Introduction

Cloudflare Origin CA certificates are free certificates issued by Cloudflare for securing the connection between Cloudflare's edge and your origin server. Unlike Let's Encrypt certificates, Origin CA certificates are not automatically renewed - they have fixed validity periods (15 years or shorter). When an Origin CA certificate expires, Cloudflare cannot establish a secure connection to the origin, resulting in error 525 (SSL handshake failed) or 526 (Invalid SSL certificate).

Symptoms

  • Cloudflare error 525: SSL handshake failed
  • Cloudflare error 526: Invalid SSL certificate
  • Origin server logs show no incoming requests from Cloudflare
  • openssl x509 -in origin-cert.pem -noout -dates shows expired certificate
  • Site works when Cloudflare SSL mode is set to Flexible but not Full (strict)

Common Causes

  • Origin CA certificate reached the end of its validity period
  • Certificate was not renewed before expiration
  • Automated renewal process not configured
  • Multiple origin servers with different certificate expiration dates
  • Certificate replaced but not deployed to all origin servers in a cluster

Step-by-Step Fix

  1. 1.Check the current origin certificate expiration:
  2. 2.```bash
  3. 3.openssl x509 -in /etc/ssl/origin-cert.pem -noout -dates
  4. 4.# notBefore=Jan 1 00:00:00 2024 GMT
  5. 5.# notAfter=Jan 1 00:00:00 2039 GMT
  6. 6.# If notAfter is in the past, the certificate is expired
  7. 7.`
  8. 8.Generate a new Origin CA certificate:
  9. 9.- In Cloudflare dashboard: SSL/TLS > Origin Server > Create Certificate
  10. 10.- Choose RSA (2048) or ECC key type
  11. 11.- Select hostnames to cover (e.g., example.com, *.example.com)
  12. 12.- Choose validity period (15 years recommended for Origin CA)
  13. 13.- Download the certificate and private key
  14. 14.Install the new certificate on the origin server:
  15. 15.```bash
  16. 16.# Replace the old certificate
  17. 17.sudo cp new-origin-cert.pem /etc/ssl/origin-cert.pem
  18. 18.sudo cp new-origin-key.pem /etc/ssl/origin-key.pem
  19. 19.sudo chmod 600 /etc/ssl/origin-key.pem
  20. 20.sudo chmod 644 /etc/ssl/origin-cert.pem
  21. 21.`
  22. 22.Configure the web server to use the new certificate:
  23. 23.```nginx
  24. 24.server {
  25. 25.listen 443 ssl;
  26. 26.server_name example.com;
  27. 27.ssl_certificate /etc/ssl/origin-cert.pem;
  28. 28.ssl_certificate_key /etc/ssl/origin-key.pem;
  29. 29.# Only allow Cloudflare connections
  30. 30.ssl_client_certificate /etc/ssl/cloudflare.crt;
  31. 31.ssl_verify_client on;
  32. 32.}
  33. 33.`
  34. 34.Reload the web server and verify:
  35. 35.```bash
  36. 36.sudo systemctl reload nginx
  37. 37.# Verify the new certificate is active
  38. 38.openssl s_client -connect localhost:443 -servername example.com </dev/null 2>/dev/null | \
  39. 39.openssl x509 -noout -dates
  40. 40.`
  41. 41.Set up certificate expiration monitoring:
  42. 42.```bash
  43. 43.# Check expiration date
  44. 44.EXPIRY=$(openssl x509 -in /etc/ssl/origin-cert.pem -noout -enddate | cut -d= -f2)
  45. 45.EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s)
  46. 46.NOW_EPOCH=$(date +%s)
  47. 47.DAYS_LEFT=$(( (EXPIRY_EPOCH - NOW_EPOCH) / 86400 ))
  48. 48.echo "Origin CA certificate expires in $DAYS_LEFT days"
  49. 49.# Alert if less than 30 days remain
  50. 50.`

Prevention

  • Set calendar reminders for Origin CA certificate expiration (they do not auto-renew)
  • Automate Origin CA certificate generation and deployment with scripts
  • Use Let's Encrypt with Cloudflare's Full (strict) mode for automatic renewal
  • Include origin certificate expiration in your monitoring and alerting system
  • Document the Origin CA certificate rotation procedure in runbooks