Cloudflare Error 526: What It Means and How to Fix It

Appears on: Sites using Cloudflare with Full (Strict) SSL. Error 526 Invalid SSL Certificate means Cloudflare completed the TLS handshake with the origin but rejected the certificate — it is self-signed, expired, or does not match the domain. This only occurs in Full (Strict) mode, which validates the origin certificate.

What Cloudflare 526 actually means

In Full (Strict) SSL mode, Cloudflare validates the origin certificate the same way a browser would: it must be issued by a trusted CA, must not be expired, and must cover the requested hostname. If any check fails, Cloudflare returns 526 rather than forwarding the request. This is the strictest SSL mode and the one most site operators should aim for, but it requires a properly signed certificate on the origin — not a self-signed one.

Most likely causes (ranked)

  1. Self-signed certificate on the origin — not trusted by Cloudflare in Full (Strict) mode
  2. Origin certificate expired — Let's Encrypt auto-renewal failed or was not configured
  3. Certificate hostname mismatch — cert covers www.example.com but origin serves example.com
  4. Incomplete certificate chain — missing intermediate CA certificates on the origin
  5. Recently switched to Full (Strict) without first updating the origin certificate

How to fix Cloudflare 526

Step 1: Diagnose the certificate problem

From a terminal, check the origin certificate:

openssl s_client -connect YOUR_ORIGIN_IP:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -dates -subject -issuer

Look for: self-signed issuer, expired notAfter date, or subject that doesn't match your domain.

Step 2: Install a Cloudflare Origin Certificate (recommended)

In Cloudflare dashboard → SSL/TLS → Origin Server → Create Certificate. Download the certificate and private key, then install them in your web server's SSL configuration. Cloudflare Origin Certificates are free, last 15 years, and are fully trusted by Cloudflare in Full (Strict) mode.

Step 3: Install or renew a Let's Encrypt certificate

Let's Encrypt certificates are also trusted by Cloudflare. Install with:

certbot --nginx -d yourdomain.com -d www.yourdomain.com

If a cert already exists but is expired: certbot renew --force-renewal. Confirm auto-renewal is working: systemctl status certbot.timer.

Step 4: Temporary workaround — downgrade to Full mode

Cloudflare dashboard → SSL/TLS → Overview → set to Full (not Full Strict). Full mode allows self-signed certificates — the connection is still encrypted but the certificate isn't validated. Use only while replacing the origin certificate.

Step 5: Verify the certificate covers the correct hostname

Check the Subject Alternative Names on the origin certificate:

openssl s_client -connect YOUR_ORIGIN_IP:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -text | grep -A2 'Subject Alternative Name'

The certificate must cover the hostname Cloudflare uses to connect to the origin (usually your domain).
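The two openssl checks in Step 1 and Step 5 can be folded into one script that classifies the origin certificate against the causes listed above (self-signed, expired, hostname mismatch). This is an added example, not part of the original guide or of any Cloudflare tooling; it assumes OpenSSL 1.1.1 or newer (for -checkhost) and treats the certificate as Cloudflare would, matching the hostname against the Subject Alternative Names. The fetch and chain functions need network access to the origin, so they are not exercised offline.

```shell
#!/bin/sh
# Added example: classify an origin certificate for the 526 causes above.
# Assumes OpenSSL 1.1.1+ (needed for -checkhost).

# fetch_origin_cert ORIGIN_IP HOSTNAME OUT_PEM
# Saves the leaf certificate the origin presents for HOSTNAME (via SNI) to OUT_PEM.
fetch_origin_cert() {
  openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$3"
}

# check_origin_chain ORIGIN_IP HOSTNAME
# Returns 0 when the origin sends a chain the local trust store can verify;
# "unable to get local issuer certificate" here usually means a missing intermediate (cause 4).
check_origin_chain() {
  openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# check_origin_cert CERT_PEM HOSTNAME
# Prints one line per problem Full (Strict) would reject on; returns 0 only if none found.
check_origin_cert() {
  cert="$1"; host="$2"; problems=0

  # Cause 1: a self-signed certificate has issuer == subject.
  subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject=//')
  issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer=//')
  if [ "$subject" = "$issuer" ]; then
    echo "SELF_SIGNED: issuer equals subject ($issuer)"
    problems=$((problems + 1))
  fi

  # Cause 2: -checkend 0 exits non-zero when notAfter is already in the past.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "EXPIRED: $(openssl x509 -in "$cert" -noout -enddate)"
    problems=$((problems + 1))
  fi

  # Cause 3: -checkhost applies the same SAN matching rules a browser (and Cloudflare) uses.
  if openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does NOT match'; then
    san=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//')
    echo "HOSTNAME_MISMATCH: $host not covered; SAN = ${san:-none}"
    problems=$((problems + 1))
  fi

  [ "$problems" -eq 0 ]
}

# Usage: sh check526.sh YOUR_ORIGIN_IP yourdomain.com
if [ "$#" -eq 2 ]; then
  tmp=$(mktemp)
  fetch_origin_cert "$1" "$2" "$tmp" && check_origin_cert "$tmp" "$2"
  check_origin_chain "$1" "$2" || echo "CHAIN: origin chain did not verify (missing intermediate?)"
  rm -f "$tmp"
fi
```

A Cloudflare Origin Certificate or Let's Encrypt certificate passes the self-signed test because its issuer differs from its subject; only the hostname and expiry checks then matter.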

Frequently Asked Questions

Why does 526 only appear in Full (Strict) mode?

Full (Strict) validates the origin certificate like a browser does. Full mode (non-Strict) skips validation and accepts self-signed certificates. Flexible mode skips TLS to the origin entirely. 526 only fires in Full (Strict) because the other modes don't validate the certificate.

Can I use a self-signed certificate with Cloudflare?

Yes, but only with Full (not Strict) SSL mode. For proper validation without a public CA, use a Cloudflare Origin Certificate — it's free, lasts 15 years, and is trusted by Cloudflare's Full (Strict) mode. Visitors only connect to Cloudflare (not the origin directly), so the certificate doesn't need to be publicly trusted.
