HTTP 526 · Cloudflare

Cloudflare Error 526: Invalid SSL Certificate

A 526 means Cloudflare reached your origin over HTTPS and the handshake completed, but the certificate it found didn't pass validation. The connection got further than a 525; the failure is the certificate itself, not the negotiation. It only happens in Full (Strict) mode.

Quick answer

Your origin's certificate is expired, self-signed, missing intermediate certificates, revoked, or doesn't match the hostname. Under Full (Strict), Cloudflare rejects all of these. Replace it with a certificate from a trusted CA, or install a free Cloudflare Origin CA certificate, which Full (Strict) trusts by default.

Whose fault is it

Your origin cert
yes
Cloudflare
validating
The visitor
no

The invalid certificate lives on your origin. Cloudflare is doing its job: in Full (Strict) mode it validates the origin certificate and refuses to trust one that's expired, untrusted, or wrong. Changing your IP or browser won't fix it; the cert is the problem.

525 versus 526, since they're constantly confused

Both involve HTTPS between Cloudflare and your origin, but they fail at different points. A 525 means the TLS handshake itself couldn't complete: no shared cipher, no certificate at all, port 443 closed. A 526 means the handshake succeeded, Cloudflare inspected the certificate your origin presented, and rejected it as invalid. With a 525, Cloudflare never got to see a usable certificate. With a 526, it saw one and didn't trust it.

A 526 is specific to Full (Strict) mode. In plain Full mode, Cloudflare accepts any certificate regardless of validity, so a 526 can't occur there; you'd only have handshake-level failures.

The common causes, most likely first

  1. The certificate is expired The most common cause by far, and the most avoidable. SSL certificates have a fixed lifespan, and if renewal didn't happen (a failed cron, a lapsed Let's Encrypt auto-renew, a forgotten manual cert), the cert expires and Full (Strict) rejects it instantly. Check the expiry date and renew.
  2. The certificate is self-signed A self-signed certificate isn't issued by a trusted authority, so Full (Strict) won't accept it. This is the classic trap: someone enables Full (Strict) on a server that's only ever had a self-signed cert. Either install a trusted certificate or, simplest, use a Cloudflare Origin CA cert.
  3. Missing intermediate certificates The certificate is valid but the chain is incomplete: the server presents the leaf certificate without the intermediate(s) that link it to the trusted root. Some clients tolerate this; Cloudflare's strict validation doesn't. Reinstall the full chain (fullchain, not just the cert).
  4. A hostname mismatch The certificate's Common Name or Subject Alternative Names don't include the domain Cloudflare is requesting. A cert issued for www.example.com presented for example.com, or a default server cert presented because SNI isn't matching. Cloudflare rejects a cert that doesn't cover the hostname.
  5. The certificate was revoked Less common, but a certificate that's been revoked by its issuer fails validation. If you recently reissued or had a key compromise, the old cert may still be installed and now revoked.

How to diagnose it

  1. Inspect the certificate your origin actually presents, bypassing Cloudflare: openssl s_client -connect ORIGIN_IP:443 -servername yourdomain.com. Read the validity dates, the issuer, and the subject. This tells you immediately whether it's expired, self-signed, or for the wrong host.
  2. Check the chain is complete. openssl s_client output shows the certificate chain; a single self-signed cert or a missing intermediate is visible here.
  3. Confirm the hostname is covered: look at the Subject and Subject Alternative Name fields and check your domain is listed.
  4. If everything looks valid to you but Cloudflare still rejects it, the chain order or an intermediate is likely the issue. Reinstall using the full chain file from your CA.

The clean fix

For most people the fastest permanent fix is a Cloudflare Origin CA certificate. Generate it in the dashboard under SSL/TLS, Origin Server, Create Certificate. It's free, valid for up to 15 years, and Cloudflare trusts it by definition, so it satisfies Full (Strict) without any of the expiry, chain, or trust problems that trip up public certificates on the origin leg. Install the cert and key on your server, restart the web server, and the 526 clears. If you'd rather use a public CA, make sure you install the full chain and keep auto-renewal genuinely working, since a silent renewal failure is what produces most 526s in the first place.

Most 526s are an expired certificate nobody was watching

Certificate expiry is the most predictable outage in infrastructure, and still one of the most common. failover.io monitors SSL certificate expiry and warns you 30 days out, escalates at 7, and pages at 1, so a cert never lapses unnoticed. If validation does break, the alert chain runs from email to SMS to a phone call. Free plan: 5 monitors, no card.

Start monitoring free

Other Cloudflare 5xx errors