Website SSL certificate says "invalid", however the certificate itself is not expired
Hi there,
I transferred my domain to CloudFlare on December 27th, 2023 and have been hosting my personal blog/website here since. I've setup a CF tunnel and use it access some self-hosted services, from time to time.
My core site (domain.com, www.domain.com) are hosted on GitHub pages, and have been for 1+ years now, without any issues.
I went to go add a new blog post and noticed my website is showing a 526 error code "Invalid SSL Certificate"; however, inspecting the cert in the browser indicates it is indeed active, having been issued March 8th and expiring June 6th, 2024.
I haven't changed any settings on my end, so I'd appreciate if I can get some guidance on how to resolve this error. I've confirmed nothing has changed on the GitHub side (in fact, I just added the new blog post and the GitHub actions completed successfully), but the content is not accessible.
The domain is my personal name so if possible, can I ask for 1:1 support so as not to dox myself/tie my domain to my Discord username?
19 Replies
Adding some partially "censored" screenshots to protect my identity; I can provide the RayID if needed
The Cert in the Browser is issued by Cloudflare, but the issue lies with the Cert served by your origin, which you wouldn’t see in your browser
The origin in this case being github, I'm assuming?
well that's rather annoying 😅
sorry, forgot to remove some info
@radakul not 100% sure on this, but maybe try messing with the SSL encryption modes?
Try out all of them besides "off"
I've had similar SSL problems and 90% of the time its that setting
the only one you should use is Full (Strict)
all the rest are insecure/should not be used
well, Full (Strict) or Off, if you don't want to support ssl
Yeah I guess that makes sense cause he's using github
also looking at this screenshot, dont you only need HTTPS rewrites on CF?
it's irrelevant but I was just wondering
Sometimes Github Pages's SSL can have issues. An easy way around this is to create a proxied CNAME at your apex pointing to github, like the one you have on your www (except proxied).
Even on Full (Strict) Cloudflare Proxy is perfectly ok if the CNAME target hostname = the one on the certificate.
Thanks folks. I have it set to strict mode. Website still is loading as of this morning and I think the failure is indeed on the github side, so I'll try toggling various settings until the site wakes up.
Strange this happened now when it hasn't been an issue before 🤷♂️
Finally got around to this, and resolved my issue. The issue was caused (for some reason) by the "proxied" setting of the 4 A records pointing to GitHub. When I disabled the proxy option from each A record, the site began responding.
Not sure if this is normal or not, given I have had this setup for some time with CF Tunnels (or maybe I changed it and didn't realize it/was seeing a page from cache) but figured I'd post my "solution" in case someone else stumbles on it
What was the setup with Tunnels?
The standard setup - proxied and pointing to the tunnel connector ID. I guess after I turned off my tunnel, I didn't put two and two together. I guess it doesn't fallback to DNS only automatically
Tunnels don’t have their own SSL at all, which might be why
They can connect to services that use SSL, but they themselves don’t
I’m going to guess that if you reenable the proxy, it should continue working now
I’m thinking that CF was intercepting GitHub’s attempt to issue a certificate, causing it to fail
Ah so you're thinking the order is disable tunnel on the DNS page, let github get the cert, then re-enable?
Tunnel is still turned off atm while I organize my self hosted services, so the only thing I have through CF atm is my domain and dns resolver
Yep, or, if it fits your use case, there is https://pages.cloudflare.com
Cloudflare Pages
Build your next application with Cloudflare Pages
I may migrate over just to keep everything seamless. Thanks for the tip 🙂