SSL Troubleshooting Guide
How to Fix Cloudflare Error 526 (Invalid SSL Certificate)
Invalid SSL certificate (Error 526) appears when Cloudflare connects to your origin over HTTPS but cannot validate the certificate your origin presents. Under Full (strict) SSL mode, Cloudflare requires a trusted, hostname-matching certificate on the origin. If validation fails, visitors see Error 526.
Error 526 is more specific than Error 525. With 526, a handshake often starts, but the certificate itself is rejected: expired, self-signed (when strict mode disallows it), wrong hostname, or incomplete chain.
What causes Cloudflare Error 526?
- Expired origin certificate
- Hostname mismatch (cert issued for
www.example.combut origin answers asexample.com, or reverse) - Self-signed or untrusted certificate while Cloudflare is set to Full (strict)
- Missing intermediate certificates on the origin (incomplete chain)
- Cloudflare connecting to wrong origin hostname (DNS or load balancer pointing elsewhere)
Step 1: Check Cloudflare SSL/TLS encryption mode
Go to SSL/TLS → Overview in the Cloudflare dashboard.
- Full (strict) is the most common context for 526. Origin must present a publicly trusted cert that matches the host.
- Full allows self-signed origin certificates. Switching from strict to Full can be a temporary workaround, but fixing the origin cert is the right long-term fix.
- Flexible does not validate origin HTTPS the same way; 526 is uncommon in Flexible mode.
We recommend fixing the certificate rather than permanently downgrading strict mode. Strict mode exists to prevent downgrade attacks between Cloudflare and your server.
Step 2: Inspect the origin certificate
From a terminal (or use an SSL checker that tests the origin directly):
openssl s_client -connect yourdomain.com:443 -servername yourdomain.comCheck:
notAfterdate is in the futuresubjector Subject Alternative Names include the hostname Cloudflare uses- Chain includes intermediates (not only the leaf certificate)
Our chain validation and certificate chain glossary pages explain what a complete chain looks like.
Step 3: Fix hostname and SAN coverage
Cloudflare typically connects to the hostname in your DNS record. If your cert only covers www but the A record points the apex to origin, or vice versa, you can see 526.
Fix options:
- Re-issue the certificate to include all hostnames you serve (apex +
www, or use a wildcard) - Align DNS so Cloudflare connects using a hostname the cert already covers
- Use Cloudflare CNAME setup consistently across subdomains
Step 4: Install the full certificate chain on origin
Many panels let you upload "certificate + private key" only. Browsers sometimes tolerate missing intermediates; Cloudflare in strict mode often will not.
Download the full chain from your CA (Let's Encrypt, commercial CA, etc.) and configure:
- nginx:
ssl_certificate(full chain file) +ssl_certificate_key - Apache:
SSLCertificateFile+SSLCertificateChainFile(or combined fullchain)
Reload the web server after installation.
Step 5: Renew and verify after changes
After renewal or re-issue:
- Confirm files on disk updated
- Reload nginx/Apache
- Re-test with
openssl s_client - Confirm Cloudflare orange-cloud proxy still enabled and SSL mode unchanged
Silent renewal failures are common: the panel shows renewed, the live site still serves the old cert. That is exactly the scenario SSL monitoring, expiry reminders, and status change alerts are built for.
FAQ
Should I switch from Full (strict) to Full to fix 526?
Only as a short-term emergency. Full (strict) protects the Cloudflare-to-origin hop. Fix the origin certificate instead.
Can Let's Encrypt on the origin fix 526?
Yes, if the cert is valid, trusted, includes the right hostnames, and the full chain is installed. Let's Encrypt is fine for Cloudflare origins.
526 vs browser "Your connection is not private"
Browser warnings are visitor-to-edge or visitor-to-origin depending on setup. Error 526 is Cloudflare's report about origin validation behind the proxy.