
Cloudflare Error 526: Invalid SSL Certificate

Fix the 'Invalid SSL certificate' error when Cloudflare can't validate your origin server's certificate.


Error 526

Invalid SSL certificate

Cloudflare is unable to validate the SSL certificate on the origin web server.


What is Error 526?

Error 526 occurs when Cloudflare attempts to connect to your origin server over HTTPS but cannot validate the SSL/TLS certificate presented by your server.

Key Point: This error happens between Cloudflare and your origin server, not between the visitor and Cloudflare. Your visitors see the error, but the problem is on the server side.

Understanding the Connection Flow

Visitor (browser) → Cloudflare (edge server) → Origin server (invalid certificate)

The connection from visitor to Cloudflare is fine. The problem is between Cloudflare and your origin.

Common Causes

SSL/TLS Modes Explained

Cloudflare offers different SSL/TLS encryption modes. Understanding these helps you choose the right setting and avoid Error 526.

Mode          | Encryption        | Origin Cert Required? | Validates Cert?
Off           | None              | No                    | N/A
Flexible      | Visitor↔CF only   | No                    | N/A
Full          | Both sides        | Yes (any)             | No
Full (Strict) | Both sides        | Yes (valid)           | Yes ✓

Avoid Flexible Mode

Flexible mode leaves traffic between Cloudflare and your origin unencrypted. This is a security risk and can cause redirect loops.

Recommended: Full (Strict)

Always use Full (Strict) with a valid certificate. Use Cloudflare Origin CA (free) if you don't want to pay for a certificate.

Step-by-Step Fixes

Step 1: Check Your Origin Certificate

First, verify what certificate your origin server is presenting. Replace your-origin-ip with your server's IP and yourdomain.com with your domain:

openssl s_client -connect your-origin-ip:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -dates -subject

Look for:

  • notAfter - Is the certificate expired?
  • subject - Does it include your domain?

Verify certificate and private key match:

# Get certificate modulus
openssl x509 -noout -modulus -in origin.pem | openssl md5

# Get key modulus (RSA keys only; for an EC key compare the public keys from
# `openssl pkey -pubout -in origin.key` and `openssl x509 -pubkey -noout -in origin.pem` instead)
openssl rsa -noout -modulus -in origin.key | openssl md5

# If both MD5 hashes match, the key and cert are a pair

If these don't match, you're using the wrong private key for your certificate.

Step 2: Install Cloudflare Origin CA Certificate

Cloudflare provides free Origin CA certificates valid for up to 15 years. These are trusted by Cloudflare but not browsers (which is fine since Cloudflare handles visitor connections).

  1. Go to Cloudflare Dashboard → SSL/TLS → Origin Server
  2. Click Create Certificate
  3. Choose PEM format and copy both certificate and private key
  4. Save as origin.pem (cert) and origin.key (key)

Nginx configuration:

server {
    listen 443 ssl;
    server_name yourdomain.com;
    
    ssl_certificate /etc/ssl/origin.pem;
    ssl_certificate_key /etc/ssl/origin.key;
    
    # ... rest of config
}

Apache configuration:

<VirtualHost *:443>
    ServerName yourdomain.com
    
    SSLEngine on
    SSLCertificateFile /etc/ssl/origin.pem
    SSLCertificateKeyFile /etc/ssl/origin.key
    
    # ... rest of config
</VirtualHost>

Step 3 (Alternative): Use Let's Encrypt

If you prefer publicly trusted certificates, Let's Encrypt is free and works with Full (Strict) mode.

Nginx:

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Apache:

sudo certbot --apache -d yourdomain.com -d www.yourdomain.com

Step 4 (Temporary): Switch to Full Mode (Diagnostic Only)

If you need to quickly verify the issue is certificate validation, temporarily switch to "Full" mode:

  1. Go to Cloudflare Dashboard → SSL/TLS → Overview
  2. Change from "Full (Strict)" to "Full"
  3. Test your site

Warning: This is for diagnosis only. "Full" mode doesn't validate certificates, making you vulnerable to MITM attacks. Switch back to "Full (Strict)" after fixing the certificate.
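Putting the mode table and Steps 1 and 4 together, here is an added Python example (not from this guide or from Cloudflare) that connects to an origin IP with SNI the way Cloudflare's edge does, builds a verification context matching "Full" or "Full (Strict)", and translates the OpenSSL failure into the fix above. The names `ORIGIN_CA_BUNDLE`, `context_for_mode`, `explain` and `probe_origin` are mine, and the Origin CA root bundle path is an assumption.

```python
import socket
import ssl

# Cloudflare Origin CA certs are not in the public trust store; to validate them
# as Cloudflare does, point this at Cloudflare's Origin CA root bundle
# (path is an assumption; None means the system store only).
ORIGIN_CA_BUNDLE = None  # e.g. "/etc/ssl/cloudflare_origin_ca.pem"

def context_for_mode(mode, extra_ca=ORIGIN_CA_BUNDLE):
    """SSLContext mirroring a Cloudflare SSL/TLS mode. "Full" encrypts but
    trusts any certificate (a MITM between Cloudflare and the origin goes
    unnoticed); "Full (Strict)" requires a trusted chain plus a matching
    hostname, which is exactly what Error 526 enforces."""
    if mode == "Full":
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if mode == "Full (Strict)":
        ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
        if extra_ca:
            ctx.load_verify_locations(cafile=extra_ca)
        return ctx
    raise ValueError("Off/Flexible do not use TLS to the origin")

def explain(err):
    """Map an OpenSSL verify failure to the fix in this guide."""
    msg = str(err).lower()
    if "expired" in msg:
        return "certificate expired: renew it (Step 2 or 3)"
    if "self-signed" in msg or "self signed" in msg:
        return "self-signed certificate: install Origin CA or Let's Encrypt"
    if "unable to get local issuer" in msg:
        return "incomplete chain or unknown issuer: install intermediates / Origin CA root"
    if "hostname mismatch" in msg or "doesn't match" in msg:
        return "hostname mismatch: certificate does not cover the SNI name"
    return "validation failed: " + str(err)

def probe_origin(origin_ip, hostname, mode="Full (Strict)", timeout=5.0):
    """Connect to origin_ip:443 with SNI=hostname, as Cloudflare would.
    Returns (ok, detail): TLS version on success, diagnosis on failure."""
    ctx = context_for_mode(mode)
    try:
        with socket.create_connection((origin_ip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as e:
        return False, explain(e)
    except (ssl.SSLError, OSError) as e:
        return False, "connection or handshake error: %s" % e
```

Run `probe_origin("your-origin-ip", "yourdomain.com")` and then the same call with `mode="Full"`: if only the strict probe fails, the transport is fine and the certificate is the problem, which is exactly what the Step 4 diagnostic tells you.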

Debugging Checklist

Work through this checklist to identify the issue:

Error 526 in Special Contexts

Zero Trust / Cloudflare Gateway

When using Cloudflare Gateway, Error 526 can occur if:

  • Origin presents an untrusted certificate (unknown issuer, revoked, expired, CN mismatch)
  • Certificate contains invalid characters like underscores (Gateway uses BoringSSL which is stricter than Chrome)
  • Origin only offers insecure cipher suites (RC4, 3DES)
  • Origin redirects all HTTPS to HTTP

Cloudflare Workers

Workers subrequests to external domains (not proxied by Cloudflare) always use Full (Strict) mode, regardless of your zone's SSL settings. Ensure any external APIs your Worker calls have valid certificates.

Frequently Asked Questions

Can I use a self-signed certificate with Cloudflare?

Yes, but only with "Full" mode (not "Full (Strict)"). For better security, use Cloudflare Origin CA certificates instead—they're free, valid for 15 years, and work with Full (Strict) mode.

Why does my site work without Cloudflare but show 526 with it?

When accessing your site directly, your browser may accept certificates that Cloudflare won't (like self-signed certs if you clicked through the warning). Cloudflare enforces stricter validation in Full (Strict) mode.

How do I check if my certificate chain is complete?

Use our Chain Builder demo or run:

openssl s_client -connect yourdomain.com:443 -showcerts

You should see multiple certificates (your leaf cert + intermediates). If you only see one, the chain is incomplete.

Does Cloudflare Origin CA work if I disable the proxy (grey cloud)?

No. Cloudflare Origin CA certificates are only trusted by Cloudflare. If you disable the proxy (DNS only), browsers will show certificate warnings. Use Let's Encrypt if you need a publicly trusted certificate.

How long are Cloudflare Origin CA certificates valid?

You can choose between 7 days, 30 days, 90 days, 1 year, 2 years, 3 years, or 15 years. The 15-year option is popular for "set and forget" deployments.

I get 526 but my certificate works when I access the server directly

When you access your server directly (bypassing Cloudflare), your browser may be more lenient—accepting self-signed certs after a warning click, or ignoring minor issues. Cloudflare's Full (Strict) mode enforces proper validation. Check that:

  • Certificate is CA-signed (not self-signed) OR you're using Cloudflare Origin CA
  • Certificate hasn't expired
  • Hostname matches exactly
  • Full chain is installed
