How to Fix Cloudflare HTTP 526 Error: Invalid SSL Certificate Issue Explained

Koen

Today, I unexpectedly discovered that one of my websites was showing an "Invalid SSL certificate (HTTP 526)" error, and the page couldn’t load properly. This was the first time I had encountered this issue. I began troubleshooting by checking the domain status, DNS settings, and server status, but I couldn’t find anything wrong.

Returning to the error page, I carefully read the message provided by Cloudflare, which included the following suggestion:

If you're the owner of this website:
The SSL certificate presented by the server did not pass validation. This could indicate an expired SSL certificate or a certificate that does not include the requested domain name. Please contact your hosting provider to ensure that an up-to-date and valid SSL certificate issued by a Certificate Authority is configured for this domain name on the origin server.

It became clear that the issue was related to the SSL certificate. So, I turned my attention back to the origin server for further investigation.

My origin server runs multiple websites using Nginx, but direct access to the server is not allowed. All the websites are routed through Cloudflare’s CDN services, which provide free and reliable SSL certificates. To simplify management, my origin server only serves HTTP traffic and does not provide HTTPS. After all, Cloudflare’s SSL service is trustworthy. I suspected that the issue might be Cloudflare attempting to reach my origin server via HTTPS, leading to the error. Upon verification, this was indeed the case. Although my origin server’s Nginx setup had HTTPS (port 443) enabled, I hadn’t configured a valid SSL certificate for any domain.

I then revisited my Cloudflare settings and checked the SSL configuration for the affected domain. It turned out that Cloudflare had recently switched the SSL setting for my domain to "Automatic mode". Because my origin server had port 443 open, Cloudflare attempted to connect to it via HTTPS. However, since no valid SSL certificate was configured on the origin server, the connection failed, resulting in the error.

Once I identified the cause, the solution was straightforward: I simply switched the SSL setting from Automatic mode to Flexible mode. Flexible mode means:

Enable encryption only between your visitors and Cloudflare. This will avoid browser security warnings, but all connections between Cloudflare and your origin are made through HTTP.

This resolved the issue immediately.

This incident also reminded me of some Cloudflare email notifications I had received recently, which were related to SSL. At the time, I didn’t pay much attention to them, but they were likely sent when Cloudflare switched my domain’s SSL setting to Automatic mode. Cloudflare might have considered this an optimization, but they likely didn’t account for scenarios where the origin server has port 443 open without valid SSL certificates. This is especially common in environments like Nginx with multiple virtual hosts, where port 443 might carry a valid certificate for only some of the domains, while the others receive a certificate that does not match them when accessed via the same port.
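The two failure causes named in Cloudflare's 526 message (an expired certificate, or one that does not cover the requested domain) can be checked against an origin directly, which is how I would confirm the vhost situation described above before changing the SSL mode. The script below is an added example, not from the original post or from Cloudflare; it uses only the Python standard library, and `origin_ip`, `hostname`, the two sample certificate dicts and the fixed check time are constructed placeholders.

```python
import socket
import ssl
from datetime import datetime, timezone


def _san_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS SAN entry; a wildcard covers exactly one label (RFC 6125)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def check_origin_cert(cert: dict, hostname: str, now=None) -> list:
    """Return the reasons a certificate would fail for `hostname` ([] if it would pass).
    `cert` has the dict shape returned by ssl.SSLSocket.getpeercert()."""
    now = now or datetime.now(timezone.utc)
    reasons = []
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now < not_before:
        reasons.append(f"not valid before {cert['notBefore']}")
    if now > not_after:
        reasons.append(f"expired on {cert['notAfter']}")
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_san_matches(name, hostname) for name in dns_names):
        reasons.append(f"{hostname} is not covered by subjectAltName {dns_names}")
    return reasons


def diagnose_origin(origin_ip: str, hostname: str, port: int = 443, timeout: float = 5.0) -> list:
    """Connect the way the CDN does: TCP to the origin address, SNI set to the requested
    domain, chain validated against the system CA store; hostname coverage is reported above."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return check_origin_cert(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as exc:
        return [f"chain validation failed: {exc.verify_message}"]


# Constructed samples: what a default Nginx vhost presents for a domain it has no certificate
# for (expired, wrong names), and a certificate that does cover the domain. Fixed check time.
CHECK_TIME = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_CERT = {"notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Apr  1 00:00:00 2024 GMT",
               "subjectAltName": (("DNS", "other.example"), ("DNS", "*.other.example"))}
VALID_CERT = {"notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Jan  1 00:00:00 2030 GMT",
              "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"))}

if __name__ == "__main__":
    print(check_origin_cert(SAMPLE_CERT, "www.example.com", CHECK_TIME))
    print(diagnose_origin("192.0.2.10", "www.example.com"))  # placeholder origin address
```

`diagnose_origin` needs network access to the origin; `check_origin_cert` is the offline part and is what the sample data exercises.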