526 Invalid SSL Certificate
The 526 Invalid SSL Certificate status code appears when Cloudflare or Cloud Foundry's Gorouter is unable to validate the SSL/TLS certificate presented by the origin server or backend application.
Usage
Cloudflare is a content delivery network acting as a reverse proxy between clients and origin servers. The 526 error means the SSL/TLS handshake completed, but the origin server's certificate failed validation. This error appears when the Cloudflare SSL/TLS mode is set to Full (Strict), which requires a valid, trusted certificate on the origin.
Common causes include:
- The origin server's SSL certificate has expired.
- The certificate was issued by an untrusted or self-signed certificate authority.
- The certificate's common name (CN) or Subject Alternative Name (SAN) does not match the origin hostname.
- The certificate chain is incomplete (missing intermediate certificates).
Cloud Foundry's Gorouter also returns 526 when backend SSL verification is enabled and the backend presents a certificate signed by an unknown authority. The Gorouter logs this as backend_invalid_tls_cert and retries up to three times before returning the error to the client.
Note
Switching Cloudflare's SSL mode from Full (Strict) to Full skips certificate validation, but reduces security. A better approach is to install a valid certificate on the origin, such as a free Cloudflare Origin CA certificate.
SEO impact
Search engines treat Cloudflare 526 responses as server errors. Persistent certificate validation failures reduce crawl rate and prevent indexing of affected URLs. Installing a valid origin certificate restores normal crawling.
Example
A client sends an HTTPS request through Cloudflare. Cloudflare connects to the origin and performs the SSL/TLS handshake, but the origin's certificate has expired, triggering a 526 error.
Request
GET /dashboard HTTP/1.1
Host: www.example.re
Accept: text/html
Response
HTTP/1.1 526 Invalid SSL Certificate
Date: Mon, 02 Mar 2026 10:45:00 GMT
Content-Type: text/html
Server: cloudflare
CF-RAY: 8a1b2c3d4e5f6-SIN
<html>
<head><title>526 Invalid SSL Certificate</title></head>
<body>
<h1>Error 526</h1>
<p>Invalid SSL certificate</p>
</body>
</html>
How to fix
A 526 only occurs when the Cloudflare SSL/TLS mode is set to Full (Strict). In this mode, Cloudflare validates the origin's certificate against its trust store.
Install a valid, trusted SSL certificate on the origin. The certificate must meet all of these conditions:
- Not expired or revoked.
- Signed by a trusted certificate authority (not self-signed, unless added to the Custom Origin Trust Store).
- Includes the requested hostname in the Common Name (CN) or Subject Alternative Name (SAN) field.
- Contains the full chain: leaf certificate, all intermediate certificates, and the root CA.
Generate a free Cloudflare Origin CA certificate in the dashboard under SSL/TLS > Origin Server > Create Certificate. This certificate is trusted by Cloudflare for up to 15 years and eliminates third-party CA dependency for the origin connection.
For self-signed certificates, add the certificate to the Custom Origin Trust Store in the Cloudflare dashboard. This tells Cloudflare to trust the specific self-signed certificate during validation.
Temporarily pause Cloudflare and run the SSL Shopper SSL Checker or openssl s_client -connect origin:443 to inspect the certificate chain the origin presents. Missing intermediate certificates are a common cause of chain validation failures.
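The certificate conditions listed above can be checked from outside Cloudflare by handshaking with the origin directly and reading OpenSSL's verify code; this is an added example, not code from the original page or from Cloudflare. It assumes the local system trust store as a stand-in for Cloudflare's, so a Cloudflare Origin CA or Custom Origin Trust Store certificate is reported as untrusted here, and it does not check revocation. The function names and the optional origin IP argument are illustrative.

```python
import socket
import ssl
import sys
import time

# OpenSSL X509_V_ERR_* verify codes mapped to the causes listed on this page.
CAUSES = {
    9: "certificate is not yet valid",
    10: "certificate has expired",
    18: "self-signed certificate",
    19: "self-signed certificate in chain (untrusted CA)",
    20: "issuer not found: incomplete chain or untrusted CA",
    21: "leaf cannot be verified: missing intermediate certificates",
    62: "hostname not in CN/SAN",
}


def classify(verify_code):
    """Translate an OpenSSL verify code into a likely 526 cause."""
    return CAUSES.get(verify_code, f"other validation failure (code {verify_code})")


def days_left(not_after, now=None):
    """Whole days until a certificate's notAfter string; negative if expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def check_origin(hostname, address=None, port=443, timeout=10):
    """Handshake with the origin directly, validating chain and hostname.
    `address` is the origin IP (hypothetical argument); SNI and name check use
    `hostname`. Trust comes from the local system store (assumption)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    try:
        with socket.create_connection((address or hostname, port), timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                left = days_left(tls.getpeercert()["notAfter"])
                return True, f"valid, expires in {left} days"
    except ssl.SSLCertVerificationError as err:
        return False, classify(err.verify_code)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check_origin.py HOSTNAME [ORIGIN_IP]")
    ok, detail = check_origin(*sys.argv[1:3])
    print("PASS:" if ok else "FAIL:", detail)
    sys.exit(0 if ok else 1)
```

Passing the origin IP as the second argument reaches the origin without pausing Cloudflare, while the hostname is still used for SNI and the name check.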
As a quick workaround, switch the SSL/TLS mode from Full (Strict) to Full. This skips certificate validation entirely but reduces security. Use this only as a temporary measure while fixing the origin certificate.
See also
- 525 SSL Handshake Failed
- 520 Web Server Is Returning an Unknown Error
- Troubleshooting Cloudflare Errors
- HTTP status codes