Cloudflare Error 526: Invalid SSL Certificate
Quick reference
| Code | 526 Invalid SSL Certificate |
|---|---|
| Category | Cloudflare Edge Error |
| Standard HTTP? | No |
| Vendor reference | Cloudflare docs |
What 526 means
Cloudflare 526 Invalid SSL Certificate means the TLS handshake with the origin succeeded but Cloudflare rejected the certificate the origin presented. This only occurs in Full (Strict) SSL mode — the strictest Cloudflare setting, which requires the origin certificate to be issued by a publicly trusted CA or by Cloudflare itself, currently valid, and covering the hostname being requested.
In Full mode (not Strict), Cloudflare accepts any certificate including self-signed and expired ones, and would not return 526. Switching from Full (Strict) to Full is a valid short-term workaround while the certificate issue is being resolved, since encryption between Cloudflare and origin is still maintained.
Four reasons a certificate fails validation
1. Self-signed certificate. Self-signed certs pass the TLS handshake but fail Cloudflare's trust-chain verification in Full (Strict) mode. Use a Cloudflare Origin Certificate or a publicly trusted CA certificate instead.
2. Expired certificate. The most common cause of sudden 526s. Check expiry (connect to the origin IP directly, with the site hostname as SNI, exactly as Cloudflare does):

```bash
openssl s_client -connect ORIGIN_IP:443 -servername yourdomain.com </dev/null 2>/dev/null \
  | openssl x509 -noout -dates
# notAfter=Apr 25 2026 -- if today is past this date, renew immediately
```

3. Hostname mismatch. The certificate's CN or Subject Alternative Names do not include the hostname Cloudflare is connecting to. Check the SANs:

```bash
openssl s_client -connect ORIGIN_IP:443 -servername yourdomain.com </dev/null 2>/dev/null \
  | openssl x509 -noout -text | grep -A3 "Subject Alternative Name"
# Should list yourdomain.com and/or *.yourdomain.com
```

4. Incomplete certificate chain. The origin sends only the end-entity certificate without the intermediate CA certificates, so Cloudflare cannot build a path to a trusted root. Fix by sending the full chain:

```nginx
# Let's Encrypt: point at fullchain.pem, not cert.pem
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;

# Manual chain: build the file first (end-entity certificate first, then intermediates) with
#   cat your-cert.pem intermediate-ca.pem > fullchain.pem
# and reference it
ssl_certificate /etc/nginx/ssl/fullchain.pem;
```
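The four checks above can be run as one pre-flight test from outside Cloudflare. This is an added example, not Cloudflare's or the page's own code: it connects to the origin IP with the site hostname as SNI, lets Python's default TLS context verify chain, expiry and hostname, and maps OpenSSL's verification error code to the matching 526 cause. It assumes the local CA bundle stands in for Cloudflare's trust store, so an origin serving a Cloudflare Origin Certificate is reported as untrusted here even though Cloudflare accepts it.

```python
"""Pre-flight check approximating Cloudflare's Full (Strict) origin validation.

Added example, not Cloudflare's or the page's own code. Connects to the origin
by IP with the site hostname as SNI, as Cloudflare does, and lets Python's
default TLS context verify chain, expiry and hostname. Assumption: the local CA
bundle stands in for Cloudflare's trust store, so an origin serving a Cloudflare
Origin Certificate is reported as untrusted here although Cloudflare accepts it.
"""
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_* codes, exposed as SSLCertVerificationError.verify_code,
# mapped to the four 526 causes described above and their fixes.
CAUSES = {
    10: ("expired", "renew the certificate (reason 2)"),
    18: ("self-signed", "install an Origin Certificate or public CA cert (reason 1)"),
    19: ("self-signed CA in chain", "install an Origin Certificate or public CA cert (reason 1)"),
    20: ("incomplete chain or untrusted CA", "serve fullchain.pem with intermediates (reason 4)"),
    62: ("hostname mismatch", "add the hostname to the certificate's SANs (reason 3)"),
}


def classify(verify_code):
    """Map an OpenSSL verify error code to a (526 cause, remediation) pair."""
    return CAUSES.get(verify_code, ("other verification failure", "inspect with openssl s_client"))


def preflight(origin_ip, hostname, port=443, timeout=5.0):
    """Report what a Full (Strict) validation of origin_ip for hostname would see."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname, like Full (Strict)
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "not_after": cert.get("notAfter"),
                        "sans": [v for _, v in cert.get("subjectAltName", ())]}
    except ssl.SSLCertVerificationError as e:
        # Handshake completed but verification failed: this is what produces a 526.
        cause, fix = classify(e.verify_code)
        return {"ok": False, "error": "526", "cause": cause, "fix": fix, "detail": e.verify_message}
    except (ssl.SSLError, OSError) as e:
        # No TLS session at all (refused, timeout, protocol or cipher mismatch): 525 territory.
        return {"ok": False, "error": "525", "cause": "TLS session not established", "detail": str(e)}


if __name__ == "__main__":
    print(preflight(sys.argv[1], sys.argv[2]))  # usage: preflight.py ORIGIN_IP yourdomain.com
```

Run it against each origin IP behind the zone; a result with `"error": "526"` names the failing check, while `"error": "525"` means the problem is upstream of certificate validation.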
Fix strategies
Cloudflare Origin Certificate (recommended): Free, 15-year certificate issued by Cloudflare and trusted by Cloudflare in Full (Strict) mode. Generate it in the Cloudflare dashboard: SSL/TLS → Origin Server → Create Certificate. Because browsers do not trust the Cloudflare Origin CA, this certificate only secures the Cloudflare-to-origin leg; the origin should not be reachable by clients directly. Install on origin:

```nginx
ssl_certificate     /etc/nginx/ssl/cloudflare-origin.pem;
ssl_certificate_key /etc/nginx/ssl/cloudflare-origin.key;
```
Let's Encrypt (publicly trusted):
```bash
apt install certbot python3-certbot-nginx
certbot --nginx -d yourdomain.com -d www.yourdomain.com
systemctl enable --now certbot.timer   # auto-renew
```
Temporary workaround — switch to Full (not Strict): In Cloudflare dashboard, SSL/TLS → Overview, change to Full. This removes certificate validation while maintaining encryption. Revert to Full (Strict) once the certificate is fixed.
Preventing certificate expiry 526s
Automate certificate renewal and set up expiry monitoring. For Let's Encrypt, the certbot systemd timer handles renewal automatically. For Cloudflare Origin Certificates (valid 15 years), use a monitoring script or cron to alert when expiry is within 30 days:
```bash
#!/bin/bash
# Check cert expiry and alert if within 30 days.
# Reads the file on disk; pair with the s_client check above to confirm nginx actually serves it.
EXPIRY=$(openssl x509 -in /etc/nginx/ssl/origin.pem -noout -enddate | cut -d= -f2)
EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s)   # GNU date; on BSD/macOS use: date -j -f "%b %d %T %Y %Z" "$EXPIRY" +%s
NOW=$(date +%s)
DAYS_LEFT=$(( (EXPIRY_EPOCH - NOW) / 86400 ))
if [ "$DAYS_LEFT" -lt 30 ]; then
  echo "WARNING: cert expires in $DAYS_LEFT days" | mail -s "Cert expiry warning" ops@example.com
fi
```
526 vs 525
| Code | TLS session | Root cause |
|---|---|---|
| 525 | Failed to establish | No cert, unsupported cipher/protocol |
| 526 | Established, cert rejected | Self-signed, expired, hostname mismatch, incomplete chain |
Frequently asked questions
Does 526 affect HTTP traffic?
No. 526 only occurs when Cloudflare connects to the origin over HTTPS (Full or Full (Strict) SSL mode). Off or Flexible mode uses plain HTTP to the origin, so certificate validation never takes place.
Can a wildcard certificate fix hostname mismatch 526s?
Yes. A wildcard cert for *.example.com covers all immediate subdomains — www, api, cdn — and satisfies Cloudflare hostname validation. It does not cover the apex domain (example.com) itself or sub-subdomains. Add the apex as an additional SAN if needed.
Why does 526 happen intermittently?
Intermittent 526s often indicate a recently rotated certificate has a different hostname or chain than the old one, and some Cloudflare edge nodes cached the old connection state. Purging Cloudflare cache and waiting for edge propagation typically resolves it. Also check whether multiple origin IPs are configured and only one has a valid certificate.
Is Full (Strict) worth using over Full mode?
Yes for production. Full (Strict) prevents man-in-the-middle attacks between Cloudflare and origin by verifying the certificate is legitimate. Full mode accepts any certificate including attacker-controlled self-signed ones. The extra work of maintaining a valid certificate is worth the security guarantee.