Invalid SSL Certificate
Production Risk
High — all HTTPS traffic is broken. Use a Cloudflare Origin Certificate or Let's Encrypt to resolve.
526 Invalid SSL Certificate is a Cloudflare-specific error returned when Cloudflare is set to 'Full (Strict)' SSL mode and cannot validate the origin server's SSL certificate — it may be self-signed, expired, or issued by an untrusted CA.
1. The origin is using a self-signed certificate and Cloudflare SSL mode is 'Full (Strict)'.
2. The origin certificate is issued by a CA that Cloudflare does not trust.
3. The origin certificate has expired.
4. The certificate's hostname does not match the origin server's hostname.
5. The certificate chain is incomplete — intermediate certificates are missing.
A developer configured a self-signed certificate on the origin server and Cloudflare is in 'Full (Strict)' mode.
# Origin using self-signed cert
# Cloudflare SSL mode: Full (Strict) → validation fails
expected output
HTTP/1.1 526 Invalid SSL Certificate
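To find out which of the causes listed above applies before changing anything, the certificate file installed on the origin can be checked locally with the OpenSSL CLI. This is an added example, not code from Cloudflare or from the original page; the function name `check_origin_cert` and the finding labels are made up here, and the optional third argument is the CA bundle you expect the validator to trust (the system trust store is used when it is omitted, which only approximates Cloudflare's own trust decisions).

```shell
# check_origin_cert <cert-or-chain.pem> <hostname> [trusted-ca.pem]
# Prints "ok" or a space-separated list of findings for the leaf certificate
# (the first certificate in the file). Requires the openssl CLI.
check_origin_cert() {
    cert="$1"; host="$2"; ca="${3:-}"
    findings=""

    # Expired: -checkend 0 exits non-zero once notAfter has passed.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || findings="$findings expired"

    # Hostname mismatch: -checkhost reports its result as text, so match on it.
    openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null \
        | grep -q "does match" || findings="$findings hostname-mismatch"

    # Self-signed: the subject and issuer names hash to the same value.
    subj=$(openssl x509 -in "$cert" -noout -subject_hash)
    issr=$(openssl x509 -in "$cert" -noout -issuer_hash)
    if [ "$subj" = "$issr" ]; then findings="$findings self-signed"; fi

    # Untrusted CA or incomplete chain: build a path from the leaf to a trust
    # anchor, using any intermediates found in the same file (-untrusted).
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" -untrusted "$cert" "$cert" >/dev/null 2>&1 \
            || findings="$findings untrusted-chain"
    else
        openssl verify -untrusted "$cert" "$cert" >/dev/null 2>&1 \
            || findings="$findings untrusted-chain"
    fi

    echo "${findings:-ok}" | sed 's/^ //'
}
```

A result containing `self-signed` together with `untrusted-chain` corresponds to the scenario shown above; `untrusted-chain` on its own points at an untrusted CA or missing intermediates.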
Fix 1
Use a Cloudflare Origin Certificate
WHEN You want a free, trusted cert for the Cloudflare-to-origin connection.
# Cloudflare dashboard → SSL/TLS → Origin Server → Create Certificate
# Install the generated cert on your origin server
Why this works
Cloudflare Origin Certificates are trusted by Cloudflare for Full (Strict) mode and are free.
Fix 2
Use Let's Encrypt on the origin
WHEN You want a publicly-trusted certificate on the origin.
certbot --nginx -d origin.example.com
Why this works
Issues a free, publicly-trusted certificate that Cloudflare can validate.
✕ Do not permanently switch to 'Flexible' SSL mode to avoid 526
Flexible mode leaves the Cloudflare-to-origin connection unencrypted.
526 only occurs in 'Full (Strict)' SSL mode. 'Full' mode accepts self-signed certs (returns 525 on handshake failure instead).
Cloudflare 5xx error documentation
https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#526