SSL Troubleshooting Guide

How to Fix Cloudflare Error 526 (Invalid SSL Certificate)

Cloudflare Error 526 means your origin presented a certificate Cloudflare cannot trust, often under Full (strict) mode. Learn how to fix expiry, hostname mismatch, and incomplete chains on your origin server.

Invalid SSL certificate (Error 526) appears when Cloudflare connects to your origin over HTTPS but cannot validate the certificate your origin presents. Under Full (strict) SSL mode, Cloudflare requires a trusted, hostname-matching certificate on the origin. If validation fails, visitors see Error 526.

Error 526 is more specific than Error 525. With 526, a handshake often starts, but the certificate itself is rejected: expired, self-signed (when strict mode disallows it), wrong hostname, or incomplete chain.

What causes Cloudflare Error 526?

Step 1: Check Cloudflare SSL/TLS encryption mode

Go to SSL/TLSOverview in the Cloudflare dashboard.

  • Full (strict) is the most common context for 526. Origin must present a publicly trusted cert that matches the host.
  • Full allows self-signed origin certificates. Switching from strict to Full can be a temporary workaround, but fixing the origin cert is the right long-term fix.
  • Flexible does not validate origin HTTPS the same way; 526 is uncommon in Flexible mode.

We recommend fixing the certificate rather than permanently downgrading strict mode. Strict mode exists to prevent downgrade attacks between Cloudflare and your server.

Step 2: Inspect the origin certificate

From a terminal (or use an SSL checker that tests the origin directly):

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com

Check:

  • notAfter date is in the future
  • subject or Subject Alternative Names include the hostname Cloudflare uses
  • Chain includes intermediates (not only the leaf certificate)

Our chain validation and certificate chain glossary pages explain what a complete chain looks like.

Step 3: Fix hostname and SAN coverage

Cloudflare typically connects to the hostname in your DNS record. If your cert only covers www but the A record points the apex to origin, or vice versa, you can see 526.

Fix options:

  • Re-issue the certificate to include all hostnames you serve (apex + www, or use a wildcard)
  • Align DNS so Cloudflare connects using a hostname the cert already covers
  • Use Cloudflare CNAME setup consistently across subdomains

Step 4: Install the full certificate chain on origin

Many panels let you upload "certificate + private key" only. Browsers sometimes tolerate missing intermediates; Cloudflare in strict mode often will not.

Download the full chain from your CA (Let's Encrypt, commercial CA, etc.) and configure:

  • nginx: ssl_certificate (full chain file) + ssl_certificate_key
  • Apache: SSLCertificateFile + SSLCertificateChainFile (or combined fullchain)

Reload the web server after installation.

Step 5: Renew and verify after changes

After renewal or re-issue:

  1. Confirm files on disk updated
  2. Reload nginx/Apache
  3. Re-test with openssl s_client
  4. Confirm Cloudflare orange-cloud proxy still enabled and SSL mode unchanged

Silent renewal failures are common: the panel shows renewed, the live site still serves the old cert. That is exactly the scenario SSL monitoring, expiry reminders, and status change alerts are built for.

FAQ

Should I switch from Full (strict) to Full to fix 526?

Only as a short-term emergency. Full (strict) protects the Cloudflare-to-origin hop. Fix the origin certificate instead.

Can Let's Encrypt on the origin fix 526?

Yes, if the cert is valid, trusted, includes the right hostnames, and the full chain is installed. Let's Encrypt is fine for Cloudflare origins.

526 vs browser "Your connection is not private"

Browser warnings are visitor-to-edge or visitor-to-origin depending on setup. Error 526 is Cloudflare's report about origin validation behind the proxy.

Start Monitoring With Confidence

Monitor every SSL certificate in your portfolio with intelligent alerts, renewal confirmation, and complete visibility across every site.