[Help] Error 526 Invalid SSL Certificate

IG Pro

Hello everyone,

Lately I had a problem with my website; it stopped working without any reason.
SC:
Bez názvu.png


I've contacted my hosting provider (Vultr) and they've responded,
SC:
Bez názsvu.png


Since I am a huge noob on website development and these things about websites, I've no idea what he is talking about.

I am also using CloudFlare, but I couldn't find support with a real human anywhere on their website.

On Cloudflare it says that my SSL certificate is still working, so I am confused why my website does not.
SC:
hZtUyGB


Any help is appreciated!

Thank you for your time,
Have a great day!
-Filipo
 


cmasex

What you can do is either

1) Set SSL to "flexible" on the Crypto tab on Cloudflare (same place as the screenshot above where it says "full/strict")
2) Turn off SSL on your host, remember to also remove any 301 redirects to https or else you will get a loop.

OR if you are using letsencrypt you can renew the SSL on your host, but then you have to turn off SSL on cloudflare first. This you will have to do every 60 days, I do not recommend it. My own setup is like the 1) and 2) above.
 

D3falt

Try reading your logs. SSH into your server. Depending on how you configure your nginx, it could be /var/log/nginx/example.log
 

kylngr

If you didn't create any server-side SSL certificates, log in to your Cloudflare account, select the website, click the Crypto tab and select the "Flexible" SSL option.

It is probably happening because Full or Full (strict) is selected. When Full is selected, it means the Cloudflare server will communicate with SSL between your server and Cloudflare. The Flexible option communicates with HTTP and serves HTTPS to the client.
 

IG Pro

It seems like it works again.

What i've done:
Cloudflare → Crypto → instead of “Full (strict)” → I've changed it to only “Full”
(I've tried to change it to “Flexible” but then it says something about redirects and the website didn't work)

Now my question is, does this affect my website in any way, can I let it be in “Full”?
 

irivi

I am a huge noob on website development and these things about websites

So am I but I just had a similar experience. I doubt you need any help at this point, but I will pretend this is a fresh issue as I just spent 3 days dancing around a similar problem, and want to talk about what I ended up doing. I am on a popular host, using a Let's Encrypt Certificate, and free CloudFlare.

Are you using LetsEncrypt?
https://community.letsencrypt.org/t...ing-full-strict-ssl-ubuntu-16-04-apache/36793
It expires every 60 days.

There is a lot to unpack here, and in the end the original question in the link was answered by restarting Apache; in my case the fix was not so simple.

I guess I do not.

Is it some kind of plugin?

Let's Encrypt is an SSL certificate that is free. In order to have 'https' on a website you need an SSL from somewhere, Let's Encrypt is just one (very popular) option.

1) Set SSL to "flexible" on the Crypto tab on Cloudflare (same place as the screenshot above where it says "full/strict")
2) Turn off SSL on your host, remember to also remove any 301 redirects to https or else you will get a loop.

OR if you are using letsencrypt you can renew the SSL on your host, but then you have to turn off SSL on cloudflare first. This you will have to do every 60 days, I do not recommend it. My own setup is like the 1) and 2) above.

So setting it to flexible and turning off SSL on the host, and dropping 301 redirects may resolve the 526 error, but it will not necessarily be the correct fix.
I have a different website that has run and refreshed for >1year on a let's encrypt and a full (not strict) setting on CloudFlare without any regular tampering on my end.
But for the website I am currently working on that is not good enough for me. I want to run a Let's Encrypt and Full (strict-mode) on CloudFlare, which I may have to do every 60 days, and if so I will see what I want to do when I get there. But my previous experience on the full(not strict) website is that if everything is set up properly it will update itself.

Depending on how you configure your nginx

Might be on NGINX or might be on Apache.

If you didn't create any server-side SSL certificates, log in to your Cloudflare account, select the website, click the Crypto tab and select the "Flexible" SSL option.

It is probably happening because Full or Full (strict) is selected. When Full is selected, it means the Cloudflare server will communicate with SSL between your server and Cloudflare. The Flexible option communicates with HTTP and serves HTTPS to the client.

Excellent description of how the settings translate, and flexible might fix the 526, but again I do not think this is the best solution.

It seems like it works again.

What i've done:
Cloudflare → Crypto → instead of “Full (strict)” → I've changed it to only “Full”
(I've tried to change it to “Flexible” but then it says something about redirects and the website didn't work)

Now my question is, does this affect my website in any way, can I let it be in “Full”?

Short answer, Yes you can let it be "Full".

But I personally wanted to use Full (Strict), see below..

This is a quote from somewhere on the Cloudflare help page:
"Also, there is no difference for the visitor of the domain between Full and Full (Strict). The difference is in the backend. The former means that the origin server must have a certificate, the latter that the certificate must be valid. The latter is preferred, but it’s not always possible to achieve, even though you should try."

And the following 2 quotes are from CloudFlare support page:
"Full ensures a secure connection between both the visitor and your Cloudflare domain and between Cloudflare and your web server.

The Full SSL option does not validate SSL certificate authenticity at the origin. A self-signed certificate is allowed at the origin web server.
To avoid 525 errors, before enabling Full SSL option, configure your origin web server to allow HTTPS connections on port 443 and present either a self-signed SSL certificate, a Cloudflare Origin CA certificate, or a valid certificate purchased from a Certificate Authority."

"Full (strict) ensures a secure connection between both the visitor and your Cloudflare domain and between Cloudflare and your origin web server. Configure your origin web server to allow HTTPS connections on port 443 and present either a Cloudflare Origin CA certificate or a valid certificate purchased from a Certificate Authority. This certificate must be signed by a Certificate Authority that is trusted by Cloudflare, have a future expiration date, and cover the requested domain name (hostname).

The Full(strict) SSL option checks for SSL certificate validity at the origin web server. A self-signed certificate cannot be used. A Cloudflare Origin CA certificate or valid certificate purchased from a Certificate Authority is required to avoid 526 errors"

I was running into a scenario of various loops.. add 'www' through a 301 redirect, forcing 'https' everything breaking everything. In the end this was fixed by first fixing the SSL on my host and then the redirects, and then CloudFlare. It is my belief that by just setting it on Full to get rid of the 526 error "works" but is less than ideal.

In the end I got it to work on Full (Strict).. now to see what happens when that Certificate refreshes..

Good Luck if you or any1 else face this again ;)
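The outcomes reported in this thread (526 on Full (strict), a working site on Full, a redirect loop on Flexible) can be reproduced with a small model. This is an added example, not part of the original posts and not Cloudflare's code; the `Origin` fields, function names and the sample origin states are constructed for illustration, and the model assumes Flexible always uses plain HTTP to the origin while the Full modes reuse the visitor's scheme.

```python
from dataclasses import dataclass

MODES = ("flexible", "full", "full_strict")

@dataclass
class Origin:
    https_enabled: bool   # origin listens on 443 and presents some certificate
    cert_valid: bool      # CA-signed, not expired, covers the hostname
    forces_https: bool    # host 301-redirects plain HTTP to https://

def edge_request(mode, origin, visitor_scheme):
    """One Cloudflare-edge -> origin request. Returns (status, redirect_scheme)."""
    # Assumption of this model: Flexible always speaks plain HTTP to the origin,
    # while Full / Full (strict) reuse the scheme the visitor asked for.
    upstream = "http" if mode == "flexible" else visitor_scheme
    if upstream == "http":
        return (301, "https") if origin.forces_https else (200, None)
    if not origin.https_enabled:
        return (525, None)            # no TLS handshake possible at the origin
    if mode == "full_strict" and not origin.cert_valid:
        return (526, None)            # certificate presented but rejected
    return (200, None)                # Full accepts any certificate

def visit(mode, origin, scheme="https", max_hops=10):
    """Follow redirects the way a browser would and return the final outcome."""
    for _ in range(max_hops):
        status, redirect = edge_request(mode, origin, scheme)
        if status != 301:
            return str(status)
        scheme = redirect             # browser retries on the redirect target
    return "redirect loop"

def matrix(origin):
    """Outcome for every encryption mode against one origin state."""
    return {mode: visit(mode, origin) for mode in MODES}

# Constructed origin states (not taken from the posters' servers).
INVALID_CERT = Origin(https_enabled=True, cert_valid=False, forces_https=True)
VALID_CERT = Origin(https_enabled=True, cert_valid=True, forces_https=True)
SSL_OFF = Origin(https_enabled=False, cert_valid=False, forces_https=False)

if __name__ == "__main__":
    for name, origin in [("invalid cert", INVALID_CERT),
                         ("valid cert", VALID_CERT),
                         ("SSL off, no redirect", SSL_OFF)]:
        print(f"{name:22}", matrix(origin))
```

The `SSL_OFF` row shows why Flexible only works once the host's HTTPS redirect is removed, and why that same origin cannot be switched back to Full without first configuring a certificate.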
 

Sam Zadworny

It can be a Cloudflare issue. In "SSL/TLS" tab in CloudFlare, try to change encryption mode between "Flexible", "Full" and "Full (strict)".
 

Gogol

TL;DR; (thread)..

You need to generate your certificate and configure your server to accept the https traffic, if you have Full, or Full (strict) mode on. If you are new at this, try using a program called certbot. It does everything for you after you run the wizard. For installing certbot, type (for Ubuntu):

Code:
sudo apt-get install certbot

and then run the program.
 

javabro

Isn't this a year or so old thread?
 

Gogol

Isn't this a year or so old thread?
When I see the original post, yupp. :)

Should still help a few who got the same problem though.
 