HTTP 526 Invalid SSL Certificate — Cloudflare Origin Certificate Validation Failed
About HTTP 526 Invalid SSL Certificate
Fix Cloudflare HTTP 526 error when the origin server presents an invalid, expired, or untrusted SSL certificate in Full (Strict) mode. This guide covers everything you need to know about this topic, including common causes, step-by-step solutions, and answers to frequently asked questions.
Here are the key things to understand: HTTP 526 occurs only in Full (Strict) SSL mode, when Cloudflare cannot validate the origin's SSL certificate. Full (Strict) requires the origin to present a certificate signed by a trusted CA or by Cloudflare Origin CA. The certificate must match the origin hostname, must not be expired, and must be served with a valid certificate chain. Self-signed certificates are not accepted in Full (Strict) mode: either use Full mode or obtain a proper certificate. This differs from 525 (handshake failed): with 526 the TLS handshake completed, but the certificate presented is invalid. Understanding these fundamentals will help you diagnose and resolve the issue more effectively.
The most common reasons this occurs include: the origin SSL certificate has expired and was not renewed; the certificate's common name (CN) or subject alternative name (SAN) does not match the origin hostname; a self-signed certificate is used with Full (Strict) SSL mode; or the certificate chain is incomplete because the intermediate CA certificates are not installed on the origin. Identifying the root cause is the first step toward finding the right solution.
To resolve this, follow these recommended steps. Check the certificate's validity period (the `-servername` option sends SNI so the origin returns the certificate for that hostname, and `</dev/null` stops `s_client` from waiting on stdin): `openssl s_client -connect origin:443 -servername origin </dev/null | openssl x509 -noout -dates`. Renew the SSL certificate if it has expired; Let's Encrypt's certbot provides free automatic renewal. Alternatively, install a Cloudflare Origin CA certificate, which Cloudflare's edge always trusts. Ensure the full certificate chain is installed: server cert + intermediate cert + root cert. Verify that the certificate covers the correct hostname: `openssl x509 -in cert.pem -noout -text | grep DNS`. If these steps do not resolve the issue, consider consulting additional resources or a qualified professional.
This article is part of our HTTP Status Codes collection on Error Codes Wiki. We provide comprehensive, up-to-date information to help you find solutions quickly.
Quick Answer
Can I use a Let's Encrypt certificate with Full (Strict)?
Yes. Let's Encrypt certificates are trusted by Cloudflare. Install certbot on your origin server with auto-renewal, and Full (Strict) mode will work perfectly.
Overview
Fix Cloudflare HTTP 526 error when the origin server presents an invalid, expired, or untrusted SSL certificate in Full (Strict) mode.
Key Details
- HTTP 526 occurs only in Full (Strict) SSL mode when Cloudflare cannot validate the origin SSL certificate
- Full (Strict) requires the origin to have a certificate signed by a trusted CA or Cloudflare Origin CA
- The certificate must match the origin hostname, not be expired, and have a valid certificate chain
- Self-signed certificates are not accepted in Full (Strict) mode — use Full mode or get a proper certificate
- This is different from 525 (handshake failed) — 526 means the handshake completed but the certificate is invalid
Common Causes
- Origin SSL certificate has expired and was not renewed
- Certificate common name or SAN does not match the origin hostname
- Self-signed certificate used with Full (Strict) SSL mode
- Incomplete certificate chain — intermediate CA certificates not installed on origin
Steps
1. Check certificate validity (with SNI, and without `s_client` blocking on stdin): `openssl s_client -connect origin:443 -servername origin </dev/null | openssl x509 -noout -dates`
2. Renew the SSL certificate if expired; use Let's Encrypt certbot for free auto-renewal
3. Install a Cloudflare Origin CA certificate, which is always trusted by Cloudflare's edge
4. Ensure the full certificate chain is installed: server cert + intermediate cert + root cert
5. Verify the certificate covers the correct hostname: `openssl x509 -in cert.pem -noout -text | grep DNS`
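The expiry, hostname and chain checks from the steps above, run against the origin the way Cloudflare's edge runs them, as an added Python example that is not part of this article: it assumes the origin is reachable directly by IP (the hypothetical `connect_to` parameter, so the check bypasses the Cloudflare proxy) and maps OpenSSL's verify codes to the causes listed under Common Causes.

```python
"""Pre-flight check for Full (Strict): verify the origin cert as the edge would."""
import socket
import ssl
import time
from typing import Optional

# OpenSSL X509 verify result codes, as exposed by
# ssl.SSLCertVerificationError.verify_code, mapped to the 526 causes above.
VERIFY_CODE_CAUSES = {
    10: "certificate expired (X509_V_ERR_CERT_HAS_EXPIRED)",
    18: "self-signed certificate (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)",
    19: "self-signed root in chain (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)",
    20: "incomplete chain, intermediate missing (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)",
    21: "incomplete chain, leaf unverifiable (X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)",
    62: "hostname mismatch, CN/SAN does not cover origin (X509_V_ERR_HOSTNAME_MISMATCH)",
}

def classify_verify_error(verify_code: int) -> str:
    """Translate an OpenSSL verify code into one of the 526 causes."""
    return VERIFY_CODE_CAUSES.get(verify_code, f"other verification failure (code {verify_code})")

def days_until_expiry(not_after: str, now_ts: Optional[float] = None) -> float:
    """Days left on a cert, from getpeercert()['notAfter'] ('Jun 20 12:00:00 2030 GMT').
    Negative means already expired. now_ts is an epoch override (used by tests)."""
    now_ts = time.time() if now_ts is None else now_ts
    return (ssl.cert_time_to_seconds(not_after) - now_ts) / 86400

def check_origin(hostname: str, connect_to: Optional[str] = None, port: int = 443) -> dict:
    """Connect with SNI=hostname and verify exactly as Full (Strict) does.
    connect_to (hypothetical parameter) is the origin IP, so the check bypasses
    Cloudflare's proxy and sees the certificate the origin really serves."""
    ctx = ssl.create_default_context()  # system CA store + hostname check enabled
    try:
        with socket.create_connection((connect_to or hostname, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "not_after": cert["notAfter"],
                        "days_left": round(days_until_expiry(cert["notAfter"]), 1),
                        "sans": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]}
    except ssl.SSLCertVerificationError as e:  # handshake finished, cert rejected: 526
        return {"ok": False, "error": "526-class", "cause": classify_verify_error(e.verify_code)}
    except ssl.SSLError as e:  # handshake itself failed: 525-class
        return {"ok": False, "error": "525-class", "cause": str(e)}
    except OSError as e:  # TCP-level failure (firewall, wrong IP), not a certificate problem
        return {"ok": False, "error": "connect", "cause": str(e)}
```

A `days_left` close to zero on an `ok` result means renewal is about to fail into a 526, so it is worth alerting on before the date passes.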