Introduction

A Cloudflare 526 error means Cloudflare reached the origin over HTTPS but rejected the certificate as invalid. This typically happens in Full (strict) mode, where Cloudflare expects a certificate that is unexpired, correctly chained, and valid for the requested hostname.

Symptoms

  • Cloudflare shows 526 Invalid SSL Certificate
  • The site works in a looser SSL mode but fails in Full (strict)
  • One proxied hostname fails while others continue working
  • Origin HTTPS tests show certificate warnings or hostname mismatch
  • The issue appeared after certificate renewal, migration, or hostname changes

Common Causes

  • The origin certificate is expired or not yet valid
  • The certificate does not cover the proxied hostname
  • Intermediate certificates are missing from the origin chain
  • A self-signed or otherwise untrusted certificate is used where strict validation is expected
  • Cloudflare connects to a different virtual host than the one you renewed

Step-by-Step Fix

  1. Confirm the zone is using Full (strict) and identify the exact hostname returning the 526 error.
  2. Test the origin directly over HTTPS with that hostname and inspect the presented certificate, issuer, and chain.
  3. Verify the certificate is valid for the hostname, not expired, and includes the required intermediates.
  4. Check whether the web server or load balancer is serving a default certificate instead of the intended site certificate.
  5. Replace the invalid certificate with a trusted certificate or a valid Cloudflare Origin Certificate appropriate for the setup.
  6. Reload the web or proxy service after deployment so the active listener serves the new certificate.
  7. Re-test the hostname through Cloudflare and confirm the edge no longer rejects the origin certificate.
  8. If only one subdomain fails, inspect that virtual host separately rather than assuming the main domain config applies everywhere.
  9. Keep renewal, hostname inventory, and Cloudflare SSL mode reviewed together before future TLS changes.