HTTP 526 error
Cloudflare error: TLS handshake to your origin succeeded but the origin's certificate isn't trusted. Means a self-signed or expired origin cert.
HTTP 526: Invalid SSL Certificate is a Cloudflare-specific status. The TLS handshake between Cloudflare and your origin succeeded (so 525 is ruled out), but Cloudflare refused the origin's certificate because it can't validate it against a public CA chain.
You only see 526 when Cloudflare's SSL mode is set to "Full (strict)." "Full" (non-strict) accepts any cert, including self-signed.
Why this happens
- Origin cert is self-signed. Easy to do by accident. A staging environment with a self-signed cert, then someone flips the dial to "Full (strict)" in Cloudflare, and the next deploy 526s.
- Origin cert expired. Cloudflare checks the notAfter date. Expired = invalid.
- Origin cert chain is incomplete. Origin returns only the leaf cert without the intermediate. Cloudflare can't build a chain to a root it trusts.
- Wrong hostname. Origin cert covers app.example.com but Cloudflare is connecting to a hostname your cert doesn't cover. Some clients call this name mismatch.
- Self-signed (private) CA at the origin. Some setups use a private CA. Even though the origin cert chains to a CA, Cloudflare doesn't trust the CA, so it rejects.
How to fix
The right fix is to put a valid public-CA cert (Let's Encrypt, ZeroSSL, a commercial CA) on the origin. Run a quick test:
echo | openssl s_client -connect origin.example.com:443 -servername origin.example.com 2>/dev/null \
| openssl x509 -noout -dates -issuer -subject
If the issuer line matches the subject line (self-signed) or names your internal CA, that's the problem; the dates line shows whether the cert has expired, and the subject must cover the hostname Cloudflare connects to.
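The same checks Cloudflare's strict mode applies (expiry, self-signed issuer, hostname coverage, chain trust) as an added example, not Cloudflare's code and not taken from the page. It uses only Python's stdlib ssl module: classify() works offline on the dict shape that getpeercert() returns, the sample certs are constructed for illustration (not real certificates), and probe_origin() is the only part that needs network access. The hostnames, the helper names and the use of the private ssl._ssl._test_decode_cert helper (the stdlib has no public DER parser) are assumptions of this example.

```python
"""Added example (not Cloudflare's code): reproduce the checks behind a 526
with Python's stdlib ssl module. classify() works offline on the dict shape
that ssl.SSLSocket.getpeercert() returns; probe_origin() runs it against a
live origin and is the only part that needs network access."""
import socket
import ssl
import tempfile
import time
from typing import Optional


def _dn(rdns) -> dict:
    # getpeercert() encodes a DN as a tuple of RDNs, each a tuple of (type, value)
    return {k: v for rdn in rdns for (k, v) in rdn}


def hostname_matches(hostname: str, cert: dict) -> bool:
    """Match hostname against subjectAltName DNS entries; a wildcard covers
    exactly one leftmost label. Falls back to the CN only if no SAN exists."""
    names = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = _dn(cert.get("subject", ())).get("commonName")
        names = [cn] if cn else []
    host = hostname.lower().rstrip(".")
    for pattern in names:
        pattern = pattern.lower().rstrip(".")
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".example.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif pattern == host:
            return True
    return False


def classify(cert: dict, hostname: str, now: Optional[float] = None,
             verify_error: Optional[str] = None) -> str:
    """Return the 526 cause for a leaf cert dict: 'expired', 'self-signed',
    'hostname-mismatch', 'untrusted-chain' (verify_error is the message a
    verified handshake failed with, e.g. a missing intermediate) or 'ok'."""
    now = time.time() if now is None else now
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        return "expired"
    if _dn(cert.get("subject", ())) == _dn(cert.get("issuer", ())):
        return "self-signed"
    if not hostname_matches(hostname, cert):
        return "hostname-mismatch"
    if verify_error:
        return "untrusted-chain"
    return "ok"


def probe_origin(hostname: str, port: int = 443, timeout: float = 5.0) -> str:
    """Handshake the way Full (strict) does (public roots + hostname check).
    On failure, fetch the leaf without verification and classify it."""
    strict = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with strict.wrap_socket(sock, server_hostname=hostname):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        verify_error = exc.verify_message
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with lax.wrap_socket(sock, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)  # CERT_NONE returns {} otherwise
    # The stdlib has no public DER parser; this private helper (assumption: present
    # in CPython) returns the same dict getpeercert() would. Swap in the
    # 'cryptography' package if you have it.
    with tempfile.NamedTemporaryFile("w", suffix=".pem") as pem:
        pem.write(ssl.DER_cert_to_PEM_cert(der))
        pem.flush()
        leaf = ssl._ssl._test_decode_cert(pem.name)
    return classify(leaf, hostname, verify_error=verify_error)


# Constructed sample certs in getpeercert() shape (not real certificates).
NOW = 1_700_000_000  # fixed clock (Nov 2023) so results are reproducible
SELF_SIGNED = {
    "subject": ((("commonName", "origin.example.com"),),),
    "issuer": ((("commonName", "origin.example.com"),),),
    "notAfter": "Jan  1 00:00:00 2099 GMT",
    "subjectAltName": (("DNS", "origin.example.com"),),
}
PUBLIC_OK = {
    "subject": ((("commonName", "origin.example.com"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "notAfter": "Jan  1 00:00:00 2099 GMT",
    "subjectAltName": (("DNS", "*.example.com"),),
}
EXPIRED = dict(PUBLIC_OK, notAfter="Jan  1 00:00:00 2020 GMT")

if __name__ == "__main__":
    for label, cert in (("self-signed", SELF_SIGNED), ("expired", EXPIRED), ("public", PUBLIC_OK)):
        print(label, "->", classify(cert, "origin.example.com", now=NOW))
```

classify() reports the first failing check in the order expired, self-signed, hostname, chain; Cloudflare returns 526 for any of them, so the order only affects which cause you read first. The verified handshake in probe_origin() is what actually decides trust; the unverified fetch afterwards only exists to explain why it failed.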
Workaround: Cloudflare Origin Certificates
Cloudflare issues free, long-lived certs (15 years) that are trusted only by Cloudflare's edge. If your origin is private (no direct internet access except through Cloudflare), Origin Certificates fix the cert problem without needing a public CA. Don't use them on a public origin: real clients won't trust them.