526 Invalid SSL Certificate
The HTTP 526 Invalid SSL Certificate status code is an unofficial server error used by Cloudflare and Cloud Foundry's Gorouter. The error occurs when the reverse proxy is unable to validate the SSL/TLS certificate presented by the origin server or backend application.
Usage
Cloudflare is a content delivery network acting as a reverse proxy between clients and origin servers. The 526 error means the SSL/TLS handshake completed, but the origin server's certificate failed validation. This error appears when the Cloudflare SSL/TLS mode is set to Full (Strict), which requires a valid, trusted certificate on the origin.
Common causes include:
- The origin server's SSL certificate has expired.
- The certificate was issued by an untrusted or self-signed certificate authority.
- The certificate's common name (CN) or Subject Alternative Name (SAN) does not match the origin hostname.
- The certificate chain is incomplete (missing intermediate certificates).
Cloud Foundry's Gorouter also returns 526 when backend SSL verification is enabled and the backend presents a certificate signed by an unknown authority. The Gorouter logs this as backend_invalid_tls_cert and retries up to three times before returning the error to the client.
Note
Switching Cloudflare's SSL mode from Full (Strict) to Full skips certificate validation, but reduces security. A better approach is to install a valid certificate on the origin, such as a free Cloudflare Origin CA certificate.
SEO impact
Search engines treat Cloudflare 526 responses as server errors. Persistent certificate validation failures reduce crawl rate and prevent indexing of affected URLs. Installing a valid origin certificate restores normal crawling.
Example
A client sends an HTTPS request through Cloudflare. Cloudflare connects to the origin and performs the SSL/TLS handshake, but the origin's certificate has expired, triggering a 526 error.
Request
GET /dashboard HTTP/1.1
Host: www.example.re
Accept: text/html
Response
HTTP/1.1 526 Invalid SSL Certificate
Date: Sun, 02 Mar 2026 10:45:00 GMT
Content-Type: text/html
Server: cloudflare
CF-RAY: 8a1b2c3d4e5f6-SIN
<html>
<head><title>526 Invalid SSL Certificate</title></head>
<body>
<h1>Error 526</h1>
<p>Invalid SSL certificate</p>
</body>
</html>
How to fix
A 526 only occurs when the Cloudflare SSL/TLS mode is set to Full (Strict). In this mode, Cloudflare validates the origin's certificate against its trust store.
Install a valid, trusted SSL certificate on the origin. The certificate must meet all of these conditions:
- Not expired or revoked.
- Signed by a trusted certificate authority (not self-signed, unless added to the Custom Origin Trust Store).
- Includes the requested hostname in the Common Name (CN) or Subject Alternative Name (SAN) field.
- Contains the full chain: leaf certificate, all intermediate certificates, and the root CA.
Generate a free Cloudflare Origin CA certificate in the dashboard under SSL/TLS > Origin Server > Create Certificate. This certificate is trusted by Cloudflare for up to 15 years and eliminates third-party CA dependency for the origin connection.
For self-signed certificates, add the certificate to the Custom Origin Trust Store in the Cloudflare dashboard. This tells Cloudflare to trust the specific self-signed certificate during validation.
Temporarily pause Cloudflare and run the SSL Shopper SSL Checker or openssl s_client -connect origin:443 to inspect the certificate chain the origin presents. Missing intermediate certificates are a common cause of chain validation failures.
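The following Python script is an added example, not code from Cloudflare or from this page. It performs a validated TLS handshake directly against the origin and maps OpenSSL's verify code to the causes listed above. The function names, the cafile parameter and the cause labels are assumptions of this example; validation uses the local trust store, so a Cloudflare Origin CA certificate is reported as untrusted unless its root certificate is passed via cafile.

```python
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_* verify codes mapped to the causes listed on this page.
# The labels are this example's own wording (assumption), not proxy output.
CAUSES = {
    10: "certificate expired",
    18: "self-signed certificate",
    19: "chain ends in an untrusted root",
    20: "issuer not found: untrusted CA or missing intermediate",
    21: "issuer not found: untrusted CA or missing intermediate",
    62: "hostname mismatch",
}


def classify(verify_code: int) -> str:
    """Translate an OpenSSL verify code into one of the 526 causes."""
    return CAUSES.get(verify_code, f"other (X509 verify code {verify_code})")


def check_origin(origin, hostname, port=443, cafile=None, timeout=5.0) -> str:
    """Connect to the origin address, validate its certificate for hostname.

    origin   -- IP or DNS name of the origin itself (bypassing the proxy)
    hostname -- name the certificate must cover (sent as SNI and verified)
    cafile   -- optional PEM file with extra trust anchors
    """
    ctx = ssl.create_default_context()  # verifies chain, dates and hostname
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    try:
        with socket.create_connection((origin, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        # Must be caught before SSLError, which is its parent class.
        return classify(exc.verify_code)
    except ssl.SSLError as exc:
        return f"handshake failed before validation: {exc.reason}"


if __name__ == "__main__":
    # Usage: python check_origin.py <origin-address> <hostname> [cafile]
    print(check_origin(sys.argv[1], sys.argv[2], cafile=(sys.argv[3:] or [None])[0]))
```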
As a quick workaround, switch the SSL/TLS mode from Full (Strict) to Full. This skips certificate validation entirely but reduces security. Use this only as a temporary measure while fixing the origin certificate.
Takeaway
The 526 Invalid SSL Certificate status code is an error generated by Cloudflare or Cloud Foundry's Gorouter when the origin server or backend presents an SSL/TLS certificate the proxy is unable to validate.
See also
- 525 SSL Handshake Failed
- 520 Web Server Is Returning an Unknown Error
- Troubleshooting Cloudflare Errors
- HTTP status codes