
526 Invalid SSL Certificate (Cloudflare) Fix

Cloudflare Error 526 means your origin cert failed validation under Full (Strict). Fix it in 3 checks: chain, expiry, hostname. Free instant check, no sign-up.


Problem

Cloudflare returns Error 526: Invalid SSL Certificate. Cloudflare reached your origin and completed the TLS handshake, but under Full (Strict) mode it validated the origin certificate and rejected it.

Symptoms

  • Cloudflare’s branded error page shows Error 526.
  • The site uses SSL/TLS mode Full (Strict) (526 does not occur in Full or Flexible, which skip origin validation).
  • The browser-to-Cloudflare connection looks healthy; only the page content fails to load.

Top 3 Causes

  1. The origin certificate is expired, not yet valid, or revoked - Full (Strict) checks validity dates and revocation. A lapsed Let’s Encrypt renewal or a clock-skewed “not yet valid” certificate fails the check immediately.
  2. The certificate is untrusted or the chain is incomplete - A self-signed certificate, one issued by an internal/private CA, or a leaf served without its intermediate certificates cannot be validated against Cloudflare’s trust store. Missing intermediates are the single most common cause.
  3. The hostname does not match - The certificate’s Common Name and Subject Alternative Names do not cover the hostname Cloudflare connects to. A certificate for www.example.com served on an origin Cloudflare reaches as example.com fails validation.

Diagnose with DechoNet

  • SSL Check against your origin hostname or IP to read the certificate’s expiry, issuer, chain, and the names it covers.
  • Port Check to confirm port 443 is open on the origin, so you know the handshake itself is reachable.

Resolution Checklist

  • Inspect the origin certificate directly, bypassing Cloudflare: openssl s_client -connect ORIGIN_IP:443 -servername yourdomain.com (the -servername flag sends SNI, so the origin presents the same certificate it would present to Cloudflare rather than a default one). Read the Verify return code line — anything other than 0 (ok) names the exact failure (expired, self-signed, unable to get local issuer certificate).
  • If the chain is incomplete, reinstall the full chain (leaf + intermediates), not just the leaf certificate. Unable to get local issuer certificate means an intermediate is missing.
  • If the certificate is expired, renew it and fix whatever broke auto-renewal — a 526 from expiry will return on the next cycle otherwise.
  • For a self-signed or internal-CA certificate, either install a Cloudflare Origin CA certificate (trusted by Full (Strict), valid up to 15 years) or upload your CA to the Custom Origin Trust Store.
  • Confirm the certificate’s SAN list includes the exact hostname Cloudflare connects to.
  • Re-run SSL Check against the origin to confirm validation passes, then reload the site.
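The three checks in the Top 3 Causes and in the checklist above (chain, expiry, hostname) can be reproduced offline with Go's standard crypto/x509 verifier, which applies the same rules a strict proxy does: validity window first, then the name, then a path to a trusted root built only from the intermediates the origin actually sent. The following is an added example written for this guide, not code from DechoNet or Cloudflare. It builds a constructed root -> intermediate -> leaf PKI in memory and classifies one healthy origin plus each of the three failure modes; the function names (Classify, Scenarios, issue, template), the hostnames origin.example.com / www.example.com / example.com and the "Constructed ..." CA names are this example's own assumptions, and Cloudflare's real edge check is only approximated here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Result names which of the guide's three Full (Strict) checks a presented chain fails.
type Result string
const (
	ResultOK       Result = "ok"
	ResultChain    Result = "untrusted or incomplete chain"
	ResultExpired  Result = "expired or not yet valid"
	ResultHostname Result = "hostname mismatch"
	ResultOther    Result = "other validation failure"
)

// Classify validates leaf as a strict proxy would: only the intermediates the origin actually
// sent are usable, roots is the trust store, and the certificate must cover hostname.
func Classify(leaf *x509.Certificate, sent []*x509.Certificate, roots *x509.CertPool, hostname string, now time.Time) Result {
	inter := x509.NewCertPool()
	for _, c := range sent {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: hostname, Roots: roots, Intermediates: inter, CurrentTime: now})
	if err == nil {
		return ResultOK
	}
	var hostErr, invalidErr, unknownErr = x509.HostnameError{}, x509.CertificateInvalidError{}, x509.UnknownAuthorityError{}
	switch {
	case errors.As(err, &hostErr): // CN/SAN does not cover the name we connected to
		return ResultHostname
	case errors.As(err, &invalidErr) && invalidErr.Reason == x509.Expired: // outside NotBefore..NotAfter
		return ResultExpired
	case errors.As(err, &unknownErr): // no path to a trusted root (openssl: "unable to get local issuer certificate")
		return ResultChain
	}
	return ResultOther
}

// template builds a minimal certificate template; CA templates get the constraints a strict verifier requires on issuers.
func template(name string, serial int64, ca bool, notBefore, notAfter time.Time) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name}, NotBefore: notBefore, NotAfter: notAfter}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}
// must panics on error; acceptable for a constructed demo PKI, not for production code.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// issue signs tmpl with parentKey (self-signed when parent is nil) using a throwaway P-256 key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// Scenarios builds a constructed root -> intermediate -> leaf PKI and classifies a healthy origin plus the guide's three failure modes.
func Scenarios() map[string]Result {
	now, day := time.Now(), 24*time.Hour
	root, rootKey := issue(template("Constructed Root CA", 1, true, now.Add(-day), now.Add(3650*day)), nil, nil)
	inter, interKey := issue(template("Constructed Intermediate CA", 2, true, now.Add(-day), now.Add(1825*day)), root, rootKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	leaf := func(san string, serial int64, notBefore, notAfter time.Time) *x509.Certificate {
		c, _ := issue(template(san, serial, false, notBefore, notAfter), inter, interKey)
		return c
	}
	good := leaf("origin.example.com", 10, now.Add(-day), now.Add(90*day))
	selfSigned, _ := issue(template("origin.example.com", 11, false, now.Add(-day), now.Add(90*day)), nil, nil)
	chain := []*x509.Certificate{inter}
	return map[string]Result{
		"full chain, valid, matching name":     Classify(good, chain, roots, "origin.example.com", now),
		"intermediate not sent by origin":      Classify(good, nil, roots, "origin.example.com", now),
		"self-signed origin certificate":       Classify(selfSigned, nil, roots, "origin.example.com", now),
		"expired leaf":                         Classify(leaf("origin.example.com", 12, now.Add(-100*day), now.Add(-day)), chain, roots, "origin.example.com", now),
		"cert for www, origin reached as apex": Classify(leaf("www.example.com", 13, now.Add(-day), now.Add(90*day)), chain, roots, "example.com", now),
	}
}

func main() { for name, r := range Scenarios() { fmt.Printf("%-38s -> %s\n", name, r) } }
```

Running it with go run prints one line per scenario. Two points carry over to the openssl check in the list above: the "intermediate not sent" case is exactly what openssl reports as unable to get local issuer certificate, because the verifier only sees what the origin sends, and a hostname mismatch is not reflected in openssl s_client's Verify return code unless you also pass -verify_hostname yourdomain.com (or -verify_return_error with a hostname check), so compare the SAN list by eye as the checklist says.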

When to Escalate

  • If a managed platform (Azure App Service, managed load balancers, some PaaS hosts) controls the origin certificate and you cannot replace it, escalate to that provider rather than fighting the dashboard.
  • If validation passes locally but Cloudflare still returns 526, confirm Cloudflare is reaching the origin you tested — a stale or load-balanced A record can point it at a different, misconfigured backend.
