Cloudflare Error 526: Invalid SSL Certificate

Cloudflare reached your origin, but the certificate it received did not validate. Here are the four common causes, how to fix each one in minutes, and how to make sure you never see 526 because of an expired origin certificate again.

What does error 526 actually mean?

Error 526 is a Cloudflare-generated response, not an error returned by your origin. Cloudflare connected to the origin server, but when it tried to validate the TLS certificate the origin presented, validation failed. The most common reason is that the origin certificate is expired. The other reasons are a hostname mismatch, a self-signed certificate, or a certificate signed by a Certificate Authority Cloudflare does not trust under Full (strict) mode.

Switching SSL/TLS encryption mode from Full (strict) to Full in the Cloudflare dashboard will usually make 526 go away, but it also disables certificate validation between Cloudflare and your origin. Treat that as a temporary mitigation, not a fix.

Diagnose in 30 seconds

Run this from any machine that can reach your origin directly (bypass Cloudflare):

echo | openssl s_client -servername your-origin.example.com -connect your-origin.example.com:443 2>/dev/null | openssl x509 -noout -dates -subject -issuer -ext subjectAltName

Check three things: notAfter (is it in the past?), subject / SAN (does it include the hostname Cloudflare connects to?), and issuer (is it a public CA, or self-signed?). The output usually points straight at the cause.
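As an added example (not code from this page or from Certimon), the script below parses the text that openssl x509 -noout -dates -subject -issuer -ext subjectAltName prints for the origin certificate and maps it onto the four causes this page lists: expired, hostname mismatch, self-signed, untrusted CA. It also reports the days left until notAfter, which is the number a 30-day reminder keys on. The sample outputs, the origin hostname, the fixed "now" and the list of trusted issuer organisations are all constructed placeholders; Cloudflare's real edge trust store is far larger than the list here, and the subject-equals-issuer test is only a heuristic for "self-signed".

```python
"""Triage an origin certificate for Cloudflare 526 from openssl x509 text output.

Assumes the OpenSSL 1.1.1+ output format ("subject=CN = host, O = ...") and the
-ext subjectAltName flag. Everything below that looks like real data is constructed.
"""
import re
from datetime import datetime, timezone

# Placeholder: issuer organisations treated as publicly trusted. The real edge
# trust store is much larger; extend this for your own environment.
TRUSTED_ISSUER_ORGS = {"Let's Encrypt", "DigiCert Inc", "Sectigo Limited"}

# Fixed clock so the results are reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def dn_field(dn, key):
    """Extract one attribute (e.g. CN or O) from an 'A = x, B = y' distinguished name."""
    m = re.search(rf"(?:^|,\s*){key}\s*=\s*(.*?)(?=,\s*[A-Z]+\s*=|$)", dn)
    return m.group(1).strip() if m else ""


def parse_openssl_date(value):
    """Parse 'Mar 31 23:59:59 2024 GMT' as an aware UTC datetime."""
    return datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_openssl_output(text):
    """Pull notAfter, subject, issuer and the DNS SAN entries out of the openssl text."""
    fields = dict(re.findall(r"^(notBefore|notAfter|subject|issuer)=(.*)$", text, re.M))
    subject, issuer = fields.get("subject", ""), fields.get("issuer", "")
    return {
        "not_after": parse_openssl_date(fields["notAfter"]),
        "subject": subject,
        "issuer": issuer,
        "subject_cn": dn_field(subject, "CN"),
        "issuer_org": dn_field(issuer, "O"),
        "san": re.findall(r"DNS:([^\s,]+)", text),
    }


def hostname_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard covers exactly one left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return hostname.endswith("." + base) and "." not in hostname[: -len(base) - 1]
    return pattern == hostname


def classify(openssl_output, hostname, now=None):
    """Return which of the four 526 causes applies, or 'ok'. Checks run in the
    order the page lists them, so the most common cause is reported first."""
    now = now or datetime.now(timezone.utc)
    info = parse_openssl_output(openssl_output)
    if info["not_after"] <= now:
        return "expired"
    # Prefer SAN entries; fall back to the CN only for certificates without a SAN.
    names = info["san"] or ([info["subject_cn"]] if info["subject_cn"] else [])
    if not any(hostname_matches(n, hostname) for n in names):
        return "hostname_mismatch"
    if info["subject"] == info["issuer"]:  # heuristic: self-issued leaf
        return "self_signed"
    if info["issuer_org"] not in TRUSTED_ISSUER_ORGS:
        return "untrusted_ca"
    return "ok"


def days_until_expiry(openssl_output, now=None):
    """Days from now until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (parse_openssl_output(openssl_output)["not_after"] - now).days


def sample(not_after, subject, issuer, sans):
    """Build a constructed openssl text block for the cases below (not real output)."""
    san_line = ", ".join("DNS:" + s for s in sans)
    return (f"notBefore=Jan  1 00:00:00 2024 GMT\nnotAfter={not_after}\n"
            f"subject={subject}\nissuer={issuer}\n"
            f"X509v3 Subject Alternative Name: \n    {san_line}\n")


LE = "C = US, O = Let's Encrypt, CN = R3"
SAMPLES = {  # constructed: one sample per cause, plus a healthy wildcard certificate
    "expired": sample("Mar 31 23:59:59 2024 GMT", "CN = origin.example.com", LE, ["origin.example.com"]),
    "mismatch": sample("Dec 31 23:59:59 2030 GMT", "CN = www.example.com", LE, ["www.example.com"]),
    "self_signed": sample("Dec 31 23:59:59 2030 GMT", "CN = origin.example.com",
                          "CN = origin.example.com", ["origin.example.com"]),
    "internal_ca": sample("Dec 31 23:59:59 2030 GMT", "CN = origin.example.com",
                          "C = US, O = Example Corp Internal PKI, CN = Example Root", ["origin.example.com"]),
    "wildcard_ok": sample("Dec 31 23:59:59 2030 GMT", "CN = *.example.com", LE, ["*.example.com"]),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:12s} -> {classify(text, 'origin.example.com', NOW)}"
              f" ({days_until_expiry(text, NOW)} days left)")
```

To use it against a live origin, capture the command's output into a string and call classify(output, hostname) with the hostname Cloudflare actually connects to, not necessarily the public one. The order of the checks matters: an expired certificate is reported as such even if its SAN list is also wrong, which matches how you would fix things in practice.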

The four causes and how to fix each

1. Origin certificate is expired

This is the most common cause. notAfter is in the past, the renewal cron never ran, or the certbot hook failed silently. Renew the certificate (sudo certbot renew --force-renewal on Let's Encrypt setups), restart the web server, and confirm with openssl s_client that the new expiry is in the future. Cloudflare will start accepting the origin again within seconds — there is nothing to purge.

2. Hostname mismatch (SAN does not include the hostname)

Cloudflare connects to your origin using the hostname configured for the zone, often the same as the public hostname. If the origin certificate is issued for www.example.com but Cloudflare connects to origin.example.com, validation fails. Either reissue the certificate with the origin hostname in the Subject Alternative Name list, use a wildcard certificate that covers it, or point Cloudflare at the hostname that is already covered.

3. Self-signed certificate

Under Full (strict) Cloudflare rejects self-signed certificates. The easiest fix is a free Cloudflare Origin CA certificate (Dashboard → SSL/TLS → Origin Server). Cloudflare's edge trusts Origin CA automatically and the cert is valid for up to 15 years, but it is trusted only by Cloudflare's edge, so it is of no use to clients that connect to the origin directly. Public CAs like Let's Encrypt also work and have the advantage of being valid for non-Cloudflare clients too.

4. Untrusted CA

If the certificate is signed by an internal CA, a private PKI, or a CA Cloudflare's edge has not added to its trust store, Full (strict) treats it the same as self-signed. Replace it with an Origin CA certificate, a Let's Encrypt certificate, or a commercial certificate from a well-known CA.

Why you keep seeing 526 even after fixing it

  • You forgot to reload the web server. Nginx and Apache cache the previous certificate until they reload. Run sudo systemctl reload nginx (or apachectl graceful) after renewal.
  • Multiple origins behind a load balancer. Each origin needs the new certificate. One stale node will produce intermittent 526s that come and go.
  • Authenticated Origin Pulls is enabled but the client certificate at the origin is wrong. Check both directions, not just the server cert.
  • The wrong certificate is bound in cPanel/Plesk/IIS. Some panels keep the old certificate active even after a new one is uploaded.

Prevent the next 526 before it happens

The most embarrassing version of 526 is the one caused by an origin certificate that simply ran out. Renewal cron jobs fail quietly. Webroot permissions change. ACME challenges break after a config update. The result is always the same: a clean origin, no application errors, and a site that is offline for everyone because Cloudflare refuses to talk to it.

Certimon is a free Telegram bot that checks SSL certificates externally and pings you before they expire. Add your origin hostname (or the public hostname Cloudflare uses, depending on your setup) and get a reminder 30 days out — well before Cloudflare ever returns 526.

Open @CertimonBot on Telegram and send:

/remind your-origin.example.com 30

Free forever. No registration. No agent on your origin. Learn more or check the SSL expiry checker guide.

FAQ

What does Cloudflare error 526 mean?

Cloudflare connected to your origin server but could not validate its SSL certificate. The certificate is expired, has the wrong hostname, is self-signed, or is signed by a CA Cloudflare does not trust under Full (strict) mode.

How do I fix Cloudflare error 526?

Run openssl s_client against the origin to identify which of the four causes applies (expired, hostname mismatch, self-signed, untrusted CA), then renew or replace the certificate accordingly. Switching to Full instead of Full (strict) hides the problem but is not a fix.

Why am I getting 526 only on one subdomain?

The origin certificate probably does not cover that subdomain in its Subject Alternative Name list. Reissue with the missing hostname or use a wildcard certificate.

Does Cloudflare Full (strict) require a publicly trusted certificate?

It requires either a certificate from a publicly trusted CA or a Cloudflare Origin CA certificate. Self-signed certificates always fail.

How can I be warned before my origin certificate causes a 526?

Send /remind your-origin.example.com 30 to @CertimonBot on Telegram. You will be reminded 30 days before expiry, long before Cloudflare starts rejecting the certificate.