
Cloudflare Error 526: Fixing Invalid SSL Certificate

The article explains the cause of error 526 in Cloudflare and provides step-by-step instructions to fix the SSL certificate on the origin server to restore site access.

Updated on March 23, 2026
15-30 minutes
Medium
FixPedia Team
Applies to: Cloudflare, Nginx 1.10+, Apache 2.4+

What Error 526 Means

Cloudflare returns a 526 Invalid SSL Certificate error when it cannot validate the SSL certificate of your origin server (the server behind Cloudflare). This error occurs only when using the Full or Full (strict) SSL modes, where Cloudflare requires a valid certificate on the origin side.

Diagram of Cloudflare and origin server interaction during SSL certificate validation

Common Causes

  1. An expired SSL certificate on the origin server.
  2. A self-signed certificate that is not trusted by Cloudflare.
  3. A certificate issued for a different domain or subdomain.
  4. Incorrect SSL configuration, such as missing intermediate certificates.
  5. No SSL certificate present on the origin server while using Full/Full (strict) modes.
  6. Use of outdated ciphers or protocols incompatible with Cloudflare.

Resolution Steps

Verify Your SSL Mode in Cloudflare

Ensure your Cloudflare dashboard (SSL/TLS → Overview) is set to Full or Full (strict). The Flexible mode does not trigger a 526 error because it does not validate the origin's SSL, but it is insecure.

Cloudflare interface for selecting SSL mode: Full, Full (strict), Flexible

Diagnose the Origin Server's SSL Certificate

Connect to your server via SSH and run:

openssl s_client -connect your-server:443 -servername your-domain </dev/null 2>/dev/null | openssl x509 -noout -dates -subject -issuer

Terminal output of the openssl s_client command for checking an SSL certificate

Review the output:

  • The notBefore and notAfter dates should be valid.
  • The subject field must contain your domain (e.g., CN=example.com).
  • The issuer should be a trusted authority (Let's Encrypt, DigiCert, etc.).
  • Intermediate certificates should be present in the output (the chain is complete).

If the certificate is invalid, proceed to install a new one.
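
Added example, not part of the original article: a shell function that reads the output of openssl s_client and names which entry of the Common Causes list it points to. It uses OpenSSL's verify return code and the "Certificate chain" section, which lists the certificates the server actually sent. The function names, labels and sample outputs are constructed for illustration; -verify_hostname is passed so that s_client also reports a name mismatch.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output (read on stdin) against
# the article's Common Causes list. Labels and function names are illustrative.
classify_origin_tls() {
    out=$(cat)
    # First "Verify return code: N (reason)" line; TLS 1.3 output repeats it.
    code=$(printf '%s\n' "$out" |
        sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1)
    # Chain entries look like " 0 s:CN = example.com"; count what was sent.
    sent=$(printf '%s\n' "$out" | grep -c '^ *[0-9][0-9]* s:' || true)
    if [ -z "$code" ] ||
        printf '%s\n' "$out" | grep -q 'no peer certificate available'; then
        echo "no-certificate-or-handshake-failure"    # causes 5 and 6
        return 0
    fi
    case "$code" in
        0)     echo "ok (chain of $sent sent)" ;;
        9|10)  echo "expired-or-not-yet-valid" ;;       # cause 1
        18|19) echo "self-signed" ;;                    # cause 2
        62)    echo "hostname-mismatch" ;;              # cause 3
        20|21) echo "incomplete-chain ($sent sent)" ;;  # cause 4
        *)     echo "other-verify-error-$code" ;;
    esac
}

# Live use; the arguments are the article's placeholders.
check_origin() {  # usage: check_origin your-server your-domain
    openssl s_client -connect "$1:443" -servername "$2" \
        -verify_hostname "$2" </dev/null 2>/dev/null | classify_origin_tls
}

# Constructed sample: the server sends only its leaf certificate.
SAMPLE_LEAF_ONLY='Certificate chain
 0 s:CN = example.com
   i:C = US, O = Example CA, CN = Example Intermediate
---
Verify return code: 21 (unable to verify the first certificate)'

# Constructed sample: the handshake ended without a peer certificate.
SAMPLE_NO_CERT='no peer certificate available
Verify return code: 0 (ok)'

printf '%s\n' "$SAMPLE_LEAF_ONLY" | classify_origin_tls
printf '%s\n' "$SAMPLE_NO_CERT" | classify_origin_tls
```

The verdict is relative to the local OpenSSL trust store: a Cloudflare Origin CA certificate, which Cloudflare accepts on the origin but public trust stores do not include, is reported as a chain error here.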

Install a New SSL Certificate (Let's Encrypt)

For Nginx:

sudo apt update && sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d your-domain

Follow the wizard's instructions. Test automatic renewal:

sudo certbot renew --dry-run

For Apache:

sudo apt update && sudo apt install certbot python3-certbot-apache
sudo certbot --apache -d your-domain

After installation, restart your web server:

sudo systemctl restart nginx   # for Nginx
sudo systemctl restart apache2 # for Apache

For quick access restoration, temporarily change your Cloudflare SSL mode to Flexible. This bypasses certificate validation, but the connection between Cloudflare and your server becomes unencrypted.

⚠️ Important: Flexible mode reduces security. Switch back to Full or Full (strict) immediately after fixing the certificate.

Check and Install Intermediate Certificates

If your certificate is valid but error 526 persists, the issue may be with the certificate chain.

  1. Obtain the full chain from your certificate authority (typically includes the root and intermediate certificates).
  2. For Nginx: In your SSL configuration, point to the file containing the full chain (e.g., fullchain.pem from Let's Encrypt):
    ssl_certificate /etc/letsencrypt/live/your-domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain/privkey.pem;
    
  3. For Apache: Use SSLCertificateFile for your certificate and SSLCertificateChainFile for intermediates (or combine them into a single file).
  4. Restart your web server and verify the chain using the SSL Labs SSL Test.

Final Steps

After making any changes to your SSL configuration, purge your Cloudflare cache: go to Cache → Configuration in your dashboard and click 'Purge Everything'. This forces Cloudflare to re-validate your origin server's SSL certificate.

Prevention

  • Regularly check certificate expiration dates (monthly). Use monitoring (Nagios, Zabbix) or online services.
  • Configure automatic renewal for Let's Encrypt via certbot (it adds a cron job during installation).
  • Always use Full (strict) mode in Cloudflare for maximum security.
  • Check your certificate chain with SSL Labs quarterly.
  • Keep your web server and OpenSSL libraries updated to support modern ciphers.
  • Enable SSL problem notifications from Cloudflare (Dashboard: Notifications).

F.A.Q.

Why does error 526 occur in Cloudflare?
How to prevent error 526 from occurring?
Can I temporarily disable SSL on the origin server while using Cloudflare?

Hints

Check SSL mode in Cloudflare
Check SSL certificate on origin server
Install or update SSL certificate
Restart the web server
Clear Cloudflare cache