.

1 Like


  1. I have this rule in place:*
Forwarding URL (Status Code: 301 - Permanent Redirect, Url:$1)

  1. These origin certs are for:

*, (2 hosts)

I thought the wildcard would cover the www? And in the case of having a redirect at CF wouldn’t that solve it?

1 Like

Fair enough, in this case the server-side configuration for www should be pretty irrelevant.

Should all work then.

As soon as I flip the switch to Strict, I get the 526 error.

Here’s the nginx server block (I use this on other sites too).

server {

listen 443 ssl http2; 

# Executes the Cache Control Expires map

expires $expires;



#include /etc/nginx/directives/sslsecurity.conf;

ssl_certificate       /etc/cloudflare-certs/pem/;

ssl_certificate_key   /etc/cloudflare-certs/key/;

root    /var/www/html/;

That is odd as the right certificate is configured. The only explanation I’d have right now is that the intermediate certificate is missing (though I’d still expect it to work). Have you configured this meanwhile?

And the IP address you mentioned earlier is the only one configured on Cloudflare?

Back to my OP - I have (2) origin certs (both.pem) on the server. However, I’m concerned about the instructions given at digicert for concatenation - what cert gets concatenated?

The IP is the only one that has ever been used for this site.

See attachment - the two CF certs are installed. The site cert is placed in each respective folder.

I am not quite sure how NGINX handles that but typically you appened one certificate to the other, so you’d have a text files with both in it.

Ehm, not sure if the domain was already in your possession last year, but there were quite a few 184 adresses back then.

Yes, familiar with the process of concetenation, since I did it many times when I purchased a cert. Question is - which files get concatenated, a digicert intermediate and the site pem, or the CF certs? Or something else.

The Origin certificate Cloudflare issued together with the intermediate certificate which you downloaded at #4.

The intermediate from CF? Which one: RSA or ECC?

Probably the first one. Just try it :slight_smile:

OK, so I concatenate the and the cloudflare_origin_rsa.pem

Thats what I suggested.