Question 1

What does Cloudflare error 526 mean?

Accepted Answer

Error 526 occurs specifically when Cloudflare's SSL mode is set to Full (Strict) and the origin server's SSL certificate fails validation. The TLS handshake may succeed (unlike 525), but the certificate does not pass Cloudflare's validation checks — it may be expired, self-signed, not issued for the correct hostname, or have an incomplete certificate chain. This error only occurs in Full (Strict) mode because other modes do not validate the origin certificate.

Question 2

What causes Cloudflare error 526?

Accepted Answer

SSL certificate has expired: The origin's certificate has passed its expiration date. Let's Encrypt certificates expire every 90 days and auto-renewal sometimes fails silently.

Self-signed certificate without Cloudflare Origin CA: Full (Strict) mode requires a certificate signed by a trusted CA or Cloudflare's Origin CA. A standard self-signed certificate will be rejected.

Certificate does not match the hostname: The certificate's Common Name (CN) or Subject Alternative Names (SANs) do not include the domain being requested through Cloudflare.

Incomplete certificate chain: The origin is only serving the leaf certificate without the required intermediate certificates, so Cloudflare cannot build a chain to a trusted root.

Question 3

How do I fix Cloudflare error 526?

Accepted Answer

Step 1: Check certificate validity and expiration — Connect to the origin and inspect the certificate details to ensure it is valid and not expired.

Step 2: Verify the certificate covers the domain — Check that the certificate's Subject Alternative Names (SANs) include your domain name.

Step 3: Use a Cloudflare Origin CA certificate — Generate a free Origin CA certificate from the Cloudflare dashboard (SSL/TLS > Origin Server). These are trusted by Cloudflare in Full (Strict) mode and last up to 15 years.

Step 4: Verify the full certificate chain is served — The origin must serve the leaf certificate plus all intermediate certificates. Check with openssl or an online SSL checker.

Step 5: Switch to Full SSL mode temporarily — If you need the site online immediately, switch from Full (Strict) to Full. This still uses HTTPS to the origin but does not validate the certificate. Fix the certificate and switch back.

Cloudflare Error 526: Invalid SSL Certificate

Common Causes

SSL certificate has expired

Self-signed certificate without Cloudflare Origin CA

Certificate does not match the hostname

Incomplete certificate chain

How to Fix It

Check certificate validity and expiration

Verify the certificate covers the domain

Use a Cloudflare Origin CA certificate

Verify the full certificate chain is served

Switch to Full SSL mode temporarily

Related Error Codes

SSL Handshake Failed

Web Server Is Down

Web Server Returns an Unknown Error

Frequently Asked Questions