SSL/TLS Full Strict

My website is using a Let’s Encrypt certificate and, as of this morning, I’m no longer able to reach it when the SSL/TLS setting in Cloudflare is set to Full or Full (strict). If I move to Flexible, I’m able to reach the website. I’ve ensured the Let’s Encrypt certificate is not expired (March 2022). I came across a topic where this recently happened to someone else; Cloudflare changed the issuing CA to DigiCert for that user, who was/is also using a Let’s Encrypt certificate.

SSL Issues: Certificate has expired - Security - Cloudflare Community

SSL/TLS Full Enabled → website returns 500 Internal Server Error

SSL/TLS Full (strict) enabled → website returns Cloudflare splash page and states, “Error 526 - Invalid SSL certificate”

Since Full (strict) shows a 526, but Full just returns a server error, this sounds like the certificate Cloudflare is seeing at the origin is not valid.

You can also test the origin cert with this. But replace the 123 address with the real server address.
curl -svo /dev/null https://www.example.com --connect-to ::123.123.123.123 2>&1 | egrep -v "^{.*$|^}.*$|^* http.*$"

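
The curl command above shows whether the handshake succeeds, but the faster way to see what Cloudflare is being handed is to pull the leaf certificate the origin presents for the site’s hostname and inspect it directly. The script below is an added example for this thread, not code posted by either participant or shipped with acme-companion. It assumes only the openssl CLI (1.1.1 or newer) is installed; the address 123.123.123.123 and www.example.com are placeholders, and the “default.crt” it generates is a constructed stand-in for the container’s fallback certificate (same CN, but the real file may differ in other fields).

```shell
# Added example (not from the thread): inspect the certificate an origin
# actually serves for a hostname, the same view Cloudflare has in Full (strict).
# Assumes the openssl CLI (1.1.1 or newer) is installed.

# Fetch the leaf certificate the origin at IP $2 presents when asked for
# hostname $1 via SNI (port defaults to 443); PEM is written to stdout.
# Usage with placeholder addresses:
#   fetch_origin_cert www.example.com 123.123.123.123 > origin.pem
fetch_origin_cert() {
  openssl s_client -connect "$2:${3:-443}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509
}

# Report on a PEM certificate ($1) for the hostname a client asks for ($2):
# prints subject, issuer and validity dates, and returns 0 only when the
# name matches and the certificate has not expired. A name mismatch is what
# SSL Labs calls "Certificate name mismatch" and what makes Cloudflare
# Full (strict) answer with Error 526.
diagnose_cert() {
  pem=$1
  host=$2
  rc=0
  openssl x509 -in "$pem" -noout -subject -issuer -dates
  # -checkhost prints "does match" or "does NOT match" (SAN first, CN fallback)
  if ! openssl x509 -in "$pem" -noout -checkhost "$host" | grep -q "does match"; then
    echo "PROBLEM: certificate is not valid for $host"
    rc=1
  fi
  # -checkend 0 exits non-zero when the certificate has already expired
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
    echo "PROBLEM: certificate has expired"
    rc=1
  fi
  return $rc
}

# Constructed stand-in for the fallback default.crt a broken acme-companion
# run leaves in place: a self-signed certificate whose only name is the
# container's own. Writes default.key and default.crt into directory $1.
# The real default.crt may differ in fields other than the CN.
make_default_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -sha256 -days 365 -subj "/CN=letsencrypt-nginx-proxy-companion" \
    -keyout "$1/default.key" -out "$1/default.crt" 2>/dev/null
}

# Offline demo on the constructed certificate: this is what the thread's
# origin was serving, checked against the site's hostname.
demo_dir=$(mktemp -d)
make_default_cert "$demo_dir"
if diagnose_cert "$demo_dir/default.crt" www.example.com; then
  echo "origin certificate would pass Full (strict)"
else
  echo "origin certificate would fail Full (strict) with Error 526"
fi
rm -rf "$demo_dir"
```

To run it against a real origin, replace the demo with `fetch_origin_cert www.example.com 123.123.123.123 > origin.pem` followed by `diagnose_cert origin.pem www.example.com`, using the origin’s real IP so the check bypasses Cloudflare’s proxy the same way `--connect-to` does. If the subject or issuer comes back as the container name rather than Let’s Encrypt, nginx is serving its default certificate and no Cloudflare setting will fix that.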

Thank you for replying. I do agree there is a certificate issue. I’m trying to run the command you gave me, but I get “connection refused”. I moved away from Proxied and went back to DNS only under DNS → DNS Management and used SSL Labs to test the website. SSL Labs reports “Certificate name mismatch” and states the issuer is “letsencrypt-nginx-proxy-companion”. This is the name of a Docker container I use to generate/maintain my Let’s Encrypt certificates. Something must have gone bonkers, as I do see the correct certificate in the folder. Unfortunately, I’m unable to generate another Let’s Encrypt certificate for 5 days. For now, I’ll have to leave it as Flexible. Again, thanks for your help.


I wanted to follow up in the event this ever happens to anyone else. Because I hit Let’s Encrypt’s certificate issuance limit for my domain, the Docker container I’m using to handle the communication with Let’s Encrypt, nginxproxy/acme-companion, halted its script midway. As a result, the certificates were not moved out of a sub-folder, renamed to the domain name (domain.key and domain.crt) and presented to NGINX for use with the application. Since this was no longer happening, both SSL Labs and Cloudflare were being presented with the default.key and default.crt files.
