SSL Certificate Error Code 526: Causes and Fixes
Cloudflare error 526 means the origin SSL certificate is invalid. Learn what causes it, how to diagnose it, and how to fix it step by step.
You're seeing a Cloudflare error 526 page. Your site is down for visitors, and the error message says something about an invalid SSL certificate. This is one of the most common Cloudflare errors, and it's almost always fixable in under an hour.
Here's what's happening and how to resolve it.
What Error 526 Means
Error 526 is a Cloudflare-specific HTTP error. It means Cloudflare tried to connect to your origin server over HTTPS, but the SSL certificate on your origin server failed validation.
The full error reads: "Error 526: Invalid SSL certificate."
This only happens when your Cloudflare SSL/TLS encryption mode is set to Full (Strict). In this mode, Cloudflare requires a valid, trusted SSL certificate on your origin server. If the certificate is expired, self-signed, misconfigured, or missing, Cloudflare refuses to complete the connection and shows error 526 to your visitors.
The important thing to understand: the problem is not between your visitors and Cloudflare. That connection is fine. The problem is between Cloudflare and your origin server.
Visitor --[HTTPS OK]--> Cloudflare --[HTTPS FAILS]--> Origin Server
^ Error 526
Common Causes of Error 526
There are five things that typically trigger this error. In order of how often they come up:
Expired SSL Certificate on the Origin
The most frequent cause. Your origin server's SSL certificate has passed its expiry date. Cloudflare checks the notAfter date when connecting to your origin, and if it's in the past, the connection is rejected.
This happens when auto-renewal fails silently, when a manual renewal gets forgotten, or when a certificate was provisioned as a temporary fix and never replaced.
Self-Signed Certificate
If your origin server uses a self-signed certificate and your Cloudflare SSL mode is set to Full (Strict), Cloudflare won't trust it. Self-signed certificates are not issued by a certificate authority (CA) that's in Cloudflare's trust store.
Note: if your SSL mode is set to just Full (not Strict), Cloudflare will accept a self-signed certificate. But Full (Strict) requires a valid certificate from a trusted CA or a Cloudflare Origin CA certificate.
Missing Intermediate Certificate
Your origin server has a valid leaf certificate, but the intermediate certificate(s) are not installed. Cloudflare cannot build a complete chain of trust back to a trusted root CA, so validation fails.
This is a sneaky one because your site might work fine when you visit it directly in Chrome (Chrome fetches a missing intermediate from the URL in the certificate and caches it), but Cloudflare's connection to your origin fails because it only sees what your server actually sends.
Certificate Doesn't Match the Domain
The SSL certificate on your origin server is valid and not expired, but it was issued for a different domain. If your origin hostname is origin.example.com and the certificate only covers example.com and www.example.com, the validation fails.
This also happens when wildcard certificates are misconfigured. A *.example.com wildcard covers www.example.com and api.example.com, but it does not cover example.com itself or multi-level subdomains like sub.api.example.com.
Wrong DNS or Server Configuration
Your DNS records in Cloudflare point to the wrong server, or the server at that IP address is serving a certificate for a completely different domain. This can happen after a server migration or IP address change.
How to Diagnose the Problem
Before jumping into fixes, figure out which specific cause you're dealing with. Run these checks from a machine that can reach your origin server directly (not through Cloudflare).
Step 1: Find Your Origin Server IP
If your DNS is proxied through Cloudflare (orange cloud), you need to know your actual origin IP. Check your Cloudflare DNS settings or your hosting provider's dashboard.
Step 2: Check the Origin Certificate
Connect directly to your origin and inspect the certificate:
openssl s_client -connect YOUR_ORIGIN_IP:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -text
Replace YOUR_ORIGIN_IP with your server's actual IP address. This shows you the full certificate details. Look at:
- Validity period: Is Not After in the past?
- Subject/SANs: Does the certificate cover your domain?
- Issuer: Is it issued by a trusted CA, or does it say the issuer is the same as the subject (self-signed)?
Step 3: Check the Certificate Chain
openssl s_client -connect YOUR_ORIGIN_IP:443 -servername yourdomain.com </dev/null 2>/dev/null
Look at the output for the certificate chain and the Verify return code at the bottom. A code of 0 (ok) means the chain is valid. Anything else indicates a problem:
- 10 (certificate has expired) -- expired certificate
- 18 (self-signed certificate) -- self-signed
- 21 (unable to verify the first certificate) -- missing intermediate
- 62 (hostname mismatch) -- wrong domain (s_client only checks the hostname when you add -verify_hostname yourdomain.com; without it a wrong-domain certificate still reports 0 (ok), so also compare the Subject/SANs from Step 2)
Step 4: Verify DNS Points to the Right Server
Check that the DNS records in your Cloudflare dashboard point to the correct origin IP, and confirm that the server at that address is the one serving the certificate you inspected in Step 2.
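As an added example (not code from this article or from Cloudflare), here is a small bash helper that applies Steps 2 and 3 to openssl s_client output: it maps the Verify return code to the cause listed above, and when the code is 0 it checks whether the certificate's SANs actually cover the hostname, using the wildcard rule from the causes section. The function names, the check_origin wrapper and the sample output are assumptions; diagnose_526 reads its input on stdin so it can be exercised on the constructed sample without contacting a server.

```shell
# Added triage helper, not code from the original article or from Cloudflare: it applies
# the diagnosis steps above to `openssl s_client` output. Names and samples are assumptions.
# One SAN entry vs. one hostname, using the article's wildcard rule: *.example.com covers
# www.example.com but not example.com itself or sub.api.example.com (exactly one label).
san_covers_host() {
  local san="$1" host="$2" suffix prefix
  [ "$san" = "$host" ] && return 0
  case "$san" in
    '*.'*) suffix=${san#\*.}; prefix=${host%."$suffix"}   # host with ".suffix" removed
           [ "$prefix" != "$host" ] && [ -n "$prefix" ] && [ "${prefix%%.*}" = "$prefix" ] ;;
    *)     return 1 ;;
  esac
}
# "Verify return code" number -> the cause and fix described in this article.
verify_code_to_cause() {
  case "$1" in
    0)  echo "ok" ;;
    10) echo "expired certificate (Fix 1)" ;;
    18) echo "self-signed certificate (Fix 2)" ;;
    21) echo "missing intermediate (Fix 3)" ;;
    62) echo "hostname mismatch (Fix 4)" ;;
    *)  echo "unrecognised verify error $1" ;;
  esac
}
# Read s_client output (with the `x509 -text` dump appended, if any) on stdin and print
# "CODE cause". Code 0 whose SANs do not cover HOST is still flagged as a wrong-domain cert.
diagnose_526() {
  local host="$1" out code cause san
  out=$(cat)
  code=$(printf '%s\n' "$out" | sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
  cause=$(verify_code_to_cause "${code:-none}")
  if [ "$code" = 0 ] && printf '%s\n' "$out" | grep -q 'DNS:'; then
    cause="hostname mismatch (Fix 4)"
    for san in $(printf '%s\n' "$out" | grep -o 'DNS:[^, ]*' | sed 's/DNS://'); do
      san_covers_host "$san" "$host" && cause="ok" && break
    done
  fi
  echo "${code:-?} $cause"
  [ "$cause" = "ok" ]
}
# Live check of a real origin (Steps 2 and 3 above). Usage: check_origin ORIGIN_IP HOSTNAME
check_origin() {
  local raw
  raw=$(openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null)
  { printf '%s\n' "$raw"; printf '%s\n' "$raw" | openssl x509 -noout -text; } | diagnose_526 "$2"
}
# Constructed sample standing in for real s_client + x509 output (no origin is contacted).
SAMPLE_WRONG_HOST='    Verify return code: 0 (ok)
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:www.example.com'
```

Running printf '%s\n' "$SAMPLE_WRONG_HOST" | diagnose_526 origin.example.com prints "0 hostname mismatch (Fix 4)", the case where s_client alone would have looked healthy.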
How to Fix Error 526
Once you know the cause, here's how to fix each one.
Fix 1: Renew an Expired Certificate
Renew the certificate
For Let's Encrypt:
sudo certbot renew --force-renewal
For a commercial CA, log into your CA's portal and reissue or renew the certificate.
Install the renewed certificate
Replace the old certificate files on your server and restart the web server:
sudo systemctl restart nginx
# or
sudo systemctl restart apache2
Verify
openssl s_client -connect YOUR_ORIGIN_IP:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -dates
Confirm notAfter is now in the future.
Fix 2: Replace a Self-Signed Certificate
You have two options:
Option A: Use a Cloudflare Origin CA certificate. This is the easiest path if you're using Cloudflare. In your Cloudflare dashboard, go to SSL/TLS > Origin Server > Create Certificate. Cloudflare will generate a certificate that's trusted by Cloudflare's edge servers. Install it on your origin.
# Typical Nginx config with Cloudflare Origin CA cert
ssl_certificate /etc/ssl/cloudflare-origin.pem;
ssl_certificate_key /etc/ssl/cloudflare-origin-key.pem;
Note: Cloudflare Origin CA certificates are only trusted by Cloudflare. If you need the origin to be accessible directly (not through Cloudflare), use a publicly trusted certificate instead.
Option B: Use Let's Encrypt. Install a free, publicly trusted certificate:
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
Fix 3: Install Missing Intermediate Certificates
Download the intermediate certificate from your CA's documentation. Then concatenate it with your leaf certificate:
cat yourdomain.crt intermediate.crt > fullchain.crt
Update your web server configuration to use the full chain file:
Nginx:
ssl_certificate /etc/ssl/fullchain.crt;
ssl_certificate_key /etc/ssl/yourdomain.key;
Apache:
SSLCertificateFile /etc/ssl/fullchain.crt
SSLCertificateKeyFile /etc/ssl/yourdomain.key
Restart your web server and verify the chain is complete:
openssl s_client -connect YOUR_ORIGIN_IP:443 -servername yourdomain.com </dev/null 2>/dev/null | grep "Verify return code"
# Should output: Verify return code: 0 (ok)
For a deeper look at how certificate chains work and how to debug them, see the SSL certificate chain explainer.
Fix 4: Fix a Domain Mismatch
Reissue your certificate with the correct domain names. Make sure to include all domains and subdomains that Cloudflare might connect to on your origin.
If you use Let's Encrypt:
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com -d origin.yourdomain.com
If you use a Cloudflare Origin CA certificate, make sure the hostnames listed when you created the certificate match the domain Cloudflare connects to.
Fix 5: Downgrade to Full Mode (Not Recommended)
As a temporary workaround, you can change your Cloudflare SSL/TLS encryption mode from Full (Strict) to Full. This tells Cloudflare to accept any certificate on the origin, including self-signed and expired certificates.
This gets your site back online quickly, but it weakens security. Anyone who can intercept traffic between Cloudflare and your origin could present a fake certificate. Use this only as a stopgap while you fix the real problem.
Don't leave Full mode as a permanent fix
Full (Strict) mode exists for a reason. It ensures the connection between Cloudflare and your origin is genuinely authenticated. Downgrading to Full removes that protection. Fix the certificate and switch back to Full (Strict).
Verifying the Fix
After applying your fix, confirm that error 526 is resolved:
- Test the origin directly with openssl s_client as shown above. Verify return code should be 0 (ok).
- Purge Cloudflare cache. Go to Caching > Configuration > Purge Everything in your Cloudflare dashboard. Cloudflare may have cached the error page.
- Check your site. Visit your site in an incognito browser window to avoid local caching issues.
- Check the SSL certificate details from your browser or with a certificate checking tool to confirm the new certificate is being served.
- Monitor going forward. Set up certificate monitoring to alert you before the origin certificate expires again. You can check SSL expiration dates on a schedule, or better yet, automate it.
Error 526 vs. Other Cloudflare SSL Errors
Cloudflare has several SSL-related error codes. Here's how they differ:
| Error Code | Meaning | Likely Cause |
|---|---|---|
| 521 | Web server is down | Origin server is offline or blocking Cloudflare IPs |
| 522 | Connection timed out | Origin server is slow or unreachable |
| 525 | SSL handshake failed | SSL not configured on origin, or protocol mismatch |
| 526 | Invalid SSL certificate | Expired, self-signed, wrong domain, or incomplete chain |
If you're seeing 525 instead of 526, the problem is usually that SSL isn't configured on your origin at all, or there's a TLS protocol version mismatch. Error 526 specifically means SSL is configured but the certificate itself is invalid.
Preventing Error 526
The best way to avoid error 526 is to never let your origin certificate become invalid in the first place:
- Use Cloudflare Origin CA certificates with a 15-year validity period if your origin is always behind Cloudflare
- Set up certificate expiry monitoring so you know weeks before a certificate expires
- Automate renewal with Certbot or your hosting provider's auto-renewal feature
- Test after every server change -- migrations, IP changes, and config updates can all break SSL
For a broader overview of SSL/TLS and how certificates work, the SSL/TLS guide covers the fundamentals. And if you're dealing with other SSL errors beyond 526, the SSL errors troubleshooting guide walks through every common error type.
Error 526 is fixable. The certificate on your origin just needs to be valid, trusted, and covering the right domain.