cloudflare error 526 (invalid ssl certificate)
cloudflare cannot verify the certificate on your origin server. four common causes, all fixable in under an hour.
cloudflare error 526 is specifically about origin certificate trust. cloudflare sits between visitors and your server. for that connection from cloudflare to your origin to be encrypted, your origin needs a valid certificate. 'full (strict)' mode means cloudflare requires that certificate to be publicly trusted (let's encrypt, paid ca, etc) and not expired. when those conditions fail, you get 526 — and visitors see a generic cloudflare error page instead of your site.
what this looks like to a visitor
- site shows cloudflare error 526 in browser
- page worked before you turned on 'full (strict)' ssl mode in cloudflare
- let's encrypt renewal failed and the cert is expired on the origin
- you migrated origin servers and forgot to install the cert on the new one
what a public browser check can see
we connect directly and inspect the cloudflare-served headers. cf-ray, cf-cache-status and server: cloudflare confirm you are behind cf. an error 526 page in the body tells us the origin cert check failed.
if your origin ip is published in dns (an a record that bypasses cloudflare, a common misconfiguration), we connect to it directly and read the origin certificate. that tells us immediately whether it is expired, self-signed, or issued for the wrong domain.
we cannot read your cf dashboard from outside, but the symptom (526) only happens in 'full' or 'full (strict)' mode. the fix path depends on which you have.
we check whether the certificate's common name and subject alt names match the host cloudflare is connecting to. mismatch is a frequent cause after subdomain migrations.
we do not log into your site. we do not scrape customer data. we open your public homepage in a real browser session and report what we see. no security claims unless we can prove them from the public surface.
the deeper picture
the four common causes:
- (1) certificate expired on origin. let's encrypt certificates last 90 days, and if the renewal cron failed, the origin cert is dead but cloudflare still expects it. fix: renew the cert.
- (2) you migrated origin servers and the new server does not have a certificate installed. fix: install one (let's encrypt + certbot is the standard path).
- (3) you are in 'full (strict)' mode but the origin has a self-signed certificate. cloudflare does not trust those. fix: either move to 'full' (encrypted but accepts self-signed) or install a public cert.
- (4) wrong-domain certificate. you migrated subdomains and the origin cert covers the wrong host. fix: re-issue with the correct subject alt names.
cloudflare also offers free 'origin server certificates' which are issued by cloudflare and trusted only by cloudflare — useful if you do not want a publicly visible cert on the origin.
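the direct-to-origin read described above, and the classification into the four causes, as an added example that is not part of this page's own tooling: `diagnose()` takes a certificate in the shape python's `ssl` module returns from `getpeercert()` and names the 526-relevant defects; `probe_origin()` does the live read against an origin ip (both function names and the sample hostnames are assumptions for illustration).

```python
import socket
import ssl
import time

def _dn(dn):
    # getpeercert() encodes a DN as a tuple of RDNs, each a tuple of (key, value)
    return {k: v for rdn in dn for k, v in rdn}

def _matches(pattern, hostname):
    # one wildcard, only as the leftmost label, standing for exactly one label
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return pattern == hostname

def diagnose(cert, hostname, now=None):
    """Return the 526-relevant defects of an origin cert (getpeercert() shape);
    an empty list means current, CA-issued and covering `hostname`."""
    now = time.time() if now is None else now
    problems = []
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):   # cause (1)
        problems.append("expired")
    elif now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not-yet-valid")
    subject, issuer = _dn(cert["subject"]), _dn(cert["issuer"])
    if subject == issuer:  # cause (3): nobody but the server itself vouches for it
        problems.append("self-signed")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names = names or [subject.get("commonName", "")]
    if not any(_matches(n, hostname) for n in names):  # cause (4)
        problems.append("hostname-mismatch")
    return problems

def probe_origin(origin_ip, hostname, port=443, timeout=5.0):
    """Connect straight to the origin (bypassing Cloudflare) with the public CA
    bundle, the same bar 'full (strict)' sets, and report what would fail."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return diagnose(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as err:
        # OpenSSL's own reason text, e.g. "certificate has expired",
        # "self-signed certificate", "Hostname mismatch, ..."
        return [err.verify_message]
```

a cert that passes `diagnose()` here can still fail at cloudflare if the origin serves an incomplete chain, so treat an empty result as "nothing obvious", not proof.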
fix it yourself
- step 1: in cloudflare dashboard → ssl/tls → overview, check the mode. if you are in 'full (strict)', the origin must have a valid public certificate. either renew the origin cert (let's encrypt is free) or drop to 'full' (still encrypted, less strict about cert validity).
- step 2: if the origin cert is expired, run certbot renew or equivalent on the origin server.
- step 3: install the cert on the new origin if you migrated servers.
- step 4: clear cloudflare cache (purge everything) and test again.
run the audit on YOUR site — check for "cloudflare error 526 (invalid ssl certificate)"
we open your homepage in a real headless browser and report what we see. no login, no plugin install.
or pay us once.
this is a one-hour fix once you know which of the four it is. the public check identifies the symptom. for the actual fix you need access to your origin server (ssh or host control panel) and your cloudflare account. if you do not have either, or you prefer to hand it off, the $99 fix: we get the origin cert valid and the cloudflare mode appropriate, verify the site loads, set up monitoring so the next expiry does not catch you. done same day in most cases.
frequently asked
not strictly bad — the connection cloudflare→origin is still encrypted. you just lose the guarantee that the origin is who it claims to be. for most small sites this is fine. for sites handling payment data, strict is the right default.
a free cert cloudflare issues that is trusted only by cloudflare (not browsers directly). you install it on your origin. cloudflare connects, verifies, and serves visitors from its edge with a publicly-trusted cert. good for cf-only setups.
monitoring. our $19/mo monitor checks both the cloudflare-served version of your site and (where exposed) the origin cert directly. you get warned at 14 days before any cert expiry.
yes, while it is happening. crawlers see the 526 page and treat it as downtime. fix it within a day and the impact is minimal; weeks of downtime cause real ranking drops.
other fix guides
- why is my wordpress site slow — what an external browser sees when your wordpress homepage takes too long to render — and the four things that are almost always behind it.
- shopify checkout feels broken — how to find out why — a public browser check of your shopify storefront can surface the visible reasons people abandon. here is what we look for.
- contact form looks fine but i'm not getting emails — this is the most common silent failure mode of small-business websites. four reasons it usually is — and how a public check can rule out the wrong ones.
- wix site not showing on google — what a public check can tell you — your wix site exists, but it does not appear in google search results. four reasons that explain almost every case.
built by vøiddo — a small studio shipping ai-flavoured products, free dev tools, chrome extensions and weird browser games. legal · support@voiddo.com