If you’re seeing Cloudflare HTTP Error 526 (Invalid SSL Certificate) on your site, it means Cloudflare couldn’t verify the SSL certificate on your server. The result is that your visitors are blocked from accessing your website until it’s fixed.
In this guide, we’ll show you how to fix the Cloudflare HTTP Error 526 step by step. You’ll learn what the error means, the most common causes, and the exact fixes you can apply on your RunCloud-managed server to get your site back online quickly and securely.
Let’s get started!
What Causes Cloudflare HTTP Error 526?
The HTTP Error 526 is a specific error message generated by Cloudflare. It tells us that Cloudflare successfully connected to your origin web server (the server you manage with RunCloud), but it was unable to validate the SSL/TLS certificate presented by that server.

Your Visitor → Cloudflare → Your RunCloud Server
The error occurs on the second leg of this journey, between Cloudflare’s network and your server. Cloudflare is acting as a security guard, and when it approached your server, the identification (the SSL certificate) was either missing, expired, or not from a trusted source.
Cloudflare SSL/TLS Modes Explained (and How They Affect Error 526)
The root cause of the Error 526 almost always lies within your Cloudflare SSL/TLS encryption settings. Cloudflare offers several ways to secure the connection to your server. The mode you have selected determines how strictly Cloudflare validates your server’s SSL certificate.
You can find this setting in your Cloudflare dashboard under SSL/TLS > Overview:
- Flexible: This mode encrypts traffic between the visitor and Cloudflare, but not between Cloudflare and your server. This is not the most secure method, but it is good enough for hobby sites.
- Full: This mode encrypts the entire connection, but Cloudflare does not verify the identity of the SSL certificate on your origin server. It will accept a certificate that is expired, self-signed, or whose CN/SAN entries do not match the requested hostname.
- Full (Strict): This is a secure and recommended mode. It encrypts the entire connection and requires that your origin server has a valid, unexpired SSL certificate issued either by a publicly trusted Certificate Authority (CA) such as Let’s Encrypt or by Cloudflare’s own Origin CA.
The HTTP Error 526 occurs when your Cloudflare SSL/TLS mode is set to Full (Strict), but the certificate on your RunCloud server does not meet these strict requirements.

Our goal is to fix the server’s certificate, not to downgrade this security setting.
How to Fix Cloudflare HTTP Error 526: Step-by-Step Guide
Follow these steps in order to diagnose and fix the problem efficiently.
Step 1 – Check Your Cloudflare SSL/TLS Encryption Settings
First, let’s be certain that the Full (Strict) setting is the trigger.
- Log in to your Cloudflare account and select your domain.
- Navigate to the SSL/TLS section from the left-hand menu.
- On the Overview tab, look for the SSL/TLS Encryption mode.
- Confirm that it is set to Full (Strict). If it is, proceed to the next step.

Step 2 – Verify Your SSL Certificate on RunCloud
Now, we need to inspect the SSL certificate that is installed on your server for the specific web application.
Method A: Check SSL Certificates in the RunCloud Dashboard
The RunCloud dashboard provides an easy way to check your SSL status.
- Log in to your RunCloud account and navigate to your server.
- Select Web Applications from the menu.
- Click on the name of the web application that is experiencing the error.
- In the application’s menu, click on SSL.
Here, you will see the current SSL status. Pay close attention to the Provider, the Status (it should be “Active”), and the Valid Until date to ensure it has not expired.

Method B: Check SSL Certificates with External Tools
For a definitive, external check, you can use an online SSL checker or a command-line tool like openssl. These tools verify what the outside world, including Cloudflare, sees.
Run the openssl command from your local terminal (replacing yourdomain.com with your actual domain and YOUR_SERVER_IP with your server’s IP address):
openssl s_client -connect YOUR_SERVER_IP:443 -servername yourdomain.com

In the output, look for the certificate details, including the “subject” (which should match your domain name) and the “notAfter” date (the expiration date).
Step 3 – Fix Common SSL Certificate Issues Causing Error 526
Based on what you discovered in Step 2, here are the most common scenarios and their solutions within RunCloud.
Fix 526 Error: No SSL Certificate Installed
If the RunCloud dashboard shows “No SSL Configuration” or an external check fails, you simply need to install a certificate.
In the RunCloud SSL section for your web application, select Let’s Encrypt as the SSL Provider. Ensure your domain’s DNS is pointing correctly to the server, then click “Install SSL Certificate”. RunCloud will automatically provision and install a trusted certificate.
Fix 526 Error: Expired SSL Certificate
Let’s Encrypt certificates are issued with a 90-day validity period. RunCloud attempts to automatically renew your certificates well before they expire. However, this process can occasionally encounter issues, such as temporary DNS validation problems or other specific server conditions, which may prevent the renewal from completing successfully.
If the automated renewal has failed, you can simply click the “Renew” button to trigger the process manually. This action immediately sends a new request to Let’s Encrypt to provision and install a valid certificate.

Fix 526 Error: Self-Signed Certificate
A self-signed certificate can be created by anyone and is used for testing within internal networks. Because it lacks external validation from a trusted third party, it cannot be automatically verified for authenticity.
Therefore, when Cloudflare’s SSL/TLS encryption is set to the highly secure Full (Strict) mode, it will always reject a self-signed certificate and trigger the HTTP 526 error. The most secure and permanent solution is to replace the self-signed certificate with a certificate from a trusted authority.
On the RunCloud platform, you can easily do this by removing the existing custom SSL configuration and using the integrated Let’s Encrypt functionality to install a valid, trusted certificate.

Fix 526 Error: Certificate Name Mismatch
This happens when the certificate does not cover all the hostnames for your site. For example, the certificate might only be for example.com, but visitors (and Cloudflare) are trying to reach www.example.com.
When installing the Let’s Encrypt certificate in RunCloud, make sure to add all domain variations you use (e.g., both the root domain and the www subdomain) to the list of domains to be included in the certificate.
Fix 526 Error: Incomplete SSL Certificate Chain
A trusted SSL certificate relies on a “chain of trust,” which includes intermediate certificates linking your domain certificate back to a trusted root CA.
This is rare when using RunCloud’s Let’s Encrypt integration, as it provides the complete chain. If you are installing a Custom SSL certificate from another provider, ensure you are pasting the entire certificate chain (often called fullchain.pem or a .crt file with multiple certificate blocks) into the “SSL Certificate” field, not just the single-domain certificate.
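The checks from Step 3, as an added example (not RunCloud's or Cloudflare's code): this script tests a certificate file for three of the failure cases above, namely expired, self-signed, and name mismatch. The function names and the test certificate are constructed for illustration, and it assumes OpenSSL 1.1.1 or newer.

```sh
#!/bin/sh
# Added example: evaluate a certificate file against the Step 3 failure cases.
# Assumption: OpenSSL 1.1.1 or newer is installed (needed for -addext).

# Build a constructed, self-signed test certificate.
# Usage: make_test_cert <out.pem> <common-name> <san-list>
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1.key" -out "$1" \
    -subj "/CN=$2" -addext "subjectAltName=$3" 2>/dev/null
}

# Print the problems found in <cert.pem> for <hostname>, or "ok".
# Usage: check_origin_cert <cert.pem> <hostname>
check_origin_cert() {
  cert="$1"
  host="$2"
  findings=""
  # Expired: -checkend 0 exits non-zero when notAfter is already in the past.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || findings="$findings expired"
  # Self-signed: the subject name and the issuer name are identical.
  if [ "$(openssl x509 -in "$cert" -noout -subject_hash)" = \
       "$(openssl x509 -in "$cert" -noout -issuer_hash)" ]; then
    findings="$findings self-signed"
  fi
  # Name mismatch: -checkhost reports whether the CN/SAN entries cover the host.
  openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match" \
    || findings="$findings name-mismatch"
  echo "${findings:-ok}" | sed 's/^ //'
}

# Demo on a constructed certificate that covers example.com only.
demo() {
  dir=$(mktemp -d)
  make_test_cert "$dir/cert.pem" example.com "DNS:example.com"
  echo "example.com:     $(check_origin_cert "$dir/cert.pem" example.com)"
  echo "www.example.com: $(check_origin_cert "$dir/cert.pem" www.example.com)"
  rm -rf "$dir"
}
demo
```

To check your live origin, save the certificate printed by the openssl s_client command from Step 2 to a file and pass it to check_origin_cert together with the hostname visitors use.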
Permanent Fix – Install a Cloudflare Origin Certificate
If you want a permanent solution, you can use a Cloudflare Origin Certificate. This is a free, long-lasting certificate that you install on your RunCloud server. It is not publicly trusted, but it is specifically trusted by Cloudflare’s network, which resolves the 526 error. Because browsers do not trust it, it only works while traffic for the hostname is proxied through Cloudflare.
- In Cloudflare, navigate to SSL/TLS > Origin Server.
- Click Create Certificate. Follow the prompts, leave all values at their defaults, and generate the certificate.

- Cloudflare will show you an Origin Certificate and a Private Key. Copy both of these.
- In your RunCloud application’s SSL section, choose the Custom SSL option.
- Paste the Origin Certificate into the “Certificate” box and the Private Key into the “Private Key” box.

- Click Install SSL Certificate.

Temporary Workaround – Switch to “Full” Mode in Cloudflare
If your site is experiencing critical downtime and you need an immediate, temporary fix while you sort out the certificate issue, you can downgrade Cloudflare’s security.
Go to Cloudflare > SSL/TLS > Overview and change the mode from Full (Strict) to Full.
This will bring your site back online, but this is not a permanent solution.
Downgrading your Cloudflare security exposes a potential security gap between Cloudflare and your server. Your top priority should still be to install a valid certificate on your server and switch back to Full (Strict) mode as soon as possible.
Fix Cloudflare HTTP Error 526 with RunCloud
The Cloudflare HTTP Error 526 is not a server crash; it’s a warning that your SSL setup isn’t fully trusted. With the right configuration, you can resolve it quickly and make sure it doesn’t come back.
RunCloud makes SSL management simple.
From one dashboard, you can install Let’s Encrypt, renew certificates automatically, or configure a Cloudflare Origin Certificate for long-term stability. That means less downtime, fewer SSL headaches, and a more secure experience for your visitors.