Weird SSL error

Hi all, I’d really appreciate some help.

I have been using the cloudflare API with a docker DDNS to update my dynamic IP successfully for months now. Yesterday, I was playing around with the certbot/cloudflare-dns container and didn’t realise that getting it to issue a certificate would cause problems with my existing SSL setup.

Until now, I have successfully been using the Origin Certs in Full (Strict) mode. I would like to be able to get back to that. Currently every time I visit anything hosted (across multiple domains) on my server I get a ‘526’ error. I know the certs and keys are good though – not least because I recreated all of them.

So far I have:

  • Reset global API key
  • Reset Origin CA
  • Rolled all api keys
  • Generated new Origin certs for every site and verified them numerous times

The DDNS container(s) all function 100%. When I visit the addresses, the SSL cert on the 526 is a Cloudflare origin one…

What can the Certbot have done that I need to undo? All five of my domains are currently down, including all of the associated sub-domains and services.

Modified your config file which could point to its own generated SSL certificate, or removed the line indicating the location of your Cloudflare Origin CA certificate which you used before?

DDNS, maybe it got wrong IP address “hooked” to an SSL certificate or did run only for a main domain, but not sub-domain(s)?

What is the output of running a command in your CLI:
curl -svo /dev/null https://yourdomain.com --connect-to ::your.host.ipv4.address 2>&1 | egrep -v "^{.*$|^}.*$|^* http.*$"

Is Cloudflare allowed to connect to your host/origin (docker setup)?
Is the SSL 443 port open at your host/origin?

What happens when you switch from :orange: to :grey: cloud at Cloudflare?

Have you already gone through the step-by-step instructions as suggested in the below article?:
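As an added example (not code from the thread or from Cloudflare), the direct-to-origin curl check above can be wrapped in a small shell script that summarises what the verbose output says: which TLS version was negotiated, who issued the certificate the origin presented, and what HTTP status came back. Running it against the origin IP with the real host name for SNI separates "Cloudflare cannot complete a TLS handshake with the origin" from "the origin answers, but not with the Origin CA certificate". The host name, IP and the issuer substring `CloudFlare Origin` are assumptions used for illustration; the sample output in the usage note is constructed.

```shell
#!/bin/sh
# Added example: test the origin directly (bypassing the Cloudflare edge) and
# summarise curl's verbose output. Assumes curl plus POSIX awk/sh; the domain,
# IP and issuer substring below are placeholders/assumptions, not values from
# the thread.

# Connect to the origin IP while sending the real host name for SNI, then feed
# curl's verbose log to the summariser.
# Usage: origin_check example.com 203.0.113.10
origin_check() {
    domain="$1"
    ip="$2"
    curl -svo /dev/null "https://$domain" --connect-to "::$ip" 2>&1 \
        | summarize_curl_verbose
}

# Read curl -v output on stdin and print tls=, issuer=, status= and a verdict.
# Verdicts:
#   tls-handshake-failed      no TLS session was established with the origin
#   tls-ok-no-http-response   TLS worked but no HTTP status line came back
#   origin-ca-cert-presented  the cert chain names the Cloudflare Origin CA
#   cert-not-from-origin-ca   the origin served some other certificate
summarize_curl_verbose() {
    awk '
      /^\* SSL connection using/   { proto = $5 }
      /^\*  issuer:/               { sub(/^\*  issuer: */, ""); issuer = $0 }
      /^< HTTP\//                  { status = $3 }
      /^\* .*(SSL_connect|handshake failure|certificate verify failed)/ { tls_error = 1 }
      END {
        printf "tls=%s\n",    (proto  != "" ? proto  : "none")
        printf "issuer=%s\n", (issuer != "" ? issuer : "none")
        printf "status=%s\n", (status != "" ? status : "none")
        if (tls_error || proto == "")          verdict = "tls-handshake-failed"
        else if (status == "")                 verdict = "tls-ok-no-http-response"
        # Assumption: Cloudflare Origin CA issuer names contain this substring.
        else if (issuer ~ /CloudFlare Origin/) verdict = "origin-ca-cert-presented"
        else                                   verdict = "cert-not-from-origin-ca"
        printf "verdict=%s\n", verdict
      }'
}

# Only perform a live check when a domain and an IP are given on the command line.
if [ "$#" -eq 2 ]; then
    origin_check "$1" "$2"
fi
```

With the proxy (orange cloud) still enabled, `origin_check` talks to the origin directly, so a `tls-handshake-failed` verdict points at port 443 or the reverse proxy in front of the containers rather than at Cloudflare; `cert-not-from-origin-ca` is what a proxy serving a freshly issued Let's Encrypt or self-signed certificate looks like. Since the thread's 526 was ultimately caused by a broken reverse-proxy rule, a handshake that fails or returns no HTTP status despite valid certificates is consistent with that outcome too.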

Thank you for the assistance. This turned out to be unrelated. Traefik is reverse proxying my home server and when you get a broken ‘rule’ it cascades and breaks literally everything else, it seems. This resulted in the 526 error, even though the TLS certs and setup were good.

It was literally a single character typo. Hope this helps someone else one day!
