Error 526 when changing sub-domain IP to new server

Hello. I just moved my APIs away from my main box to their own VPS with Hetzner. I changed their IP to match the VPS IP via the CF panel and yoinked the wildcard SSL from the old box as well. Now, every time I try to access the domain, I get error 526 about Invalid SSL Certificate. I have copied the SSL over multiple times before with all new sub-domains that I have and never had an issue before now. I even tried to change the old IP back and it worked like a charm after a few seconds. But once I changed to the new IP, the same issue comes again. I am literally out of ideas of what could be causing this issue. All other sub-domains work just fine with the wildcard SSL. Even my server sees the SSL and does not complain about it. Same with SSL Shopper. Any help and/or ideas?
6 Replies
JantsoP (OP), 2y ago
Domain not working: api.roitec.fi
Domain working: docs.roitec.fi
Same wildcard SSL is being used on both domains. Only difference is that api was moved today from dedicated hardware to a VPS box, but with the same OS etc. Webserver is nginx.
Erisa, 2y ago
When I try to directly access the origin for api.roitec.fi from a Cloudflare datacenter I get
http: server gave HTTP response to HTTPS client
http: server gave HTTP response to HTTPS client
Whereas docs.roitec.fi works fine with the same request
JantsoP (OP), 2y ago
I have an HTTP->HTTPS redirect working which redirects to HTTPS if coming via HTTP.
Oh hello... my nginx is 2 versions older than on the old box, hmm.
Updated to latest and same error. Could this be that I might have discovered something odd in CF code?
Erisa, 2y ago
Does it work if you bypass Cloudflare? e.g. curl -v https://api.roitec.fi --connect-to ::x.x.x.x --insecure where x.x.x.x is your Origin IP? You can also try curl on the server itself with 127.0.0.1 I suppose. And then do the same with both servers and compare. Because from our point of view, we send an HTTPS request to the origin but it doesn't return a valid HTTPS response back, so it fails.
JantsoP (OP), 2y ago
fml. So I was missing listen 443 ssl; from the god damn config.
Then again, on the OG box I have no such thing. Well, weird.
Erisa, 2y ago
Odd. Perhaps the old one inherited it from somewhere else.
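The root cause in this thread was a server block that had ssl_certificate set but no "listen 443 ssl;", so nginx answered plain HTTP on port 443 and Cloudflare's origin check failed with "server gave HTTP response to HTTPS client" (error 526). The following script is an added example, not code from the thread: a small POSIX sh/awk lint that flags exactly that misconfiguration before a deploy. The sample config it checks is constructed here; the hostnames and paths in it are placeholders.

```shell
#!/bin/sh
# Print the server_name of every nginx server{} block that declares
# ssl_certificate but has no "listen ... ssl" directive. Such a block
# serves plain HTTP on its port, which Cloudflare reports as error 526.
# Assumes "server {" opens on its own line; brace depth tracks nesting.
nginx_missing_ssl_listen() {
  awk '
    /^[[:space:]]*server[[:space:]]*\{/ {
      inserver = 1; depth = 0; name = "(no server_name)"
      hascert = 0; hasssl = 0
    }
    inserver {
      opens = gsub(/\{/, "{"); closes = gsub(/\}/, "}")
      depth += opens - closes
      if ($1 == "server_name") { name = $2; sub(/;$/, "", name) }
      if ($1 == "ssl_certificate") hascert = 1
      # "listen 443 ssl;" or "listen 443 ssl http2;" both count
      if ($1 == "listen" && $0 ~ /[[:space:]]ssl[[:space:];]/) hasssl = 1
      if (depth <= 0) { if (hascert && !hasssl) print name; inserver = 0 }
    }
  ' "$1"
}

# Constructed sample: the api block reproduces the bug from the thread
# (cert present, "listen 443;" without ssl); the docs block is correct.
write_sample_config() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
server {
    listen 80;
    server_name api.example.test;
    return 301 https://$host$request_uri;
}
server {
    listen 443;
    server_name api.example.test;
    ssl_certificate /etc/ssl/wildcard.pem;
    ssl_certificate_key /etc/ssl/wildcard.key;
    location / { proxy_pass http://127.0.0.1:8080; }
}
server {
    listen 443 ssl;
    server_name docs.example.test;
    ssl_certificate /etc/ssl/wildcard.pem;
    ssl_certificate_key /etc/ssl/wildcard.key;
}
EOF
  echo "$f"
}
```

Run nginx_missing_ssl_listen against /etc/nginx/sites-enabled/* (or the output of nginx -T) and an empty result means every block that carries a certificate also terminates TLS.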