Error 526 displayed by Cloudflare is usually caused by the SSL certificate on the origin server, but when Universal SSL is enabled yet not active, it is a different issue.
There is more than one reason why Cloudflare reports an invalid SSL certificate and shows Error 526 while the Universal SSL certificate is not active.
In both situations Cloudflare Universal SSL is enabled on the dashboard; the two are told apart by checking which certificate the browser actually sees:
- Cloudflare Universal SSL is enabled on the dashboard and active: the browser shows Cloudflare's certificate, identified as “sni.cloudflaressl.com”.
- Cloudflare Universal SSL is enabled on the dashboard but not active: the browser shows some other certificate instead of sni.cloudflaressl.com.
Remember that the browser cache must be cleared before each test.
The first case, Cloudflare's “error 526 invalid ssl certificate”, is well known and easily resolved.
If the origin server has only a “self-signed” certificate generated by the server itself, you can use the “Flexible” or “Full” mode but not “Full (strict)”: Full (strict) verifies the origin certificate and returns 526 when it is self-signed, expired or issued for the wrong hostname. If the origin has a trusted certificate (from a public CA such as Let's Encrypt, or a Cloudflare Origin CA certificate, which Cloudflare's proxy trusts even though browsers do not), all three modes work, and Full (strict) is the one to use: Flexible sends traffic between Cloudflare and the origin over plain HTTP, and Full encrypts that hop but accepts any certificate, so neither protects it against an attacker on the path.
The Cloudflare dashboard explains this too, and you can fix it yourself without asking for help, because this first cause is the easy one.
How to fix Cloudflare error 526 invalid SSL:
- Pause Cloudflare on the site, then purge the cache.
- Disable the HTTPS and www redirects on the server, so the origin can be tested directly.
- Install an SSL certificate on the origin server.
- Open a browser without cache and test the origin server's certificate.
- Re-enable Cloudflare on the site, then set the SSL/TLS mode (Full, or Full (strict)).
- Repeat step 4 to test the Cloudflare Universal SSL certificate.
To pause Cloudflare on the site and purge the cache:
- Go to the Cloudflare dashboard (Overview).
- At the bottom right, click “Pause Cloudflare on Site”.
- Go to “Caching”, “Configuration”, then “Purge everything”.
To install an SSL certificate on the origin server:
- Some web hosting providers, such as Bluehost, provide AutoSSL (Let's Encrypt).
- On others, such as GoDaddy, install one manually (Let's Encrypt) or get one from GoDaddy.
- Or get a free certificate from Cloudflare: “SSL/TLS”, “Origin Server”, “Create Certificate”. A Cloudflare Origin CA certificate is trusted only by Cloudflare's proxy, not by browsers, so testing the origin directly in a browser (step 4) will show a warning for it; that is expected, and the certificate is still valid for Full (strict) once the proxy is re-enabled.
To open a browser without cache:
- Clear the browser cache, or…
- Open a “Guest” or “Incognito” window.
- Open “Developer tools” (F12, or Ctrl+Shift+J in Chrome on Windows).
- Click “Settings” (the gear icon on the right).
- Under “Network”, check “Disable cache (while DevTools is open)”.
If this was successful you will see Cloudflare's certificate in the browser as sni.cloudflaressl.com. If not, things are a bit more complex and you should look at the problem described below.
The second case is harder to resolve: the Universal SSL certificate is not active even though it is enabled on the dashboard. The origin server's certificate is trusted, but error 526 still shows!
The problem may lie in DNS or hosting configuration stored somewhere you no longer have access to, such as an old registrar or an old web host.
If you have been facing this problem for more than two weeks, you already know about the problems DNSSEC can cause.
DNSSEC is a great solution when it is configured correctly, and deactivated in time, before you transfer your domain elsewhere. The DS record the registry publishes for your domain must match a key your current DNS provider serves; when it does not, validating resolvers fail the whole domain, and since the certificate authorities that issue Cloudflare's Universal SSL certificates validate domain control through such resolvers, the certificate cannot be issued and stays inactive.
The browser sees the certificate as trusted, but Cloudflare displays error “526”. You have replaced the certificate with another one, but the problem persists. Cloudflare offers a free certificate to install on the origin server, but the problem continues just the same, with no change.
The effect is even more bizarre. In the certificate details shown by the browser you see a certificate you cannot find anywhere: it has a different expiration date and was probably issued by an unknown CA. So it is neither the standard “Universal SSL” certificate Cloudflare normally enables (sni.cloudflaressl.com) nor the one currently installed on your server. It is a third one. In practice this means the TLS connection is being terminated by something you do not control, so check where the name actually resolves (for example with dig) before changing anything else.
In this case the redirect to HTTPS does not work. But there is an even bigger problem: when you visit the HTTP site you see another variant of the parked website, something you did not create and do not have access to.
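The browser check above can be scripted so that the origin and the Cloudflare edge are compared side by side. The following script is an added example written for this page, not code from the original post or from Cloudflare. ORIGIN_IP and HOST are placeholders you substitute, and the classification rules (the sni.cloudflaressl.com name from the text, the Cloudflare Origin CA issuer string, subject equal to issuer for self-signed) are heuristics assumed here. Point it at the origin's IP to see what Cloudflare's proxy sees, and at the proxied hostname to see what visitors get:

```shell
#!/bin/sh
# Added example (not from the original post): classify the certificate an HTTPS
# endpoint presents, which the troubleshooting steps above do by eye in the browser.
# Usage: sh check_cert.sh ORIGIN_IP HOST   (origin directly, bypassing Cloudflare)
#        sh check_cert.sh HOST HOST        (through Cloudflare, if the site is proxied)
# ORIGIN_IP and HOST are placeholders, not values from the post.

# Connect to $1:443 with SNI/hostname $2 and print the leaf certificate's subject,
# issuer and OpenSSL's verification result, one per line (subject=/issuer=/verify=).
probe_cert() {
  printf '' | openssl s_client -connect "$1:443" -servername "$2" -verify_hostname "$2" 2>/dev/null \
    | sed -n -e 's/^ *subject=/subject=/p' \
             -e 's/^ *issuer=/issuer=/p' \
             -e 's/^ *Verify return code: /verify=/p'
}

# Classify the three lines printed by probe_cert. Prints one of:
# cloudflare-universal, cloudflare-origin-ca, self-signed, trusted, untrusted.
# The match strings are assumptions based on the text and on Origin CA issuer names.
classify_cert() {
  subject=$(printf '%s\n' "$1" | sed -n 's/^subject=//p')
  issuer=$(printf '%s\n' "$1" | sed -n 's/^issuer=//p')
  verify=$(printf '%s\n' "$1" | sed -n 's/^verify=//p')
  case "$subject" in
    *sni.cloudflaressl.com*) echo cloudflare-universal; return 0 ;;
  esac
  case "$issuer" in
    *"CloudFlare Origin SSL Certificate Authority"*) echo cloudflare-origin-ca; return 0 ;;
  esac
  # A certificate that issued itself is self-signed.
  if [ -n "$subject" ] && [ "$subject" = "$issuer" ]; then
    echo self-signed; return 0
  fi
  # Verify return code 0 means the chain and hostname check passed.
  case "$verify" in
    0*) echo trusted ;;
    *)  echo untrusted ;;
  esac
}

# Would Cloudflare's "Full (strict)" mode accept this certificate on the origin?
# It needs a publicly trusted certificate for the hostname or a Cloudflare Origin CA
# certificate; self-signed, mismatched or expired certificates yield error 526.
full_strict_ok() {
  case "$1" in trusted|cloudflare-origin-ca) return 0 ;; *) return 1 ;; esac
}

if [ $# -eq 2 ]; then
  out=$(probe_cert "$1" "$2")
  printf '%s\n' "$out"
  kind=$(classify_cert "$out")
  if full_strict_ok "$kind"; then
    echo "$kind: Full (strict) would accept this origin certificate"
  else
    echo "$kind: Full (strict) would reject this (use Full, or install a trusted or Origin CA certificate)"
  fi
fi
```

`full_strict_ok` encodes the rule from the text: Full (strict) accepts a publicly trusted certificate for the hostname or a Cloudflare Origin CA certificate, and anything else produces error 526. The `-verify_hostname` option makes OpenSSL report a name mismatch (return code 62) rather than only chain problems, because Full (strict) checks the hostname as well as the chain.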
But how can we solve this? Can error 526 disappear and everything return to normal operation?
We think there is a solution.
One thing should be clear: changes to DNS records take time to propagate and be validated.
If the Universal SSL certificate is not active and error 526 keeps showing up:
- If you are not a Cloudflare Free user but on a paid plan, you are in luck and very close to the solution: open a support ticket and ask Cloudflare to delete all old DNSSEC records.
- If you are on the Cloudflare Free plan, you can only seek help from the Cloudflare community, and so far it has been difficult to find a solution to an issue as complicated as this one. Understandably, Cloudflare cannot reply to every one of its many Free plan users.
- If you enabled DNSSEC at your domain's old registrar and transferred the domain to a new registrar without deactivating DNSSEC at the old one, you are in a bit of trouble, but there is a solution to every situation. Contact the old registrar and ask them to delete all DNS and DNSSEC data, in particular the DS record for your domain, and if by chance any SSL certificate is still there, kindly ask them to delete that too.
- Disable any Cloudflare app or service installed on the server or shared hosting. Believe me, this is very important.
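The “old DNSSEC records” in the list above are the DS records the registry publishes for the domain; when they name a key that the current DNS provider no longer serves, every validating resolver fails the domain. The script below is an added example for this page, not code from the original post or from Cloudflare. It assumes dig is installed and that its +multi output labels each DNSKEY with “key id = N”; the sample records used to exercise it are constructed. Run it as sh check_ds.sh yourdomain.example before opening a ticket, so that the request to the registrar or to Cloudflare can name the exact stale key tag:

```shell
#!/bin/sh
# Added example (not from the original post): report DS records at the parent zone
# that no DNSKEY served by the domain matches. Such a DS is the leftover from an old
# registrar or DNS host that breaks DNSSEC validation after a transfer.
# Usage: sh check_ds.sh yourdomain.example   (the domain is a placeholder)

# Key tags listed in the parent's DS set. "dig +short DS example.com" prints one
# "<keytag> <algorithm> <digesttype> <digest>" line per DS record.
ds_key_tags() {
  printf '%s\n' "$1" | awk 'NF >= 4 { print $1 }'
}

# Key ids of the DNSKEYs the zone itself serves. "dig +multi DNSKEY example.com"
# appends a comment such as "; KSK; alg = ECDSAP256SHA256 ; key id = 31589" to each key.
dnskey_ids() {
  printf '%s\n' "$1" | sed -n 's/.*key id = \([0-9][0-9]*\).*/\1/p'
}

# Print every DS key tag that no served DNSKEY matches. Each such DS is stale:
# validating resolvers cannot build a chain of trust and SERVFAIL the domain.
stale_ds_tags() {
  for tag in $(ds_key_tags "$1"); do
    found=0
    for id in $(dnskey_ids "$2"); do
      [ "$tag" = "$id" ] && found=1
    done
    [ "$found" -eq 0 ] && printf '%s\n' "$tag"
  done
  return 0
}

# Live check: fetch both record sets with dig and report. Returns 1 on stale DS.
check_dnssec_chain() {
  ds=$(dig +short DS "$1")
  keys=$(dig +multi DNSKEY "$1")
  if [ -z "$ds" ]; then
    echo "$1: no DS at the parent; DNSSEC is not enabled for this delegation"
    return 0
  fi
  stale=$(stale_ds_tags "$ds" "$keys")
  if [ -n "$stale" ]; then
    echo "$1: stale DS key tag(s) with no matching DNSKEY: $(printf '%s' "$stale" | tr '\n' ' ')"
    echo "  validating resolvers will SERVFAIL; compare: dig @1.1.1.1 $1 A  vs  dig @1.1.1.1 $1 A +cd"
    return 1
  fi
  echo "$1: every DS at the parent matches a served DNSKEY"
}

if [ $# -eq 1 ]; then check_dnssec_chain "$1"; fi
```

A non-empty stale list means the DS must be removed or replaced at the registrar (the registry side), not in the zone: deleting or adding DNSKEYs at the new DNS provider cannot repair a DS that points at a key nobody serves. Comparing `dig @1.1.1.1 yourdomain.example A` with the same query plus `+cd` (checking disabled) confirms the diagnosis; the first returns SERVFAIL while the second resolves.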
Some services offered for free are unnecessary.
Today the number of companies offering web hosting at different levels is quite high. Some of them bundle a free CDN service with their hosting, even promoting it as a free or paid feature. This is unnecessary and, instead of improving the service, it can have the opposite effect. If you ask me, never activate such a service. If you need a CDN, Cloudflare or anything else, you can set it up yourself by opening an account directly with the CDN or DNS management service.
So, if you have enabled a service like this, ask the web host to completely delete the Cloudflare configuration on the origin server; of course, if you have access, you can try this yourself.
In most cases the technical support staff will tell you that they do not hold any DNS configuration for your domain. Insist on deleting that configuration, or at least on deleting the service or application that activates and configures the CDN.
A brief conclusion about the issue.
We think that if you have had a problem like this, you may be the victim of a lack of necessary information. This issue needs a clearer explanation from those who provide the feature. DNSSEC is a service created to protect websites. It works quite well, but in the hand-off between domain registrar and DNS management there are still flaws that need to be resolved. Maybe ICANN should set some clear standards.
Today some DNS management services do not offer DNSSEC at all. Some offer it, but not all support the same algorithms. And unfortunately there is no warning about the trouble this service can cause when it is left misconfigured.
However, this is the internet and new features are being developed every day.
Of course, we should ask for more information before using these features.