Error 526 high
Cloudflare Error 526: Invalid SSL Certificate
Cloudflare connected over HTTPS but rejected your origin's certificate while running Full (Strict) SSL.
What you see
Error 526: Invalid SSL certificate
What happened? Cloudflare could not validate the SSL certificate on the origin web server.
What’s actually happening
Specific to Full (Strict) mode: the TLS handshake itself works, but Cloudflare refuses the origin's cert because it can't validate it. Flip to Full (non-strict) and the site comes back, because Full skips validation. Most often it shows up the day an origin cert expires, or right after someone installs a cert without its intermediate chain.
Common causes
- The origin certificate is expired or not yet valid (clock/date issues count too).
- It's self-signed, or signed by a CA that isn't in Cloudflare's trust store, while Full (Strict) is enforced.
- The cert is missing intermediate CA certificates, so Cloudflare can't build a chain to a trusted root.
- Hostname mismatch — the requested host isn't in the cert's Common Name or Subject Alternative Names.
- The cert was revoked by its issuer.
How to fix it
- Inspect the live origin certificate: `openssl s_client -connect ORIGIN_IP:443 -servername example.com </dev/null | openssl x509 -noout -dates -subject -issuer`. Check notAfter for expiry and confirm the subject/SAN covers the hostname. This one command usually tells you whether it's expired, self-signed, or mismatched.
- Fix the chain if intermediates are missing: The number-one 526 cause is an incomplete chain. Your origin must serve leaf + intermediate(s) in one bundle (nginx `ssl_certificate` should point at fullchain.pem, not just cert.pem). Verify with `openssl s_client -connect ORIGIN_IP:443 -servername example.com -showcerts </dev/null` and confirm the chain walks up to a public root.
- Install a Cloudflare Origin CA certificate: Generate one under SSL/TLS → Origin Server and install it on the origin. Cloudflare trusts these natively under Full (Strict), so it fixes expiry, self-signed, and chain problems in one move. It's free and valid for years.
- Renew or replace an expired/revoked cert: If it's a real public cert that lapsed, renew it (check why auto-renew failed: certbot timer disabled, ACME challenge blocked) and reload the web server. Don't just paper over it by downgrading SSL mode.
- If you must keep a self-signed cert, trust it explicitly: Add the self-signed/custom cert to Cloudflare's Custom Origin Trust Store so Full (Strict) accepts it, rather than dropping the whole zone to Full (non-strict) and losing origin validation everywhere.
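The three checks above (expiry, hostname coverage, chain completeness) can be run in one pass over a captured origin bundle before you re-enable Full (Strict). The script below is an added example, not from this page or from Cloudflare; it assumes the openssl CLI (1.1.1 or later), uses example.com and the file names as placeholders, and builds a throwaway root → intermediate → leaf PKI as constructed test data. The CA file you pass to it stands in for Cloudflare's trust store (on a Linux origin the public bundle is usually /etc/ssl/certs/ca-certificates.crt). Its chain check deliberately trusts only the intermediates that follow the leaf in the bundle, which is the situation Cloudflare is in when it validates what the origin serves.

```shell
#!/bin/sh
# Added example (not Cloudflare tooling): pre-flight checks on an origin cert
# bundle before enabling Full (Strict). Capture a live origin's bundle with:
#   openssl s_client -connect ORIGIN_IP:443 -servername example.com -showcerts </dev/null 2>/dev/null \
#     | sed -n '/BEGIN CERT/,/END CERT/p' > origin_bundle.pem
# Assumes the openssl CLI (1.1.1+). example.com and all file names are placeholders.

# 0 if the first cert in $1 stays valid for at least $2 days (default 14);
# 1 if it is already expired or expires inside that window.
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "$(( ${2:-14} * 86400 ))" >/dev/null 2>&1
}

# 0 if hostname $2 is covered by a SAN DNS entry (exact or *.parent wildcard)
# or by the subject CN of the first cert in $1.
cert_covers_host() {
  sans=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
         | grep -A1 'Subject Alternative Name' | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p')
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  # fixed-string match: the host itself, or a wildcard entry for its parent domain
  printf '%s\n%s\n' "$sans" "$cn" | grep -qxF -e "$2" -e "*.${2#*.}"
}

# 0 if the first cert in bundle $1 chains to a root in CA file $2 using only the
# intermediates that follow it in the bundle (i.e. what the origin actually serves).
chain_verifies() {
  tmp=$(mktemp -d) || return 2
  # cert 1 -> leaf.pem, certs 2..n -> int.pem (untrusted intermediates)
  awk -v dir="$tmp" '/BEGIN CERT/{n++} n>=1{print > (dir "/" (n==1 ? "leaf.pem" : "int.pem"))}' "$1"
  if [ -s "$tmp/int.pem" ]; then
    openssl verify -CAfile "$2" -untrusted "$tmp/int.pem" "$tmp/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$tmp/leaf.pem" >/dev/null 2>&1
  fi
  rc=$?
  rm -rf "$tmp"
  return $rc
}

# Runs all three checks on bundle $1 against CA file $2 for hostname $3,
# prints one verdict per check and returns the number of failed checks.
check_origin_bundle() {
  fails=0
  if cert_not_expiring "$1" 14; then echo "ok   expiry: more than 14 days left"
  else echo "FAIL expiry: expired or expiring within 14 days"; fails=$((fails+1)); fi
  if cert_covers_host "$1" "$3"; then echo "ok   hostname: $3 covered by SAN/CN"
  else echo "FAIL hostname: $3 not in SAN/CN"; fails=$((fails+1)); fi
  if chain_verifies "$1" "$2"; then echo "ok   chain: verifies to a trusted root with the served intermediates"
  else echo "FAIL chain: missing intermediate, or issuer not in the trust store"; fails=$((fails+1)); fi
  return $fails
}

# Builds a throwaway root -> intermediate -> leaf PKI in directory $1 (constructed
# test data, hypothetical names). Writes root.pem, int.pem, leaf.pem (valid 1 day,
# SAN example.com and *.example.com) and fullchain.pem (leaf + intermediate).
make_test_pki() {
  d=$1
  mkdir -p "$d" || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.com,DNS:*.example.com\n' > "$d/leaf.ext"
  key="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
  openssl req -new $key -subj /CN=Test-Root -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
  openssl req -new $key -subj /CN=Test-Intermediate -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial -days 2 \
    -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null || return 1
  openssl req -new $key -subj /CN=example.com -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial -days 1 \
    -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null || return 1
  cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"
}

# Usage: check_origin_bundle origin_bundle.pem /etc/ssl/certs/ca-certificates.crt example.com
```

Running `check_origin_bundle` on just the leaf (no intermediate) fails the chain check exactly the way Cloudflare does on an origin serving cert.pem instead of fullchain.pem, while the same leaf bundled with its intermediate passes; the 1-day test leaf also trips the 14-day expiry warning, which is the alerting window worth wiring into renewal monitoring.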
Stop it recurring
Automate cert renewal (certbot/ACME) with expiry alerting, and always deploy the full chain — or just use a Cloudflare Origin CA cert so expiry stops being your problem.