如何解决 Cloudflare 无效 SSL (error526)？

Posted 2023-02-22

【中文标题】如何解决 Cloudflare 无效 SSL (error526)？

【英文标题】：How to resolve Cloudflare invalid SSL (error526)?

【发布时间】：2022-01-11 01:40:18

【问题描述】：

我将我的网站托管从 Bluehost 移至 Inmotion，但该域目前在 Bluehost 上（它在 Bluehost 上有 Cloudflare）。 现在我将它移至 Inmotion 托管，并为它创建了一个 Cloudflare 帐户，以便在我的网站上进行设置。 我设置了 Cloudflare 并将域 DNS 更改为 Cloudflare DNS，但是现在当我从 Cloudflare 面板启动 Cloudflare 时，它​​在我的网站上显示 ERROR 526。我多次与 Inmotion 支持和 Bluehost 支持交谈，他们告诉我应该联系 Cloudflare 团队，因为问题出在 Cloudflare 那里，没有人回答我。

有关更多信息，我尝试了在 Cloudflare 社区或谷歌中找到的所有方法，但无法解决这个问题。 请帮帮我。

【问题讨论】：

这里是诊断此错误根本原因的良好信息来源：Community Tip - Fixing Error 526: Invalid SSL certificates

【参考方案1】：

当 Cloudflare 无法验证服务器的 SSL/TLS 证书时触发 Cloudflare 错误 526。 Cloudflare 中的 Full SSL(Strict) 模式通常会发生这种情况。

你在cloudflare中使用的是什么模式？完全（严格）模式？ 如果是，请查看：

Full (strict) mode is the most common reason for the 526 error. A quick fix to solve it would be to change the SSL mode to Full instead of Full (strict) from the Overview tab of Cloudflare SSL/TLS section for the particular domain.
If the issue persists even after changing the SSL mode to Full, then it would be more likely related to the origin web server’s SSL certificates. We need to verify that:
1. The certificate is not expired
2. The certificate is not revoked
3. The certificate is signed by a Certificate Authority such as GlobalSign, Verisign, GeoTrust, Comodo, etc, and is not a self-signed SSL certificate.
4. The requested domain name and hostname are in the certificate’s Common Name or Subject Alternative Name.
5. Origin web server accepts connections over port SSL port 443
6. Temporarily pause Cloudflare and cross-check the certificate with any SSL verification sites like  https://www.sslshopper.com to verify that no issues exist with the origin SSL certificate.
If the origin server is using an expired, revoked or self -signed certificate, the next step to fix this error would be to install a proper SSL certificate signed by a Certificate Authority.
Likewise, it is important to have the requested domain name and hostname in the certificate’s Common Name or Subject Alternative Name. If we have added a CNAME for the hostname on Cloudflare, the Common Name or SAN may also match the CNAME target.
Cloudflare can also issue origin certificates to you on request if you don’t want to pay for or acquire one from a third-party. The 526 error should disappear after the installation of a valid certificate on the origin server and the server it accept secure (HTTPS) connections.

如果你想改变其他模式：

在 CloudFlare 面板中 Domain -> SSL/TLS -> Overview -> Pick the mode)。当您选择一种模式时，它会显示加密的工作方式。

如果您在端点中使用 80/tcp 端口，则需要使用灵活模式（加密浏览器和 Cloudflare 之间的流量）。

但是，如果您在端点中使用 443/tcp 端口，则需要使用完全模式（端到端加密，使用服务器上的自签名证书）。对于可在您的虚拟主机中使用自签名 SSL 证书的完整模式。