Cloudflare 526 Error
Learning Focus
By the end of this lesson you will understand what causes Cloudflare 526 Invalid SSL Certificate errors and how to fix origin certificate validation when using Full (Strict) mode.
What a 526 Means
A 526 error means the TLS handshake succeeded (unlike 525), but Cloudflare could not validate the origin certificate. This only happens in Full (Strict) mode, where Cloudflare requires the origin certificate to be trusted.
Common Causes
| Cause | Likelihood | Fix |
|---|---|---|
| Self-signed certificate | Very common | Use Cloudflare Origin CA or Let's Encrypt |
| Certificate hostname mismatch | Common | Ensure cert covers your domain |
| Expired certificate | Common | Renew and reload |
| Wrong Cloudflare SSL mode | Occasional | Change from Full (Strict) to Full if needed |
| CA bundle missing | Occasional | Include the intermediate chain file |
Key Difference: 525 vs 526
| Error | Handshake | Certificate | Problem Layer |
|---|---|---|---|
| 525 | Fails | N/A | Connection or listener config |
| 526 | Succeeds | Invalid | Certificate trust or hostname |
Diagnostic Steps
Step 1: Check What Certificate Is Being Served
# Connect and show the certificate details
# (</dev/null closes stdin so s_client exits after the handshake instead of waiting for input)
openssl s_client -connect localhost:443 -servername example.com </dev/null 2>/dev/null | \
openssl x509 -noout -subject -issuer -dates
# Look for:
# - subject: CN = example.com (must match your domain)
# - issuer: should be Cloudflare Origin CA, Let's Encrypt, or a known CA
# - notAfter: must be in the future
Step 2: Verify Domain Coverage
# Check all Subject Alternative Names (SANs)
openssl x509 -in /path/to/cert.pem -noout -text | grep -A1 "Subject Alternative Name"
# The cert must cover your exact domain:
# - example.com
# - *.example.com (if using wildcard)
Step 3: Check Certificate Chain
# Verify the full chain
openssl verify -CAfile /path/to/ca-bundle.pem /path/to/cert.pem
If you are using Cloudflare Origin CA certificates, the chain is trusted only by Cloudflare — this is expected and correct for Full (Strict) mode.
Step 4: Confirm Cloudflare SSL Mode
In the Cloudflare dashboard:
- Go to SSL/TLS → Overview
- Confirm the mode is Full (Strict)
- If you are using a self-signed cert, you must switch to Full (not Strict) or replace the certificate
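The openssl checks from Steps 1 to 3, as one added shell script that is not part of the original lesson nor of any Cloudflare or LiteSpeed tooling. It assumes openssl 1.1 or later on PATH; the `check_origin_cert` and `make_demo_certs` functions, the "Demo Origin CA", and the file names are assumptions constructed for the demo, and the generated certificates stand in for a real origin certificate and CA bundle. Each failed check is reported against the matching row of the Common Causes table.

```shell
#!/bin/sh
# Added example (not from the lesson, Cloudflare or LiteSpeed): automates the
# lesson's Steps 1-3 over a certificate file and maps each failure to a row of
# the "Common Causes" table. Assumes openssl 1.1+ on PATH. The paths, the
# "Demo Origin CA" and the example.com certificates are constructed for the demo.

# check_origin_cert CERT_PEM CA_BUNDLE_PEM HOSTNAME
# Prints one PROBLEM line per failed check; returns 0 only if every check passes.
check_origin_cert() {
    cert="$1"; bundle="$2"; host="$3"; rc=0

    # Step 1: who issued it, to whom (sed strips the "subject=" / "issuer=" label)
    subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    echo "subject: $subject"
    echo "issuer:  $issuer"

    # "Expired certificate": fail unless still valid for at least another 24h
    if ! openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null; then
        echo "PROBLEM: certificate is expired or expires within 24h"
        rc=1
    fi

    # "Self-signed certificate" (heuristic: subject equals issuer)
    if [ "$subject" = "$issuer" ]; then
        echo "PROBLEM: self-signed certificate (subject == issuer)"
        rc=1
    fi

    # Step 2, "Certificate hostname mismatch": SAN check with CN fallback and
    # wildcard matching, the same rules a TLS client applies
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match"; then
        echo "PROBLEM: certificate does not cover $host"
        rc=1
    fi

    # Step 3, "CA bundle missing": the chain must verify against the bundle
    if ! openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        echo "PROBLEM: chain does not verify against $bundle"
        rc=1
    fi
    return $rc
}

# make_demo_certs DIR: writes constructed test material into DIR:
#   ca.pem    demo CA (plays the role of the Cloudflare Origin CA root)
#   good.pem  example.com cert signed by that CA  -> passes every check
#   self.pem  self-signed example.com cert        -> the classic 526 trigger
make_demo_certs() {
    dir="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    printf 'subjectAltName=DNS:example.com,DNS:*.example.com\n' > "$dir/leaf.ext"

    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Origin CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 30 \
        -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null

    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.com" \
        -keyout "$dir/self.key" -out "$dir/self.csr" 2>/dev/null
    openssl x509 -req -in "$dir/self.csr" -signkey "$dir/self.key" -days 30 \
        -extfile "$dir/leaf.ext" -out "$dir/self.pem" 2>/dev/null

    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.com" \
        -keyout "$dir/good.key" -out "$dir/good.csr" 2>/dev/null
    openssl x509 -req -in "$dir/good.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/leaf.ext" -out "$dir/good.pem" 2>/dev/null
}

# Usage against a real origin:
#   sh check526.sh /etc/ssl/certs/cloudflare-origin.pem /path/to/ca-bundle.pem example.com
# With no arguments, run the constructed demo instead.
if [ "$#" -eq 3 ]; then
    check_origin_cert "$1" "$2" "$3"
elif [ "$#" -eq 0 ]; then
    d=$(mktemp -d)
    make_demo_certs "$d"
    echo "== CA-signed cert =="; check_origin_cert "$d/good.pem" "$d/ca.pem" www.example.com
    echo "== self-signed cert =="; check_origin_cert "$d/self.pem" "$d/ca.pem" example.com || true
fi
```

For a real Cloudflare Origin CA certificate the bundle argument must be Cloudflare's Origin CA root, not the system trust store; as the note under Step 3 says, a chain failure against the system store is expected for that certificate type and is not a 526 cause.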
Fix Options
| Situation | Recommended Fix |
|---|---|
| No valid certificate | Generate a Cloudflare Origin CA cert |
| Self-signed certificate | Replace with Cloudflare Origin CA or Let's Encrypt |
| Wrong hostname on cert | Re-issue the cert with the correct domain(s) |
| Expired certificate | Renew and upload the new cert |
| Missing CA bundle | Download and concatenate the intermediate cert |
Generating a Cloudflare Origin Certificate
- Cloudflare dashboard → SSL/TLS → Origin Server → Create Certificate
- Select RSA or ECDSA
- Add hostnames: example.com and *.example.com
- Choose certificate validity (15 years is fine for origin-only certs)
- Copy the certificate and private key
- Save them on your server:
sudo nano /etc/ssl/certs/cloudflare-origin.pem # paste certificate
sudo nano /etc/ssl/private/cloudflare-origin.key # paste private key
# Lock down the private key
sudo chmod 600 /etc/ssl/private/cloudflare-origin.key
- Configure the SSL listener in WebAdmin to use these paths
- Graceful reload:
sudo /usr/local/lsws/bin/lswsctrl restart
Info: Cloudflare Origin CA certificates are only trusted by Cloudflare. They will show as "untrusted" if you access the server directly. This is by design.
Key Takeaways
- 526 means certificate trust failed — the handshake worked but Cloudflare cannot validate the cert.
- Use Cloudflare Origin CA certificates for the simplest Full (Strict) setup.
- Verify the certificate subject, SANs, expiry, and issuer with openssl.
- Self-signed certificates require downgrading to Full mode (not recommended for production).
What's Next
- Continue to Certificate Mismatch for diagnosing SNI and listener mapping issues.