Invalid SSL Certificate — the origin server presented an untrusted or invalid certificate
What 526 Means
The Cloudflare edge error 526 indicates an invalid SSL certificate: the origin server presented an untrusted or invalid certificate. This typically occurs because the origin SSL certificate has expired or was revoked.
The 526 error is thrown exclusively when the edge proxy is operating in strict SSL mode and the certificate presented by the origin server fails cryptographic validation.
Technical Background
The 526 status represents aggressive enforcement of trusted identity. Unlike flexible modes where the proxy ignores backend validation, strict mode requires the origin certificate to be completely unexpired, signed by a publicly recognized authority, and matching the requested hostname.
This strictness ensures end-to-end encryption without the possibility of interception between the proxy edge and the internet hosting provider.
The most common silent trigger for a 526 occurs when servers host thousands of domains. If the origin server misinterprets the SNI request and serves the primary default certificate instead of the requested domain's certificate, strict validation fails.
Common Causes
- Origin SSL certificate has expired or was revoked
- Certificate does not contain the requested domain name in its list of covered names
- The certificate is self-signed and lacks a trusted root
- Origin server is serving the generic host certificate instead of the domain certificate
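The causes above expressed as checks, as an added example that is not Cloudflare's own validation code. It takes certificate fields already decoded into the dict shape Python's ssl module uses for getpeercert(); the sample certificates, hostnames and CA name are constructed, and chain trust to a public root and revocation are not checked here.

```python
import ssl
import time

def san_matches(pattern, hostname):
    """Match one DNS SAN entry; '*' may only replace the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def strict_mode_failures(cert, hostname, now=None):
    """List the reasons `cert` would fail strict validation for `hostname`."""
    now = time.time() if now is None else now
    reasons = []
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        reasons.append("expired")
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(san_matches(n, hostname) for n in dns_names):
        reasons.append("hostname-mismatch")
    # Heuristic: issuer equal to subject means self-issued, so no public CA signed it.
    if cert.get("issuer") == cert.get("subject"):
        reasons.append("self-signed")
    return reasons

def rdn(cn):
    # Helper (hypothetical) building a name in getpeercert() layout.
    return ((("commonName", cn),),)

# Constructed sample certificates (not taken from any real host).
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")
DEFAULT_HOST_CERT = {  # generic certificate a server falls back to on an SNI miss
    "subject": rdn("localhost"), "issuer": rdn("localhost"),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "localhost"),),
}
EXPIRED_CERT = {
    "subject": rdn("shop.example.com"), "issuer": rdn("Example Public CA"),
    "notAfter": "May  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "shop.example.com"),),
}
WILDCARD_CERT = {
    "subject": rdn("*.example.com"), "issuer": rdn("Example Public CA"),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
```

Calling strict_mode_failures(DEFAULT_HOST_CERT, "shop.example.com", NOW) reports both a hostname mismatch and a self-signed certificate, which is the SNI fallback case described under Technical Background.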
Typical Scenarios
- An administrator forgets to renew the active certificate on the origin host
- A server responds to a request for a specific domain using a generic localhost identity
- A developer attempts to use strict mode while securing the backend with a self-signed key
What to Know
Encountering a 526 directs focus strictly to certificate management on the origin side. The immediate fix is renewing the expired host certificate, installing a free Cloudflare Origin certificate, or temporarily lowering the SSL strictness mode.
Frequently Asked Questions
Common questions about Cloudflare 526 error
The error happens when the network's strict encryption mode checks your origin server's SSL certificate and finds it expired, self-signed, or belonging to the wrong domain entirely.
You must renew the SSL certificate on your actual hosting server, or generate a free Cloudflare Origin Certificate to install on your host machine to satisfy strict mode.
Dropping to Flexible forces communication to plain HTTP, defeating internal encryption. Dropping to standard Full mode is often a safer temporary workaround while replacing the certificate.