
Fix Cloudflare SSL Error 526: Invalid SSL Certificate

Updated June 2026, by CertNotify Team

Cloudflare Error 526 means Cloudflare cannot validate the SSL certificate on your origin server. This happens when Cloudflare connects to your server in Full (strict) or Full SSL mode and the certificate on your origin is invalid, expired, or self-signed without being trusted.

Understanding Cloudflare SSL Modes

Off: No SSL. HTTP everywhere. Never use this.
Flexible: Cloudflare↔User: HTTPS. Cloudflare↔Origin: HTTP. No cert needed on origin.
Full: Cloudflare↔Origin: HTTPS but does NOT validate cert. Self-signed OK.
Full (Strict): Cloudflare↔Origin: HTTPS AND validates cert. Requires trusted or Cloudflare Origin CA cert.

Why Error 526 Occurs

You are using Full (Strict) mode but the origin has a self-signed certificate
Origin SSL certificate has expired
Origin SSL certificate was issued for a different hostname
Certificate chain is incomplete (missing intermediate CA)
Origin does not have an SSL certificate at all
You recently switched to Full (Strict) from another mode

Fix Option 1 — Use Cloudflare Origin CA Certificate (Recommended)

Cloudflare offers free Origin CA certificates trusted by Cloudflare's edge servers. This is the best approach for Full (Strict) mode:

1. Go to Cloudflare Dashboard → SSL/TLS → Origin Server
2. Click "Create Certificate" and choose RSA or ECC
3. Copy the certificate and private key to your origin server
4. Install them in your web server (Nginx/Apache)
5. Also download the Cloudflare Origin CA root certificate and add it to your chain

Fix Option 2 — Install a Valid Public Certificate

If you want a certificate that also works without Cloudflare, use Let's Encrypt or another public CA:

# Install Certbot and get a Let's Encrypt certificate
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Fix Option 3 — Downgrade to Full (Not Strict)

If you need a quick fix and have a self-signed certificate on origin, switch to Full mode (not strict) in the Cloudflare dashboard. This still encrypts traffic but does not validate the origin certificate. Upgrade to Full (Strict) once you have a valid cert.

Full (Strict) + Cloudflare Origin CA = Best practice
Full (Strict) + Let's Encrypt = Also excellent
⚠️ Full (not Strict) = Better than Flexible, but no cert validation
Flexible = Origin traffic is unencrypted

Verify the Fix

Wait 2–5 minutes after changes for Cloudflare cache to clear
Check the Cloudflare SSL/TLS tab — it should show "Active" status
Visit your domain — the padlock should appear in the browser
Run our SSL Checker tool to confirm certificate validity
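To see exactly which of the causes listed under "Why Error 526 Occurs" applies, check the origin directly, bypassing Cloudflare, the way the Full (Strict) edge does: connect to the origin IP with the site hostname as SNI and read the OpenSSL verification result. This is an added example, not part of the original article or a CertNotify tool; origin_ip, hostname and origin_ca_file are placeholders you supply, and origin_ca_file is the Cloudflare Origin CA root you downloaded in step 5 of Fix Option 1 (needed because Origin CA certs are not in public trust stores).

```python
import socket
import ssl

# OpenSSL X509 verification result codes (x509_vfy.h), mapped onto the
# Error 526 causes from the article.
VERIFY_CODE_CAUSES = {
    9: "certificate not yet valid (check the origin server clock)",
    10: "origin certificate has expired",
    18: "self-signed certificate on origin (not trusted by Full (Strict))",
    19: "self-signed CA in chain (issuing CA is not trusted)",
    2: "incomplete chain: issuer certificate missing",
    20: "incomplete chain: intermediate CA not found locally",
    21: "incomplete chain: cannot verify leaf signature",
    62: "certificate issued for a different hostname",
}


def classify_verify_code(code):
    """Translate an OpenSSL verify code into the matching Error 526 cause."""
    return VERIFY_CODE_CAUSES.get(code, f"verification failed (OpenSSL code {code})")


def check_origin(origin_ip, hostname, port=443, origin_ca_file=None, timeout=5.0):
    """Connect straight to the origin with SNI=hostname and return (ok, detail).

    ok is True when the certificate would pass Full (Strict) validation;
    otherwise detail names the cause. origin_ca_file optionally adds the
    Cloudflare Origin CA root to the trust store (placeholder path).
    """
    ctx = ssl.create_default_context()  # public roots + hostname checking
    if origin_ca_file:
        ctx.load_verify_locations(cafile=origin_ca_file)
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                return True, f"origin certificate valid, expires {cert['notAfter']}"
    except ssl.SSLCertVerificationError as e:  # must precede ssl.SSLError
        return False, classify_verify_code(e.verify_code)
    except ssl.SSLError as e:
        return False, f"TLS handshake failed: {e.reason} (is TLS enabled on port {port}?)"
    except OSError as e:  # refused, timeout, unreachable: origin has no TLS listener
        return False, f"cannot reach origin on port {port}: {e}"
```

Run check_origin("203.0.113.10", "yourdomain.com") against your real origin IP; a True result means the same handshake Cloudflare performs in Full (Strict) mode will succeed.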

Monitor your origin certificate

Even Cloudflare-proxied sites can trigger Error 526 when origin certs expire. CertNotify monitors both the Cloudflare edge and your origin certificate and alerts you 30 days before expiry.