C…

Error 526

This error indicates that Cloudflare is unable to verify the SSL certificate on your origin server, preventing a secure connection from being established. This error occurs when these two conditions are true:

  • Cloudflare cannot validate the SSL certificate at your origin web server.
  • *Full SSL (Strict)* **SSL** is set in the **Overview** tab of your Cloudflare **SSL/TLS** app.

Here are some options to fix or work around this issue:

Options to Fix or Workaround

  • For a potential quick fix, set **SSL** to *Full* instead of *Full (strict)* in the **Overview** tab of your Cloudflare **SSL/TLS** app for the domain.
  • Add your self-signed SSL certificate to the Custom Origin Trust Store. This allows the Cloudflare edge to recognize your self-signed SSL certificate as valid.
  • Use a Cloudflare Origin CA certificate at your origin.
  • Request your server administrator or hosting provider to review the origin web server's SSL certificates and verify that:
    • Certificate is not expired.
    • Certificate is not revoked.
    • Certificate is signed by a Certificate Authority (not self-signed).
    • The requested or target domain name and hostname are in the certificate's **Common Name** or **Subject Alternative Name**.
    • The certificate chain is complete - the origin server must serve the leaf certificate along with any required intermediate CA certificates so that Cloudflare can build a trusted chain to a root CA.
    • Your origin web server accepts connections over SSL port 443.
  • Temporarily pause Cloudflare and visit https://www.sslshopper.com/ssl-checker.html#hostname=www.example.com (replace www.example.com with your hostname and domain) to verify that no issues exist with the origin SSL certificate.
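
The expiry, self-signed, hostname and invalid-character checks described on this page can be scripted. The following is an added example, not part of the original page and not Cloudflare's code; it works on a dict in the format returned by Python's `ssl.SSLSocket.getpeercert()`. The sample certificates, the CA name and `SAMPLE_NOW` are constructed, and revocation and chain completeness cannot be decided from this dict, so they are not covered.

```python
import ssl
import time

def cert_names(cert):
    """DNS names from the SAN, falling back to the subject Common Name."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def origin_cert_problems(cert, hostname, now=None):
    """Return the checks from the list above that `cert` fails for `hostname`."""
    now = time.time() if now is None else now
    problems = []
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed")
    names = cert_names(cert)
    if not any(name_matches(n, hostname) for n in names):
        problems.append("hostname mismatch")
    if any("_" in n for n in names):
        problems.append("invalid character in name")
    return problems

# Constructed samples (not from any real server). SAMPLE_NOW = 2024-02-01 00:00:00 UTC.
SAMPLE_NOW = 1706745600
GOOD = {"subject": ((("commonName", "www.example.com"),),),
        "issuer": ((("commonName", "Example Test CA"),),),
        "notBefore": "Jan 10 00:00:00 2024 GMT", "notAfter": "Apr 10 00:00:00 2024 GMT",
        "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com"))}
BAD = {"subject": ((("commonName", "origin_1.example.com"),),),
       "issuer": ((("commonName", "origin_1.example.com"),),),
       "notBefore": "Jan 10 00:00:00 2022 GMT", "notAfter": "Jan 10 00:00:00 2023 GMT"}

if __name__ == "__main__":
    for label, cert in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, origin_cert_problems(cert, "www.example.com", SAMPLE_NOW) or "ok")
```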

Additional Information When Using Cloudflare Gateway

When using Cloudflare Gateway, an HTTP Error 526 might be returned in the following cases:

  • An untrusted certificate is presented from the origin to Gateway. Gateway considers a certificate untrusted if any of these conditions are true:
    • The server certificate issuer is unknown or is not trusted by the service.
    • The server certificate is revoked and fails a CRL check.
    • There is at least one expired certificate in the certificate chain for the server certificate.
    • The common name on the certificate does not match the URL you are trying to reach.
    • The common name on the certificate contains invalid characters (such as underscores).
  • Gateway uses BoringSSL to validate certificates. Chrome's validation logic allows non-RFC 1305 compliant certificates, which is why the website may load when you turn off WARP.
  • The connection from Gateway to the origin is insecure. Gateway does not trust origins which:
    • Only offer insecure cipher suites (such as RC4, RC4-MD5, or 3DES).
    • You can use the SSL Server Test tool to check which ciphers are supported by the origin.
    • Do not support FIPS-compliant ciphers (if you have enabled FIPS compliance mode).
    • Redirect all HTTPS requests to HTTP.
