
Troubleshooting Cloudflare’s 526 error code

Cloudflare is a leading Content Delivery Network (CDN) provider, or "connectivity cloud network" as they call it. Cloudflare's services are used by many organizations to optimize, cache and protect their web applications. Cloudflare provides these services by having you resolve your domain names to its anycast IPs (by setting the proxy status of your DNS record to "proxied") and routing inbound traffic to your web application through its network; Cloudflare essentially serves as a reverse proxy for your web traffic, as shown below.

In this article, I share my experience with handling the common Cloudflare 526 error code.

Cloudflare Error 526 – Invalid SSL certificate

A common error encountered by Cloudflare users when setting up the Full (strict) encryption mode for traffic proxied via Cloudflare is error code 526 (shown below), which indicates an invalid SSL certificate on the origin server.

Resolution

Cloudflare publishes a troubleshooting article for error 526. However, the problem is sometimes not obvious, so I'm sharing my experience with this error and the steps taken to resolve it.

STEP 1: On Cloudflare, disable proxy status (switch from "proxied" to "DNS only") for the relevant DNS A/AAAA/CNAME records. This causes all inbound traffic to your web application to go directly to your public-facing origin server endpoint (typically a public load balancer with web servers behind it), because your public domain name now resolves directly to the public IPs of that endpoint.

STEP 2: Use SSL Shopper’s SSL Checker to verify the SSL certificate installed on your origin server for the domain name accepting inbound traffic for your web application.

STEP 3: Analyze the SSL Checker response carefully to determine the root cause.

Look at the SSL checker results above. One result shows a broken certificate chain, while the other shows a successfully validated certificate chain. The root cause of the broken chain is not obvious, but if you look closely you will see that the serial numbers of the intermediate certificate authorities differ, and that one of the intermediate certificate authorities in the broken chain uses the ECDSA signature algorithm (the ECDSA detail may be irrelevant).

The root cause of the issue was a broken certificate chain caused by stitching together the wrong certificates. To resolve it, we downloaded the entire certificate chain from our certificate authority, deployed it on our origin server, and obtained successful SSL checker results.

STEP 4: After confirming a successful certificate chain validation on your origin server with SSL checker, re-enable proxy status for the relevant DNS record(s) on Cloudflare. Your web application's inbound traffic will now flow through the Cloudflare network without issue, and error 526 should be resolved even with the Full (strict) encryption mode enabled.
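The same chain check can be run locally before touching the Cloudflare proxy status, using nothing but the openssl CLI. The script below is an added example (not code from the original post or from Cloudflare): it constructs a throwaway root CA, two intermediates with the same subject name but different keys and serial numbers, and a leaf signed by only one of them, then shows that a name-only comparison passes for both intermediates while a real chain verification exposes the wrongly stitched one. All names, keys and certificates are constructed on the fly; it assumes `openssl`, `sed` and `mktemp` are available.

```shell
#!/bin/sh
# Added example, not code from the original post or from Cloudflare. It rebuilds the
# failure found above (a chain stitched with the wrong intermediate from the same CA,
# differing only by key and serial number) and checks it locally with openssl, which
# is what SSL Checker does for you. All names, keys and certificates are constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=CA:TRUE\n'  > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# Constructed root CA (in practice: your CA's public root certificate)
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Example Root" -days 2 >/dev/null 2>&1

# issue NAME CN ISSUER EXTFILE: key + CSR for NAME, signed by ISSUER's key
issue() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -out "$1.pem" -days 2 -extfile "$4" >/dev/null 2>&1
}
issue inta "Example Intermediate" root ca.ext    # the intermediate that signs the leaf
issue intb "Example Intermediate" root ca.ext    # same subject DN, different key/serial
issue leaf "www.example.test"     inta leaf.ext  # the origin server certificate

# dn_match LEAF INT: "yes" if the leaf's issuer DN equals the intermediate's subject DN.
# This is the check an eye makes on a bundle; it passes for BOTH intermediates here.
dn_match() {
  l=$(openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer=//')
  i=$(openssl x509 -noout -subject -in "$2" | sed 's/^subject=//')
  [ "$l" = "$i" ] && echo yes || echo no
}

# verify_chain LEAF INT: "ok" if LEAF chains to the root through INT, else "broken".
# Equivalent to the chain status SSL Checker reports.
verify_chain() {
  if openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1; then
    echo ok; else echo broken; fi
}

# serial CERT: the serial number, the detail that differed between the two results above
serial() { openssl x509 -noout -serial -in "$1" | sed 's/^serial=//'; }

echo "intA serial $(serial inta.pem), intB serial $(serial intb.pem)"
echo "DN match  A=$(dn_match leaf.pem inta.pem)  B=$(dn_match leaf.pem intb.pem)"
echo "chain     A=$(verify_chain leaf.pem inta.pem)  B=$(verify_chain leaf.pem intb.pem)"
```

To check a production bundle the same way, point `verify_chain` at your real leaf certificate, the intermediate you deployed, and your CA's root in place of the constructed files.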

Conclusion

In this article, I shared an example of successfully troubleshooting the common Cloudflare 526 error code, which denotes that the SSL certificate on your origin server cannot be verified. Rather than switching the encryption mode down to Full (less secure than Full (strict)), I recommend troubleshooting the issue methodically, and if the cause isn't obvious (all other certificate requirements being valid), checking the certificate chain with your certificate authority. Note that Cloudflare will switch to a default Automatic SSL/TLS encryption mode, which may help reduce occurrences of the 526 error.
