Error Codes Wiki

HTTP 526 Invalid SSL Certificate — Cloudflare Origin Certificate Validation Failed


Overview

Cloudflare's edge returns HTTP 526 when the zone is in Full (Strict) SSL/TLS mode and the certificate the origin server presents fails validation: it is expired, does not cover the requested hostname, is self-signed, or is served without the intermediate certificates needed to chain to a trusted root. This page covers how to diagnose which of those it is and how to fix it without weakening the Cloudflare-to-origin hop.

Key Details

  • HTTP 526 is generated by Cloudflare's edge, not by the origin, and only in Full (Strict) SSL/TLS mode, when Cloudflare cannot validate the certificate the origin presents
  • Full (Strict) requires the origin certificate to be issued by a publicly trusted CA or by Cloudflare Origin CA (Origin CA certificates are trusted by Cloudflare's edge only, not by browsers, so they suit proxied hostnames only)
  • The certificate must be within its validity period, must cover the hostname Cloudflare sends in SNI (the proxied site hostname, not the server's internal name), and must be served together with every intermediate certificate needed to chain to a trusted root
  • Self-signed certificates are rejected in Full (Strict). Downgrading to Full makes the error disappear but removes origin authentication: an attacker on the path between Cloudflare and the origin could then present any certificate. A free Cloudflare Origin CA certificate or a publicly trusted certificate fixes the error without that loss
  • 526 is distinct from 525. A 525 means the TLS handshake itself failed (nothing speaking TLS on the port, no cipher suite in common); a 526 means the handshake completed but the presented certificate failed validation

Common Causes

  • Origin SSL certificate has expired and was not renewed
  • Certificate subject alternative names (SAN) do not cover the hostname Cloudflare sends in SNI; a certificate issued for the server's internal name, or only for the bare domain when the proxied hostname is www, triggers this
  • Self-signed certificate used with Full (Strict) SSL mode
  • Incomplete certificate chain — intermediate CA certificates not installed on origin

Steps

  1. Check certificate validity as Cloudflare sees it, sending the proxied hostname in SNI so the origin selects the right certificate: openssl s_client -connect origin:443 -servername www.example.com </dev/null 2>/dev/null | openssl x509 -noout -dates -subject. Add -checkend 604800 to get a non-zero exit status when the certificate expires within seven days
  2. Renew the certificate if it has expired, for example with Let's Encrypt and certbot for free automatic renewal. After renewal the web server must reload to pick up the new file; a certbot --deploy-hook that reloads the server avoids the common "renewed on disk but origin still serves the old certificate" case
  3. Alternatively, install a Cloudflare Origin CA certificate, which Cloudflare's edge always trusts. Because browsers do not trust it, use it only on hostnames that are always reached through Cloudflare
  4. Serve the full chain: the server certificate followed by every intermediate CA certificate, leaf first. Do not append the root; the root is the trust anchor held by the validator (Cloudflare) and sending it is unnecessary. With certbot this means configuring the server with fullchain.pem, not cert.pem
  5. Verify the certificate covers the proxied hostname in its SAN list: openssl x509 -in cert.pem -noout -text | grep DNS. Modern validators match on SAN entries and ignore the common name, so the hostname must appear as a DNS entry there
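The steps above can be rehearsed offline before touching a real origin. The script below is an added example, not tooling from the wiki or from Cloudflare: it builds a small throwaway PKI (a root, an intermediate, and a leaf for a constructed hostname www.example.com) and then runs the same checks Cloudflare's edge applies in Full (Strict) mode, using openssl verify with -verify_hostname for the chain and hostname and openssl x509 -checkend for expiry. The scenario functions reproduce each failure mode the page lists (missing intermediate, wrong hostname, self-signed, about to expire) so you can see which openssl invocation catches which mistake. All file names, subjects and the hostname are constructed fixtures.

```shell
#!/bin/sh
# Added example: offline rehearsal of the HTTP 526 checks with a throwaway PKI.
# Not Cloudflare's or the wiki's own tooling; all names below are constructed.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Hostname Cloudflare would send in SNI for the proxied site (constructed).
HOST="www.example.com"

# Generate an EC key and a CSR: $1 = file prefix, $2 = subject.
newkey_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

# Extension files: CA profile for root/intermediate, server profile for leaves.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$HOST" > leaf.ext

# Root CA, self-signed: stands in for a public CA that Cloudflare already trusts.
newkey_csr root "/CN=Example Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.pem 2>/dev/null

# Intermediate CA signed by the root: the piece origins most often forget to serve.
newkey_csr intermediate "/CN=Example Issuing CA"
openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -extfile ca.ext -out intermediate.pem 2>/dev/null

# Good leaf for $HOST (90 days), signed by the intermediate, SAN set correctly.
newkey_csr leaf "/CN=$HOST"
openssl x509 -req -in leaf.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial \
  -days 90 -extfile leaf.ext -out leaf.pem 2>/dev/null

# Leaf that expires tomorrow, for the renewal check.
newkey_csr short "/CN=$HOST"
openssl x509 -req -in short.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial \
  -days 1 -extfile leaf.ext -out short.pem 2>/dev/null

# Self-signed leaf with the right hostname: what Full (Strict) rejects outright.
newkey_csr selfsigned "/CN=$HOST"
openssl x509 -req -in selfsigned.csr -signkey selfsigned.key -days 90 -extfile leaf.ext \
  -out selfsigned.pem 2>/dev/null

# Step 1: will the certificate still be valid in $2 days? Exit 0 = yes, 1 = no.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Steps 4 and 5: chain building plus hostname match, the way a validator does it.
# $1 = SNI hostname, $2 = trust anchor, $3 = leaf, $4.. = intermediates served by
# the origin (possibly none). Returns openssl verify's exit status (0 = passes).
origin_cert_ok() {
  host="$1"; anchor="$2"; leaf="$3"; shift 3
  untrusted=""
  for c in "$@"; do untrusted="$untrusted -untrusted $c"; done
  # $untrusted is intentionally unquoted so it splits into separate arguments.
  openssl verify -purpose sslserver -verify_hostname "$host" -CAfile "$anchor" \
    $untrusted "$leaf" >/dev/null 2>&1
}

# One function per scenario from the wiki's list of causes.
scenario_good()            { origin_cert_ok "$HOST" root.pem leaf.pem intermediate.pem; }
scenario_no_intermediate() { origin_cert_ok "$HOST" root.pem leaf.pem; }
scenario_wrong_host()      { origin_cert_ok "origin.internal" root.pem leaf.pem intermediate.pem; }
scenario_self_signed()     { origin_cert_ok "$HOST" root.pem selfsigned.pem; }
scenario_expiring_soon()   { cert_valid_for_days short.pem 7; }

# Report, without aborting on the expected failures.
report() { if "$1"; then echo "$1: OK"; else echo "$1: FAIL (would be a 526)"; fi; }
report scenario_good
report scenario_no_intermediate
report scenario_wrong_host
report scenario_self_signed
report scenario_expiring_soon
```

Against a live origin, replace the local files with what openssl s_client -showcerts returns: the first certificate is the leaf, any further ones are the intermediates the origin actually serves, and the trust anchor is a public root bundle. If origin_cert_ok fails only when the intermediates are left out, the fix is step 4 (serve fullchain.pem); if it fails only with the proxied hostname, the fix is step 5 (reissue with the right SAN).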

Tags

cloudflare, 526, ssl-certificate, expired, validation


Frequently Asked Questions

Can I use a Let's Encrypt certificate with Full (Strict) mode?

Yes. Let's Encrypt certificates chain to a publicly trusted root, so Cloudflare accepts them in Full (Strict) mode. Install certbot on the origin with automatic renewal, point the web server at fullchain.pem (which includes the intermediate) rather than cert.pem, and add a deploy hook that reloads the server so the renewed certificate is actually served. The certificate must list the proxied hostname in its SAN entries.